CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 07, 2026

Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems - The Hacker News

The Hacker News Archived Jun 07, 2026 ✓ Full text saved

Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems The Hacker News

Full text archived locally
✦ AI Summary · Claude Sonnet


    Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems Ravie LakshmananMar 23, 2026Vulnerability / Endpoint Security Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf. The cybersecurity company said it observed malicious activity starting the week of March 9, 2026, in customer environments that's consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. It's currently not known what the end goals of the attack are. CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. Successful exploitation of the flaw could facilitate the complete takeover of administrative accounts. The issue was patched by Quest in May 2025. In the malicious activity detected by Arctic Wolf, threat actors are believed to have weaponized the vulnerability to seize control of administrative accounts and execute remote commands to drop Base64-encoded payloads from an external server (216.126.225[.]156) via the curl command. The unknown attackers then proceeded to create additional administrative accounts via "runkbot.exe," a background process associated with the SMA Agent that's used to run scripts and manage installations. Also detected were Windows Registry modifications via a PowerShell script for possible persistence or system configuration changes. Other actions undertaken by the threat actors are listed below - Conducting credential harvesting using Mimikatz. Performing discovery and reconnaissance by enumerating logged-in users and administrator accounts, and running "net time" and "net group" commands. Obtaining remote desktop protocol (RDP) access to backup infrastructure (Veeam, Veritas) and domain controllers. To counter the threat, administrators are advised to apply the latest updates and avoid exposing SMA instances to the internet. The issue has been addressed in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, endpoint security, Malware, network security, remote code execution, Threat Intelligence, Vulnerability, windows security ⚡ Top Stories This Week ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm Malicious npm Package Stole Files From Claude AI User Directory via GitHub PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Load More ▼ ⭐ Featured Resources Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed) Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 07, 2026
    Archived
    Jun 07, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗