Quest KACE SMA Vulnerability Exploited, Threatening Full System Takeover
Threat actors are suspected of actively exploiting a critical security vulnerability in Quest KACE Systems Management Appliance (SMA) after it was left unpatched by some organizations. Cybersecurity firm Arctic Wolf reported observing malicious activity consistent with the exploitation of CVE-2025-32975 on internet-exposed SMA systems as early as the week of March 9, 2026. This critical flaw, which carries a CVSS score of 10.0, allows attackers to bypass authentication, impersonate legitimate users, and potentially gain complete administrative control over affected systems.
The vulnerability, designated CVE-2025-32975, was officially patched by Quest in May 2025. However, the ongoing exploitation suggests that a number of organizations have failed to apply these crucial security updates, leaving their Quest KACE SMA instances vulnerable to severe compromise. The full scope and ultimate objectives of these attacks remain undetermined at this time.
Details of the Exploitation Campaign
According to Arctic Wolf’s analysis, attackers are believed to have weaponized the authentication bypass flaw to gain administrative privileges on compromised SMA systems. Once access was achieved, threat actors reportedly executed remote commands to download Base64-encoded payloads from an external server, identified as 216.126.225[.]156, utilizing the curl command.
Following the initial payload deployment, the attackers moved to establish further control and persistence within the compromised environments. This included the creation of additional administrative accounts leveraging runkbot.exe, a background process integral to the SMA Agent responsible for script execution and installation management. Furthermore, evidence suggests modifications to the Windows Registry were conducted via PowerShell scripts, potentially for maintaining persistence or altering system configurations.
Broader Post-Exploitation Activities
The observed malicious activities extended beyond initial system takeover. Threat actors were documented engaging in credential harvesting techniques, notably employing the well-known Mimikatz tool. This indicates an effort to capture sensitive login information from the compromised systems.
In addition to credential theft, the attackers conducted extensive discovery and reconnaissance operations. This involved enumerating logged-in users and existing administrator accounts, as well as executing network commands such as “net time” and “net group” to map out the network infrastructure and identify further targets. Critically, the threat actors also gained Remote Desktop Protocol (RDP) access to sensitive backup infrastructure, specifically Veeam and Veritas systems, as well as to domain controllers, posing a significant risk to data integrity and overall network security.
Mitigation and Ongoing Concerns
To address this pressing security threat, administrators are strongly advised to implement the latest security updates for their Quest KACE SMA deployments immediately. Furthermore, it is crucial to avoid exposing SMA instances directly to the internet, thereby reducing the attack surface. The patched versions of the Quest KACE SMA that address CVE-2025-32975 include 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
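The fixed builds listed above are per release branch, so a version check has to compare within the right branch rather than as a flat number. The script below is an added example, not Quest's or Arctic Wolf's code; it assumes SMA reports its version as major.minor.build (trailing text such as "(Patch 5)" is ignored) and treats any branch not named in the advisory text as unknown rather than guessing.

```python
"""Classify Quest KACE SMA version strings against the builds that fix
CVE-2025-32975 (13.0.385, 13.1.81, 13.2.183, 14.0.341, 14.1.101)."""
from typing import Tuple

# Minimum fixed build per (major, minor) branch, taken from the article.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,   # Patch 5
    (14, 1): 101,   # Patch 4
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build'; anything after the first whitespace
    (e.g. ' (Patch 4)') is dropped. Assumed format, not documented here."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch'.

    A branch absent from FIXED_BUILDS (older than 13.0 or newer than 14.1)
    is reported as unknown because the advisory text does not cover it."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = [
        ("sma-01", "14.0.340"),
        ("sma-02", "14.1.101 (Patch 4)"),
        ("sma-03", "13.2.183"),
        ("sma-04", "12.1.169"),
    ]
    for host, ver in inventory:
        print(f"{host}: {ver} -> {assess(ver)}")
```

Hosts reported as vulnerable or unknown-branch should be taken off the internet edge and checked against Quest's release notes before the result is trusted.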
The continued exploitation of this critical Quest KACE SMA vulnerability underscores the persistent challenge of patch management in complex IT environments. Organizations that have not yet updated their systems remain at high risk of data breaches, system disruptions, and unauthorized access. The evolving nature of these attacks means organizations must remain vigilant, monitor their networks for suspicious activity, and prioritize the timely application of security patches to defend against emerging threats. Further intelligence regarding the specific motives and full impact of these attacks is anticipated as investigations continue.