Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems

    Threat actors are actively exploiting a maximum-severity security flaw in Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf research. The vulnerability, tracked as CVE-2025-32975 with a CVSS score of 10.0, allows attackers to completely bypass authentication and impersonate legitimate users without valid credentials.

    Active Exploitation in the Wild

    Arctic Wolf observed malicious activity beginning the week of March 9, 2026, targeting customer environments running unpatched, internet-exposed SMA systems. The attacks demonstrate sophisticated post-exploitation techniques, indicating that the threat actors have clearly defined objectives.

    Attack Chain Details

    Upon exploiting CVE-2025-32975, the attackers:

    • Seized control of administrative accounts
    • Executed remote commands to drop Base64-encoded payloads via curl from external server 216.126.225[.]156
    • Created additional administrative accounts using runkbot.exe, the SMA Agent background process
    • Modified Windows Registry via PowerShell scripts for persistence
    • Conducted credential harvesting using Mimikatz
    • Performed discovery and reconnaissance, enumerating logged-in users and administrator accounts
    • Obtained RDP access to backup infrastructure (Veeam, Veritas) and domain controllers

    Why It Matters

    Quest KACE SMA is widely deployed in enterprise environments for endpoint management, software distribution, and IT asset inventory. A complete authentication bypass with CVSS 10.0 severity means attackers can gain full administrative control without any credentials — effectively owning the organization’s endpoint management infrastructure. The targeting of backup systems (Veeam, Veritas) and domain controllers suggests ransomware deployment may be the ultimate objective.

    Mitigation

    Organizations running Quest KACE SMA should:

    • Apply the patches immediately: versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4) address the vulnerability
    • Avoid exposing SMA instances directly to the internet
    • Review administrative account access and audit logs for suspicious activity
    • Check for indicators of compromise including connections to 216.126.225[.]156
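    The following triage helper is an added example, not code from Quest, Arctic Wolf or The Hacker News: it checks an SMA build string against the fixed versions listed above and scans constructed sample log lines for the external server address named in the attack chain. The proxy log format is an assumption.

```python
import re

# Fixed builds per release branch, exactly as listed in the advisory.
FIXED_VERSIONS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),   # Patch 5
    (14, 1): (14, 1, 101),   # Patch 4
}

# The advisory defangs the address; refang it only for matching.
IOC_IP = "216.126.225[.]156".replace("[.]", ".")


def parse_version(version: str) -> tuple:
    """'14.0.341' -> (14, 0, 341); reject anything that is not three integers."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SMA version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str):
    """True if the build is at or above the fixed version for its branch,
    False if below it, None if the branch is not one the advisory covers
    (treat None as 'needs manual review', not as safe)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def find_ioc_hits(log_lines):
    """Return log lines containing the advisory's external server address.
    Boundaries stop 216.126.225.1 or 1216.126.225.156 from matching."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


if __name__ == "__main__":
    for v in ("13.2.182", "13.2.183", "14.0.341", "12.1.9"):
        print(v, is_patched(v))
    # Constructed sample proxy lines (assumed format), not real telemetry.
    sample = [
        "2026-03-10T02:14:07Z allow 10.0.4.12 -> 216.126.225.156:443",
        "2026-03-10T02:14:09Z allow 10.0.4.12 -> 216.126.225.1:443",
        "2026-03-10T02:15:00Z allow 10.0.4.12 -> 1216.126.225.156:443",
    ]
    print(find_ioc_hits(sample))
```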

    Source: The Hacker News | Arctic Wolf Research