Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems

Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems Ravie LakshmananMar 23, 2026Vulnerability / Endpoint Security Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf. The cybersecurity company said it observed malicious activity starting the week of March 9, 2026, in customer environments that's consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. It's currently not known what the end goals of the attack are. CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. Successful exploitation of the flaw could facilitate the complete takeover of administrative accounts. The issue was patched by Quest in May 2025. In the malicious activity detected by Arctic Wolf, threat actors are believed to have weaponized the vulnerability to seize control of administrative accounts and execute remote commands to drop Base64-encoded payloads from an external server (216.126.225[.]156) via the curl command. The unknown attackers then proceeded to create additional administrative accounts via "runkbot.exe," a background process associated with the SMA Agent that's used to run scripts and manage installations. Also detected were Windows Registry modifications via a PowerShell script for possible persistence or system configuration changes. Other actions undertaken by the threat actors are listed below - Conducting credential harvesting using Mimikatz. Performing discovery and reconnaissance by enumerating logged-in users and administrator accounts, and running "net time" and "net group" commands. Obtaining remote desktop protocol (RDP) access to backup infrastructure (Veeam, Veritas) and domain controllers. To counter the threat, administrators are advised to apply the latest updates and avoid exposing SMA instances to the internet. The issue has been addressed in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, endpoint security, Malware, network security, remote code execution, Threat Intelligence, Vulnerability, windows security Trending News Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Load More ▼ Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Fix Security Noise by Focusing Only on Validated Exposures Get the 2026 ASV Report to Benchmark Top Validation Tools