Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems - The Hacker News
The Hacker NewsArchived Jun 07, 2026✓ Full text saved
Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems The Hacker News
Full text archived locally
✦ AI Summary· Claude Sonnet
Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems
Ravie LakshmananMar 23, 2026Vulnerability / Endpoint Security
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf.
The cybersecurity company said it observed malicious activity starting the week of March 9, 2026, in customer environments that's consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. It's currently not known what the end goals of the attack are.
CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. Successful exploitation of the flaw could facilitate the complete takeover of administrative accounts. The issue was patched by Quest in May 2025.
In the malicious activity detected by Arctic Wolf, threat actors are believed to have weaponized the vulnerability to seize control of administrative accounts and execute remote commands to drop Base64-encoded payloads from an external server (216.126.225[.]156) via the curl command.
The unknown attackers then proceeded to create additional administrative accounts via "runkbot.exe," a background process associated with the SMA Agent that's used to run scripts and manage installations. Also detected were Windows Registry modifications via a PowerShell script for possible persistence or system configuration changes.
Other actions undertaken by the threat actors are listed below -
Conducting credential harvesting using Mimikatz.
Performing discovery and reconnaissance by enumerating logged-in users and administrator accounts, and running "net time" and "net group" commands.
Obtaining remote desktop protocol (RDP) access to backup infrastructure (Veeam, Veritas) and domain controllers.
To counter the threat, administrators are advised to apply the latest updates and avoid exposing SMA instances to the internet. The issue has been addressed in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
cybersecurity, endpoint security, Malware, network security, remote code execution, Threat Intelligence, Vulnerability, windows security
⚡ Top Stories This Week
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Load More ▼
⭐ Featured Resources
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report