π―Basically, a security flaw lets hackers take control of certain computer systems without permission.
The Flaw
CVE-2025-32975 is a critical vulnerability found in the Quest KACE Systems Management Appliance (SMA). This flaw allows threat actors to bypass authentication, enabling them to impersonate legitimate users. The vulnerability resides in the Single Sign-On (SSO) authentication process, which can lead to complete administrative takeover of the appliance. Notably, this vulnerability was patched in May 2025, yet many instances remain unpatched and exposed to the internet.
Starting the week of March 9, 2026, Arctic Wolf detected malicious activities in customer environments that appear to be linked to the exploitation of this vulnerability. The attackers leveraged the flaw to gain unauthorized access, indicating that organizations must act swiftly to mitigate risks.
What's at Risk
The Quest KACE SMA is designed for centralized endpoint management, which includes inventory management, software deployment, and endpoint monitoring. If compromised, attackers can gain administrative control over the entire system, potentially leading to widespread data breaches and operational disruptions.
The observed exploitation involved various techniques, including executing remote commands and creating unauthorized administrative accounts. These actions could allow attackers to manipulate system settings, harvest credentials, and even move laterally within the network to access other critical systems.
Patch Status
As of now, Arctic Wolf emphasizes the importance of upgrading to the latest fixed version of Quest KACE SMA. The following versions are recommended:
- Version 13.0.385 or later
- Version 13.1.81 or later
- Version 13.2.183 or later
- Version 14.0.341 (Patch 5) or later
- Version 14.1.101 (Patch 4) or later
Organizations should follow their internal patching and testing guidelines to minimize operational impacts while ensuring that their systems are secured against this vulnerability.
Immediate Actions
To protect against CVE-2025-32975, Arctic Wolf recommends the following immediate actions: By taking these steps, organizations can significantly reduce their risk of exploitation and protect sensitive data from unauthorized access.
Containment
- 1.Upgrade to the latest fixed version of Quest KACE SMA to close the vulnerability.
- 2.Remove any publicly exposed instances of KACE SMA from the internet. If remote access is necessary, it should be secured through a VPN or firewall.
Remediation
π Pro insight: The exploitation of CVE-2025-32975 underscores the critical need for timely patch management in enterprise environments.
