Quest KACE SMA authentication bypass (CVE-2025-32975)
Vulnerability
Summary
Quest KACE SMA systems exposed to the internet were found at risk from CVE-2025-32975, an authentication bypass flaw that can enable administrative takeover and remote command execution. Malicious activity consistent with exploitation was observed beginning the week of March 9, 2026 on unpatched appliances. Although Quest patched the bug in May 2025, exposed instances that missed the update remained vulnerable. The flaw matters because successful abuse can let attackers impersonate users, create new admin access, and run commands on affected systems.
Related Happenings
cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
Langflow CVE-2026-33017 exploitation wave
Exploitation Wave
First: 20.03.2026 12:20
Last: 20.03.2026 12:20
Sources 1
About this happening:
**CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
Timeline
23.03.2026 08:15 · 2 articles
Arctic Wolf reports suspected exploitation of Quest KACE SMA CVE-2025-32975
Initial Disclosure
Arctic Wolf reported malicious activity in customer environments consistent with exploitation of CVE-2025-32975 against unpatched Quest KACE Systems Management Appliance (SMA) systems exposed to the internet. The activity was observed starting the week of March 9, 2026 and included administrative account takeover, remote commands to drop Base64-encoded payloads from 216.126.225[.]156 via curl, creation of additional administrative accounts through runkbot.exe, Windows Registry modifications, credential harvesting with Mimikatz, and RDP access to backup infrastructure and domain controllers. Quest patched CVE-2025-32975 in May 2025, but exposed SMA instances that missed the update remained vulnerable.
Sources:
- Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems — thehackernews.com — 23.03.2026 08:15