CVE-2025-32975 - Exploitation of Quest KACE Systems
In short, an authentication bypass in the Quest KACE Systems Management Appliance lets attackers take administrative control of systems without valid credentials.
Arctic Wolf has detected exploitation of a critical vulnerability in Quest KACE Systems Management Appliances. Unpatched systems are at risk of unauthorized access and administrative takeover. Organizations must act quickly to patch their systems and secure their environments.
The Flaw
CVE-2025-32975 is a critical authentication bypass vulnerability found in the Quest KACE Systems Management Appliance (SMA). This flaw allows attackers to impersonate legitimate users without needing valid credentials. The vulnerability stems from issues in the Single Sign-On (SSO) authentication handling mechanism, enabling an attacker to gain complete administrative control over the system. The vulnerability was patched in May 2025, yet many systems remain unpatched and exposed.
In the week of March 9, 2026, Arctic Wolf began observing malicious activity potentially linked to this vulnerability. The exploitation primarily targets unpatched Quest KACE SMA instances that are publicly accessible on the internet. The urgency of addressing this vulnerability cannot be overstated, as it poses a significant risk to organizations relying on these systems for endpoint management.
What's at Risk
Organizations using Quest KACE SMA could face severe consequences if they do not address this vulnerability. The administrative takeover achieved through CVE-2025-32975 allows attackers to execute malicious commands, create unauthorized accounts, and harvest credentials. The potential for data breaches and unauthorized access to sensitive information is high, especially for organizations that manage critical infrastructure or sensitive data.
The observed exploitation includes various tactics, such as executing remote commands and establishing command-and-control communication. If attackers gain access, they can manipulate system settings, deploy malware, or use the compromised system as a launchpad for further attacks within the network.
Patch Status
The vulnerability was officially patched in May 2025, yet many organizations have not implemented the necessary updates. Until recently, Arctic Wolf had not reported any known exploitation of CVE-2025-32975, but the presence of unpatched systems in the wild raises alarms. Organizations must prioritize patching to mitigate the risk of exploitation.
Failure to apply the patch leaves systems vulnerable to attackers who can easily exploit this flaw. Regular patch management is crucial to maintaining security and preventing unauthorized access. Organizations should also monitor their systems for any signs of exploitation or unusual activity.
Immediate Actions
To protect against the risks posed by CVE-2025-32975, organizations should take immediate action:
- Patch all Quest KACE SMA instances to the latest version to close the vulnerability.
- Audit user accounts and remove any unauthorized administrative accounts created during potential exploitation.
- Monitor logs for unusual activity, such as unexpected administrative changes or command executions.
- Implement network segmentation to limit exposure of critical systems to the internet.
By following these steps, organizations can significantly reduce their risk and protect their systems from exploitation. The time to act is now, as the consequences of inaction could be dire.
Arctic Wolf Blog