Security researchers at Arctic Wolf have issued an urgent warning after observing a spike in malicious activity targeting unpatched Quest KACE Systems Management Appliances (SMA). Starting the week of March 9, 2026, threat actors were caught exploiting a year-old critical vulnerability to hijack enterprise endpoints and gain full administrative control over corporate networks.
The flaw, tracked as CVE-2025-32975, is particularly dangerous because it targets an appliance designed for centralized management, giving attackers a key to software deployment, patching, and monitoring across an entire organization.
The vulnerability lies in the appliance’s Single Sign-On (SSO) authentication handling mechanism. By exploiting this weakness, hackers can bypass standard security checks entirely.
“CVE-2025-32975 is a critical authentication bypass vulnerability that allows threat actors to impersonate legitimate users without valid credentials”.
Once the authentication is bypassed, the results are catastrophic: a “complete administrative takeover”. In recent attacks, researchers observed threat actors achieving this takeover almost immediately after initial access, using the appliance's own KPlugin RunProcess functionality to execute remote commands and deliver Base64-encoded payloads.
Once inside, the threat actors moved quickly to secure their foothold and expand their reach:
- Account Creation: Attackers used the legitimate Quest KACE process runkbot.exe to create new administrative accounts and add them to “domain admins” groups.
- Stealthy Execution: PowerShell scripts were executed in a “bypassed and hidden context” to modify system registries and enable unauthorized services.
- Credential Harvesting: The well-known tool Mimikatz, sometimes disguised as asd.exe, was deployed to harvest user credentials.
- Network Discovery: Attackers enumerated logged-in users and domain controllers to map out the network infrastructure.
Most alarmingly, the attackers successfully moved laterally to gain RDP access to critical backup infrastructure, including Veeam and Veritas systems, as well as core domain controllers.
Although a patch for this vulnerability has been available since May 2025, many publicly exposed instances remain vulnerable. Arctic Wolf emphasizes that these appliances should never be directly accessible from the open internet.
| Affected Product Version | Minimum Fixed Version |
| --- | --- |
| 13.0.x | 13.0.385 or later |
| 13.1.x | 13.1.81 or later |
| 14.0.x | 14.0.341 (Patch 5) or later |
| 14.1.x | 14.1.101 (Patch 4) or later |
If your organization requires remote access to KACE SMA, researchers strongly recommend restricting that access through a VPN or firewall.
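As an added illustration (not code from Arctic Wolf or Quest), the following script turns the fixed-version table and the exposure guidance above into a triage check: it parses KACE SMA version strings such as "14.0.341 (Patch 5)", compares each appliance against the minimum fixed build for its branch, and ranks exposed, unpatched appliances first. The inventory hostnames and version values are constructed sample data, and branches not listed in the table are reported as unknown rather than assumed safe.

```python
import re

# Minimum fixed build per affected branch, taken from the advisory's table.
# Stored as (major, minor, build); the "(Patch N)" suffix adds no ordering information.
MIN_FIXED = {
    "13.0": (13, 0, 385),
    "13.1": (13, 1, 81),
    "14.0": (14, 0, 341),
    "14.1": (14, 1, 101),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a KACE SMA version string like '14.0.341 (Patch 5)' into (major, minor, build)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one appliance version."""
    major, minor, build = parse_version(version_text)
    branch = f"{major}.{minor}"
    if branch not in MIN_FIXED:
        # Not covered by the table: consult vendor guidance, do not assume it is safe.
        return "unknown-branch"
    return "fixed" if (major, minor, build) >= MIN_FIXED[branch] else "vulnerable"


def triage(inventory):
    """inventory: {host: (version_text, internet_exposed)} -> list of (priority, host, status).

    Priority 0 = unpatched and reachable from the internet (patch and restrict access now),
    1 = unpatched but only reachable via VPN/firewall, 2 = unknown branch, 3 = fixed.
    """
    rank = {"vulnerable": 1, "unknown-branch": 2, "fixed": 3}
    rows = []
    for host, (version_text, exposed) in inventory.items():
        status = assess(version_text)
        priority = 0 if (status == "vulnerable" and exposed) else rank[status]
        rows.append((priority, host, status))
    return sorted(rows)


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "kace-hq": ("14.0.341 (Patch 5)", True),
    "kace-branch": ("14.1.97", True),
    "kace-lab": ("13.0.200", False),
    "kace-legacy": ("12.1.169", False),
}

if __name__ == "__main__":
    for priority, host, status in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host}: {status}")
```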