Detailed listing of tools and scripts within the exposed C2 directory | Image: Hunt
Cybersecurity researchers have just dropped a report on a critical “management plane” threat that has spent the last year silently compromising enterprise networks. At the center of the storm is the Quest KACE Systems Management Appliance (SMA), a platform so deeply integrated into corporate environments that its compromise effectively hands an attacker the keys to every managed endpoint on the network.
According to the latest findings from Hunt.io, a massive wave of active exploitation began on March 9, 2026, targeting a vulnerability that holds a CVSS score of 10.0.
This critical flaw is an authentication bypass in the KACE SMA’s Single Sign-On (SSO) mechanism. As the report highlights, “The flaw allows an unauthenticated, network-reachable attacker to impersonate legitimate users, including administrators, without supplying any credentials”.
Despite a patch being available since May 2025, Hunt.io’s scan data reveals that more than 12,000 appliances are currently internet-facing and running vulnerable versions. These exposed instances are trivial to find, because they “actively disclose version strings” in HTTP headers that can be read without authentication, so an attacker can sort vulnerable from patched appliances before sending a single exploit request.
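Version triage is the first thing a defender (or an attacker) does with that scan data. The script below is an added example, not Hunt.io’s or Quest’s code: it takes a list of (host, version string) pairs and classifies each against the fixed builds the article names in its remediation section. The version format (`MAJOR.MINOR.BUILD`, optionally followed by `Patch N`), the choice to compare build and patch level as a numeric tuple, and the sample hosts are all assumptions; branches the article does not list are reported as unknown rather than guessed.

```python
"""Classify KACE SMA version strings against the fixed builds named in the article.

Added example, not vendor or Hunt.io code. Assumptions: versions look like
"13.0.385" or "14.0.341 Patch 5"; a missing patch level counts as 0; a branch is
patched when (build, patch) is at or above the fixed pair for that branch.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed builds from the article's remediation guidance: (major, minor) -> (build, patch).
FIXED: Dict[Tuple[int, int], Tuple[int, int]] = {
    (13, 0): (385, 0),
    (14, 0): (341, 5),
    (14, 1): (101, 4),
}

# Assumed header/banner format; adapt the regex if the appliance reports differently.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, build, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched', 'unknown-branch' or 'unparseable'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, minor, build, patch = parsed
    fix = FIXED.get((major, minor))
    if fix is None:
        # Not a branch the article lists: check the vendor advisory instead of guessing.
        return "unknown-branch"
    return "patched" if (build, patch) >= fix else "vulnerable"


def triage(records: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its status. records: iterable of (host, version_string)."""
    return {host: assess(version) for host, version in records}


# Constructed sample input; these are not real hosts or scan results.
SAMPLE = [
    ("sma-a.example", "13.0.380"),          # below 13.0.385
    ("sma-b.example", "13.0.385"),          # exactly the fixed build
    ("sma-c.example", "14.0.341"),          # right build, missing Patch 5
    ("sma-d.example", "14.0.341 Patch 5"),
    ("sma-e.example", "14.1.101 Patch 3"),  # one patch short
    ("sma-f.example", "14.1.150"),          # later build on the 14.1 branch
    ("sma-g.example", "14.2.10"),           # branch not covered by the article
    ("sma-h.example", "n/a"),               # banner did not expose a version
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:16} {status}")
```

Feed it whatever your scanner or asset inventory reports for the appliance; the useful part is the comparison rule, which treats `14.0.341` without a patch level as still vulnerable, exactly the case a naive string match on "14.0.341" would get wrong.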
The investigation identified a primary victim: HIQ, a Boston-based Managed IT Services Provider (MSP). The breach of HIQ’s KACE appliance is a textbook case of “downstream exposure.” An exfiltrated database dump showed that this single appliance managed the endpoints of more than 60 client organizations, ranging from law enforcement and government to healthcare and education.
For those clients the exposure was immediate: the attackers gained access to “all operator and customer account usernames, SHA-1 password hashes, and role assignments”. SHA-1 is a fast hash that is cheap to attack offline, so every credential in that dump should be treated as compromised and rotated, not merely monitored.
On March 12, 2026, researchers captured an “exposed file directory” on the attacker’s C2 server, providing a rare, unfiltered look at the post-exploitation infrastructure. The 308 MB toolkit contained 219 files designed to cover every phase of an intrusion:
- Persistence via “kace_admin”: The primary foothold was a backdoor local account named kace_admin, enrolled in the Administrators and Remote Desktop Users groups so the operator could return over RDP with full local rights.
- Domain-Wide Reconnaissance: A sophisticated PowerShell script (cm_disk.ps1) was found that “queries Active Directory to enumerate up to 10,000 domain computers,” collecting hostnames, OS versions, disk usage, and even identifying who was actively logged into each machine.
- Custom SOCKS5 Tunneling: Attackers used a custom TCP-multiplexed tunnel (1.py and 2.py) to “evade firewall detection” by initiating outbound connections from the victim side back to the C2.
While the attackers were highly successful, they were sloppy with their own security. By leaving their C2 directory open and unauthenticated, they exposed metadata that painted a “precise picture of the operator’s working environment”. Forensic analysis of LNK files revealed the attacker was operating from a rented VPS with the hostname windows-utah-8g, using a Tor Browser for anonymity and the Session messaging app for encrypted communications.
If your organization utilizes a KACE SMA appliance, the following steps are critical:
- Patch Immediately: Ensure your appliance is updated to version 13.0.385, 14.0.341 Patch 5, 14.1.101 Patch 4, or higher.
- Hunt for “kace_admin”: Search all Windows hosts for the creation of this local account. Its presence “confirms the host was reached by the attacker”.
- Firewall the C2: Block all traffic to 216.126.225[.]156 at your perimeter, and search historical proxy and firewall logs for earlier connections to it, since a block only stops future sessions.
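The kace_admin hunt in the second step, and the persistence technique described earlier in the article, can be turned into a concrete detection over Windows Security log exports. The script below is an added example, not Hunt.io’s tooling: it correlates event 4720 (account created), 4732 (member added to a local group) and 4624 logon type 10 (RDP) to flag hosts where the backdoor account was created, placed in the Administrators or Remote Desktop Users group, or used interactively. The event records are constructed here to mimic SIEM-exported Security log fields; the field names are an assumption to adapt to your own export format.

```python
"""Hunt Windows Security events for the kace_admin backdoor account.

Added example, not Hunt.io's code. Input is a list of dicts with the usual
Security log field names (EventID, Computer, TargetUserName, TargetSid,
MemberName, MemberSid, LogonType, IpAddress); adjust to your SIEM's export.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

BACKDOOR_ACCOUNT = "kace_admin"
# Groups the article says the account was enrolled in.
WATCHED_GROUPS = {"administrators", "remote desktop users"}


def _norm(name) -> str:
    """Strip a DOMAIN\\ or HOST\\ prefix and lower-case for comparison."""
    return (name or "").rsplit("\\", 1)[-1].strip().lower()


def hunt(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {computer: [finding, ...]} for every host touched by the indicator."""
    events = list(events)
    # Pass 1: SIDs assigned to any kace_admin account at creation time (4720).
    # Needed because 4732 for a *local* member often carries MemberName '-' and
    # identifies the member only by MemberSid.
    backdoor_sids = {
        ev.get("TargetSid")
        for ev in events
        if ev.get("EventID") == 4720 and _norm(ev.get("TargetUserName")) == BACKDOOR_ACCOUNT
    }
    backdoor_sids.discard(None)

    findings: Dict[str, List[str]] = defaultdict(list)
    # Pass 2: evaluate each event with the SID set available.
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        target = _norm(ev.get("TargetUserName"))
        if eid == 4720 and target == BACKDOOR_ACCOUNT:
            findings[host].append(f"4720 {BACKDOOR_ACCOUNT} created by {ev.get('SubjectUserName')}")
        elif eid == 4732 and target in WATCHED_GROUPS:
            # In 4732, TargetUserName is the GROUP; the member is MemberName/MemberSid.
            by_name = _norm(ev.get("MemberName")) == BACKDOOR_ACCOUNT
            by_sid = ev.get("MemberSid") in backdoor_sids
            if by_name or by_sid:
                findings[host].append(f"4732 {BACKDOOR_ACCOUNT} added to {ev.get('TargetUserName')}")
        elif eid == 4624 and target == BACKDOOR_ACCOUNT and ev.get("LogonType") == 10:
            findings[host].append(f"4624 RDP logon as {BACKDOOR_ACCOUNT} from {ev.get('IpAddress')}")
    return dict(findings)


# Constructed sample events (not real hosts, SIDs or log data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "kace_admin",
     "TargetSid": "S-1-5-21-111-222-333-1005", "SubjectUserName": "svc_kace"},
    {"EventID": 4732, "Computer": "WS01", "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": "S-1-5-21-111-222-333-1005"},
    {"EventID": 4732, "Computer": "WS01", "TargetUserName": "Remote Desktop Users",
     "MemberName": "-", "MemberSid": "S-1-5-21-111-222-333-1005"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "kace_admin",
     "LogonType": 10, "IpAddress": "10.0.0.5"},
    # Benign activity on WS02: a normal account and an unrelated group change.
    {"EventID": 4720, "Computer": "WS02", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-111-222-333-1010", "SubjectUserName": "helpdesk"},
    {"EventID": 4732, "Computer": "WS02", "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": "S-1-5-21-111-222-333-1010"},
    # WS03: group add seen without the creation event, matched by name instead.
    {"EventID": 4732, "Computer": "WS03", "TargetUserName": "Administrators",
     "MemberName": "WS03\\kace_admin", "MemberSid": "S-1-5-21-444-555-666-1007"},
]

if __name__ == "__main__":
    for host, items in hunt(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  ", item)
```

The two-pass design matters in practice: log collection is rarely complete or ordered, so the SID correlation catches group additions even when the 4732 record names the member only by SID, and the name match still fires on a host whose 4720 was never collected (WS03 in the sample). Any hit on a 4720 for kace_admin alone is enough to mark the host as reached, as the article states.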