Vulnerabilities | Mar 21, 2026

Critical Quest KACE Vulnerability Potentially Exploited in Attacks

Critical Quest KACE authentication bypass CVE-2025-32975 actively exploited in education sector attacks.

Summary

Arctic Wolf detected active exploitation of CVE-2025-32975, a critical authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA) affecting unpatched, internet-exposed instances. The flaw allows unauthenticated attackers to impersonate users and achieve full administrative control. Exploitation began around early March 2026, with affected organizations primarily in the education sector across multiple regions; the attack appears opportunistic rather than targeted.

Full text

Arctic Wolf has detected suspicious activity in client networks that appears tied to the exploitation of CVE-2025-32975, a critical authentication bypass flaw affecting unpatched Quest KACE Systems Management Appliance (SMA) instances exposed to the internet.

KACE SMA is an on-premises tool used for centralized endpoint management, including asset inventory, software distribution, patching, and monitoring. CVE-2025-32975, which Quest patched in May 2025, allows unauthenticated threat actors to impersonate legitimate users, potentially leading to full administrative takeover of the appliance.

According to Arctic Wolf, attackers appear to have exploited CVE-2025-32975 to gain initial access to a system, after which they achieved administrative control. There do not seem to be any other reports describing potential exploitation of this security hole.

The cybersecurity firm found no signs that three related vulnerabilities (CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978), also addressed in May 2025, were involved in the observed incidents.

The activity observed by Arctic Wolf likely began in early March 2026. It’s unclear who is behind the attack and what their goal is.

“At this time, we are unable to provide additional details regarding the attacker or their motivation. Although some affected customers were in the education sector in different regions, we do not have sufficient data to determine whether this sector was specifically targeted,” Arctic Wolf Labs told SecurityWeek.

It added, “Given that the exploitation involved an internet-exposed appliance, it was likely opportunistic.”

Organizations still running outdated Quest KACE SMA versions are urged to apply the available patches immediately to prevent intrusions.

Written by Eduard Kovacs

Indicators of Compromise

  • cve — CVE-2025-32975
  • cve — CVE-2025-32976
  • cve — CVE-2025-32977
  • cve — CVE-2025-32978