Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Authentication Bypass in Quest KACE Systems Management Appliance SSO

IdentifiersCVE-2025-32975CWE-287· Improper Authentication

CVE-2025-32975 is a critical improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) affecting the SSO authentication handling mechanism. The flaw allows a remote, unauthenticated attacker to impersonate legitimate users, including administrators, without supplying valid credentials. Available reporting indicates the issue stems from improper validation of authentication tokens or session state during the SSO process, causing the appliance to treat crafted requests as authenticated. The vulnerability affects Quest KACE SMA 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 Patch 5, and 14.1.x before 14.1.101 Patch 4. Public reporting also states exploitation has been observed against unpatched, internet-exposed instances.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables full authentication bypass and impersonation of legitimate users, up to and including administrative accounts. In practice this can result in complete administrative takeover of the SMA appliance. Because KACE SMA is an endpoint and systems management platform, compromise can enable an attacker to deploy software, execute commands, modify configurations, create rogue administrative accounts, access managed endpoint data, and potentially pivot into broader enterprise environments. Observed post-exploitation activity reportedly included remote command execution via appliance functionality, payload download, credential theft, persistence actions, and access to backup infrastructure and domain controllers, indicating substantial downstream compromise potential.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is completed, remove Quest KACE SMA from direct internet exposure, restrict administrative access to trusted networks or VPN-only paths, and monitor for signs of compromise. Hunt for unauthorized or newly created administrative accounts, review authentication and administrative activity, inspect for suspicious use of runkbot.exe, PowerShell, curl, and credential-dumping tools, and investigate any connections to reported infrastructure such as 216.126.225.156. Rotate KACE administrative credentials and any credentials stored on or accessible from the appliance. Given observed in-the-wild exploitation, any unpatched internet-facing instance should be treated as potentially compromised and subjected to incident response review.

Remediation

Patch, then assume compromise.

Upgrade Quest KACE SMA to a fixed release. Reported fixed versions are 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, and 14.1.101 Patch 4. For supported 13.x branches, Quest also made a security hotfix available through the support portal for application via the Admin console under Settings and Appliance Updates. Organizations should prioritize patching any internet-exposed or otherwise reachable SMA instance immediately and validate that the appliance is running a non-vulnerable build.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Quest SoftwareKace Systems Management Applianceapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

77 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

77 SOURCESView more in app
security affairsNews
May 13, 2026
Quest KACE SMA flaw CVE-2025-32975: when one unpatched tool opens the door to 60 organizations

A critical authentication bypass vulnerability in Quest KACE SMA's SSO authentication handling that can allow unauthenticated attackers to impersonate legitimate users, including administrators, on an internet-exposed endpoint management platform.

Read more
security affairsNews
Apr 21, 2026
U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog

An improper authentication vulnerability in Quest KACE Systems Management Appliance that has been observed in opportunistic attacks enabling administrative access.

Read more
thecyberexpress com vulnerabilitiesNews
Apr 21, 2026
CISA Adds 8 Flaws To KEV Catalog, Cisco Catalyst Included

A critical improper authentication flaw in Quest KACE Systems Management Appliance that allows attackers to impersonate legitimate users without credentials.

Read more
cyberthroneNews
Apr 21, 2026
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog - TheCyberThrone

An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA).

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity69

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-32975
NVD
nvd.nist.gov/vuln/detail/CVE-2025-32975
MITRE CWE · CWE-287
Improper Authentication
Vendor Advisory
support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
Third Party Advisory
seclists.org/fulldisclosure/2025/Jun/25
Third Party Advisory
seclists.org/fulldisclosure/2025/Jun/22
Third Party Advisory
seralys.com/research/CVE-2025-32975.txt
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975