PROBABLYPWNED
Vulnerabilities | March 24, 2026 | 3 min read

Quest KACE SMA CVSS 10.0 Flaw Exploited in the Wild

Attackers exploiting CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025—many remain exposed.

Marcus Chen

Arctic Wolf observed active exploitation of a maximum-severity flaw in Quest KACE Systems Management Appliance starting the week of March 9, 2026. CVE-2025-32975 carries a perfect CVSS 10.0 score and allows attackers to bypass authentication entirely, impersonating legitimate administrators without valid credentials.

Quest patched this vulnerability back in May 2025. Ten months later, exposed instances are getting compromised.

How the Attack Unfolds

The exploitation chain moves fast once initial access is established. Arctic Wolf documented the following sequence in affected environments:

  1. Attackers exploit CVE-2025-32975 to seize administrative accounts
  2. Remote commands drop Base64-encoded payloads via curl requests
  3. Additional admin accounts get created using runkbot.exe (KACE's background agent)
  4. Windows Registry modifications establish persistence
  5. Mimikatz is deployed for credential harvesting
  6. Reconnaissance maps the network before RDP pivots to backup and domain infrastructure

The attack demonstrates how a single unpatched appliance provides everything needed for full domain compromise. Similar patterns appeared in the Fortinet auth bypass attacks we covered, where network management tools became pivot points for lateral movement.

Why KACE Makes an Attractive Target

Systems Management Appliances hold elevated privileges by design. KACE deployments typically have:

  • Administrative access across managed endpoints
  • Stored credentials for deployment tasks
  • Network visibility into asset inventory
  • Trust relationships with domain controllers

Compromising the SMA gives attackers a legitimate management interface. Commands executed through KACE's normal functionality blend with expected traffic. Organizations monitoring for anomalous PowerShell or lateral movement might miss activity routed through their own management plane.

Affected Versions and Patches

Quest addressed CVE-2025-32975 in these versions:

  • 13.0.385
  • 13.1.81
  • 13.2.183
  • 14.0.341 (Patch 5)
  • 14.1.101 (Patch 4)

If you're running anything older and the appliance faces the internet, assume compromise until proven otherwise. Arctic Wolf provided a C2 indicator at 216.126.225[.]156 associated with payload delivery in observed attacks.
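
To check an appliance inventory against the fixed builds listed above, the following added example (not part of the original article, and not code from Quest or Arctic Wolf) compares versions numerically per release branch and applies the article's rule for internet-facing appliances. The hostnames and sample inventory are constructed, and treating a branch that is absent from the list as "unknown" is an assumption.

```python
# Fixed builds per release branch, copied from the list in this article.
FIXED_BUILDS = {(13, 0): 385, (13, 1): 81, (13, 2): 183,
                (14, 0): 341,   # Patch 5
                (14, 1): 101}   # Patch 4

def parse_version(text):
    """Split 'major.minor.build' into ((major, minor), build) as integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor), build

def patch_status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one appliance version."""
    try:
        branch, build = parse_version(version)
    except ValueError:
        return "unknown"
    if branch in FIXED_BUILDS:
        # Compare build numbers as integers: 13.1.100 is newer than 13.1.81.
        return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < min(FIXED_BUILDS):
        return "vulnerable"  # older than every listed branch ("anything older")
    return "unknown"         # assumption: unlisted branch, confirm with the vendor

def triage(appliances):
    """Map (host, version, internet_facing) records to a follow-up action."""
    actions = {}
    for host, version, internet_facing in appliances:
        status = patch_status(version)
        if status == "vulnerable":
            actions[host] = "assume-compromise" if internet_facing else "patch-then-audit"
        elif status == "unknown":
            actions[host] = "verify-manually"
        else:
            actions[host] = "patched"
    return actions

# Constructed inventory, for illustration only.
SAMPLE_INVENTORY = [
    ("kace-dmz.example", "13.2.181", True),
    ("kace-hq.example", "14.0.340", False),
    ("kace-lab.example", "13.1.100", False),
    ("kace-old.example", "12.1.149", True),
    ("kace-new.example", "14.2.7", False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {action}")
```

A "patched" result only describes the current build; an appliance that was exposed before it was updated still needs the audit steps in the next section.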

Immediate Actions

Patch first. Then audit. The exploitation timeline suggests attackers had months to identify and probe exposed KACE instances since the fix shipped.

Beyond patching:

  1. Remove internet exposure — SMA instances should not be directly accessible from the internet. Place them behind VPNs or zero-trust access controls
  2. Audit administrator accounts — Look for recently created accounts or unexpected privilege escalations
  3. Review KACE logs — Check for runkbot.exe command execution patterns and unusual administrative activity
  4. Hunt for persistence — Registry modifications and scheduled tasks warrant inspection on systems managed by KACE

The Broader Pattern

This incident fits a concerning trend: attackers increasingly target network and systems management tools rather than endpoints directly. We've seen similar campaigns against VMware Aria Operations, Honeywell building management systems, and various Cisco management consoles. The Pwn2Own Automotive 2026 event demonstrated just how many critical zero-days exist across management infrastructure.

The logic is straightforward. Why attack individual systems when you can compromise the tool that manages hundreds of them?

Organizations should inventory their management infrastructure and treat these systems as tier-zero assets—equivalent to domain controllers in terms of security posture and monitoring requirements. For a deeper look at how these authentication bypass patterns keep appearing across network appliances, see our analysis of the recurring design flaws.
