Warning: Critical 10.0 CVSS Quest KACE Flaw from 2025 Now Actively Exploited

Active Exploitation of Year-Old Critical Quest KACE Vulnerability (CVE-2025-32975) Observed in New Attacks

CRITICAL
March 23, 2026
5m read
Vulnerability, Cyberattack, Patch Management

Related Entities

Organizations

Quest, Arctic Wolf

Products & Tech

Quest KACE Systems Management Appliance (SMA)

CVE Identifiers

CVE-2025-32975 (CRITICAL, CVSS 10.0)

Full Report

Executive Summary

A critical authentication bypass vulnerability in the Quest KACE Systems Management Appliance (SMA), tracked as CVE-2025-32975, is now under active exploitation, nearly a year after a patch was released. The flaw carries the maximum CVSS score of 10.0 and allows a remote, unauthenticated attacker to take complete control of an unpatched, internet-facing KACE SMA instance. Security firm Arctic Wolf reported observing attacks from early March 2026 in which threat actors exploited the flaw to gain initial administrative access. Post-exploitation activity included deploying the credential dumper Mimikatz, creating persistent administrative accounts, and moving laterally to domain controllers and backup servers. The campaign is a stark reminder that old, already-patched vulnerabilities remain a significant threat; organizations are strongly urged to ensure their KACE SMA instances are patched and not reachable from the internet.


Vulnerability Details

  • CVE ID: CVE-2025-32975
  • CVSS Score: 10.0 (Critical)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Description: An authentication bypass vulnerability that allows an unauthenticated attacker to impersonate any user, including a full administrator, by sending a specially crafted request to the appliance.
  • Affected Product: Quest KACE Systems Management Appliance (SMA)
  • Patch Released: May 2025

Because the KACE SMA is a centralized tool for managing endpoints—handling asset inventory, software distribution, and patching—its compromise provides a powerful foothold for attackers to control an entire fleet of corporate devices.

Exploitation Status

As of March 2026, active exploitation has been confirmed in the wild by Arctic Wolf. The attacks appear to be opportunistic, targeting any unpatched KACE SMA appliance that is discoverable on the internet. While some victims were in the education sector, the threat is not limited to any specific vertical.

Attack Chain

  1. Initial Access: The attacker exploits CVE-2025-32975 on an internet-exposed KACE SMA to gain administrative access without credentials (T1190 - Exploit Public-Facing Application).
  2. Execution & Persistence: With administrative control of the appliance, the attacker uses its built-in remote execution and software distribution features to run commands on managed endpoints (T1072 - Software Deployment Tools), and creates new administrative accounts on the KACE appliance to retain access even if the original entry point is patched (T1136 - Create Account).
  3. Credential Access: The attackers deploy and execute Mimikatz to dump credentials (T1003.001 - OS Credential Dumping: LSASS Memory). The SMA itself is a hardened appliance rather than a Windows host, so Mimikatz runs on Windows systems reached through the compromised appliance, not on the appliance itself.
  4. Lateral Movement: Using the stolen credentials, the attackers move laterally to other high-value targets on the network, such as domain controllers and backup servers (T1021.002 - Remote Services: SMB/Windows Admin Shares).

Impact Assessment

  • Complete Network Compromise: A compromised KACE SMA is a 'keys to the kingdom' event. It gives attackers a trusted, centralized platform from which to deploy malware to every managed endpoint, harvest credentials, and take over the entire network.
  • Data Breach: Access to domain controllers and backup servers can lead to a full-scale data breach of all corporate information.
  • Ransomware Deployment: The level of access gained is ideal for deploying ransomware across the entire organization for maximum impact.

Detection Methods

  1. Check for Rogue Admins: Audit all administrative accounts on the KACE SMA appliance against a known-good baseline. Flag any account that is unrecognized, or that was created or promoted to administrator after the appliance became exposed.
  2. Review KACE Logs: Analyze KACE SMA audit logs for suspicious administrative activity, such as new scripts or managed installations pushed to endpoints, and for administrative logins from unknown IP addresses.
  3. Endpoint Monitoring: Use EDR to monitor for the execution of Mimikatz or other credential dumping tools, especially on endpoints to which the KACE appliance has recently pushed scripts or packages.
  4. Network Monitoring: Look for lateral movement attempts originating from the KACE SMA's IP address, such as an unusual number of SMB or RDP connections to servers it does not normally manage; domain controllers and backup servers are the targets observed in this campaign.
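As an added example (not code from the article, Quest, or Arctic Wolf), the following Python script implements the first and fourth checks above as a hunt over constructed sample data: a diff of the appliance's administrator list against a known-good baseline, and a fan-out detector that flags any ten-minute window in which the SMA's address opens SMB or RDP sessions to five or more distinct internal hosts. The appliance IP, the user-export field names and the "Administrator" role label, the threshold values, and every record below are assumptions made for illustration; point the two functions at a real user export and flow log to use them.

```python
"""Hunt checks for a suspected KACE SMA compromise (added example, not the
article's or vendor's code). All data below is constructed for illustration."""
from datetime import datetime, timedelta

KACE_SMA_IP = "10.10.5.20"      # assumed address of the appliance
LATERAL_PORTS = {445, 3389}     # SMB and RDP
FANOUT_THRESHOLD = 5            # distinct hosts in one window before alerting
WINDOW = timedelta(minutes=10)

# Constructed known-good list of appliance administrators from before the
# exposure window (e.g. a user export taken when the appliance was built).
BASELINE_ADMINS = {"kace_admin", "itops.svc"}

# Constructed current user export. Field names and the "Administrator" role
# label are assumptions; a real SMA export will use its own column names.
CURRENT_USERS = [
    {"name": "kace_admin", "role": "Administrator", "created": "2023-02-14T09:12:00"},
    {"name": "itops.svc",  "role": "Administrator", "created": "2024-06-01T08:00:00"},
    {"name": "jdoe",       "role": "Read Only",     "created": "2025-11-03T10:45:00"},
    {"name": "sysupdate",  "role": "Administrator", "created": "2026-03-02T02:17:00"},
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port), the minimum
# a firewall, NetFlow or Zeek conn export provides.
FLOWS = [
    ("2026-03-01T14:03:00", "10.10.40.15", KACE_SMA_IP, 443),   # admin console use, normal
    ("2026-03-01T15:10:00", KACE_SMA_IP, "10.10.1.10", 445),    # one SMB session: not alarming alone
    ("2026-03-02T02:20:00", KACE_SMA_IP, "10.10.1.10", 445),    # DC01
    ("2026-03-02T02:21:00", KACE_SMA_IP, "10.10.1.11", 445),    # DC02
    ("2026-03-02T02:23:00", KACE_SMA_IP, "10.10.2.30", 3389),   # backup server
    ("2026-03-02T02:24:00", KACE_SMA_IP, "10.10.3.40", 445),    # file server
    ("2026-03-02T02:26:00", KACE_SMA_IP, "10.10.3.41", 445),    # file server
    ("2026-03-02T02:28:00", KACE_SMA_IP, "10.10.4.50", 445),    # app server
    ("2026-03-02T02:29:00", "10.10.40.15", KACE_SMA_IP, 443),   # not sourced from the SMA: ignored
]


def rogue_admins(users, baseline, since):
    """Return administrator names that are absent from the baseline or were
    created on/after `since` (ISO 8601). A baseline name re-created after the
    intrusion date is flagged too, since deleting and re-adding an account
    with a familiar name is a common way to hide persistence."""
    since_dt = datetime.fromisoformat(since)
    flagged = []
    for user in users:
        if user["role"] != "Administrator":
            continue
        created = datetime.fromisoformat(user["created"])
        if user["name"] not in baseline or created >= since_dt:
            flagged.append(user["name"])
    return sorted(flagged)


def lateral_fanout(flows, src_ip, ports, threshold, window):
    """Slide a window over SMB/RDP sessions sourced from `src_ip` and return
    (window_start, sorted distinct targets) for the first window that reaches
    `threshold` distinct destination hosts, or None if no window does.
    A management appliance does not normally open admin-share or RDP sessions
    to a burst of servers, so the fan-out is the signal, not any single flow."""
    hits = sorted(
        (datetime.fromisoformat(ts), dst)
        for ts, src, dst, port in flows
        if src == src_ip and port in ports
    )
    for i, (start, _) in enumerate(hits):
        targets = {dst for t, dst in hits[i:] if t < start + window}
        if len(targets) >= threshold:
            return start.isoformat(), sorted(targets)
    return None


if __name__ == "__main__":
    # Suspected intrusion start: the observed wave began in early March 2026.
    print("rogue admins:", rogue_admins(CURRENT_USERS, BASELINE_ADMINS, "2026-03-01T00:00:00"))
    print("fan-out:", lateral_fanout(FLOWS, KACE_SMA_IP, LATERAL_PORTS, FANOUT_THRESHOLD, WINDOW))
```

On the constructed data the first check returns only `sysupdate`, and the second returns the window starting 02:20 on March 2 with six distinct targets. The lone SMB session on March 1 is deliberately not flagged: a threshold on distinct hosts per window keeps a single legitimate file copy from paging the on-call analyst, while the burst against controllers, backup and file servers is exactly the pattern the campaign produced.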

Remediation Steps

  1. Patch Immediately (D3-SU): The most critical step is to ensure your KACE SMA is updated to a version that includes the patch for CVE-2025-32975, released in May 2025. This is a direct application of D3FEND Software Update (D3-SU).
  2. Isolate from the Internet (D3-NI): There is rarely a valid reason for a systems management appliance like KACE SMA to be exposed to the public internet. Place the appliance behind a firewall and VPN, and restrict access to only authorized administrators. This is a critical D3FEND Network Isolation (D3-NI) measure.
  3. Hunt for Compromise: If you find your system was unpatched and exposed, assume compromise. Initiate a full incident response investigation. This includes rotating all credentials, checking for persistence mechanisms, and analyzing logs for attacker activity.

Timeline of Events

1. May 1, 2025: Quest releases a patch for the critical vulnerability CVE-2025-32975.
2. March 1, 2026: Arctic Wolf observes a new wave of attacks actively exploiting CVE-2025-32975 against unpatched, internet-facing systems.
3. March 23, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying the patch from May 2025 is the definitive fix for the vulnerability (M1051 - Update Software).

Removing the KACE SMA from public internet exposure is a critical compensating control that prevents external exploitation (M1030 - Network Segmentation; M1035 - Limit Access to Resource Over Network).

Auditing for and removing rogue administrative accounts helps to evict attackers and remediate the compromise (M1018 - User Account Management; M1026 - Privileged Account Management).

D3FEND Defensive Countermeasures

The active exploitation of CVE-2025-32975 underscores a fundamental security failure: exposing management appliances to the public internet. The most effective mitigation beyond patching is strict network isolation for the Quest KACE SMA. The appliance should never be directly reachable from the internet. Place it on a dedicated management VLAN with firewall rules that deny all inbound connections from external addresses, and restrict administrative access to internal staff via a VPN or a jump host. Managed agents still need to reach the appliance, so scope the agent communication path to the internal networks where endpoints live rather than opening it to the world. This one architectural change would have kept the vulnerable appliance out of reach of the opportunistic internet-wide scanning behind this campaign. It does not replace the patch: an attacker who gains an internal foothold by other means can still exploit an unpatched appliance. The same hardening applies to all internal management infrastructure.

This incident highlights the long tail of risk from unpatched vulnerabilities. A patch for this 10.0 CVSS flaw has been available for nearly a year. Organizations must have a robust and comprehensive patch management program that ensures all assets, including infrastructure appliances like the KACE SMA, are patched in a timely manner. Use authenticated vulnerability scanning to continuously assess the patch status of all systems. For a vulnerability this critical, patching should have been completed on an emergency basis in May 2025. Any organization still running a vulnerable version must treat this as a critical security failure and immediately apply the update. After patching, it is essential to assume compromise and initiate a threat hunt for the TTPs described, such as rogue admin accounts and signs of lateral movement.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2025-32975, Quest KACE, vulnerability, active exploitation, Mimikatz, patch management
