Quest KACE SMA flaw CVE-2025-32975: when one unpatched tool opens the door to 60 organizations

CVE-2025-32975 is a critical flaw in Quest KACE SMA used for endpoint management. If exploited, it could impact all managed systems across organizations.

Quest KACE SMA is an on-premises endpoint management platform for software deployment, patching, and device control. Its central role makes it a high-value target, as compromise can expose all managed endpoints.

“CVE-2025-32975 is a critical authentication bypass vulnerability in KACE SMA’s SSO authentication handling mechanism with a CVSS score of 10.0,” reads the report published by Hunt.io. “The flaw allows an unauthenticated, network-reachable attacker to impersonate legitimate users, including administrators, without supplying any credentials.”

There is a particular kind of dread that comes with reading an incident report where you realize the attacker did not need to be clever. They just needed to be patient — and wait for someone to forget to patch.

That is essentially the story behind CVE-2025-32975, a critical vulnerability in Quest KACE Systems Management Appliance (SMA), a tool used by IT teams across thousands of organizations to manage software, push patches, and control endpoints from a single console. It is precisely the kind of tool that, when compromised, does not just affect the company running it. It affects every organization whose devices that console manages.

The vulnerability itself is as bad as it gets on paper: a CVSS score of 10.0, which is the maximum possible. Quest published a fix in May 2025. Ten months later, attackers were actively exploiting instances that had never been updated.

What made this case unusually revealing was not just the breach itself, but a mistake the attacker made afterward. After compromising a managed services provider called HIQ, which handled IT for dozens of organizations across the Boston area, the attacker staged their entire toolkit in an open directory on a plain HTTP server, with no authentication in front of it. Hunt.io’s scanning infrastructure found it three days into the operation, sitting in full public view where anyone could browse it.

“The 308 MB toolkit covers the full intrusion lifecycle across 219 files, including reverse shells, a bidirectional C2 file server, account creation, an SMB credential sprayer, WMI reconnaissance, and a custom TCP-multiplexed SOCKS5 tunnel for persistent, covert network access.” continues the report.

This was not the work of a casual opportunist. The toolkit was organized, functional, and covered every phase of a professional intrusion — from the first shell access all the way to maintaining a persistent, hidden channel through the victim’s network.

What was extracted next makes for uncomfortable reading. The attacker pulled a 512 MB database dump from the KACE appliance, which turned out to contain the complete operational picture of HIQ’s IT business: staff accounts, client lists, and helpdesk tickets describing work done at police departments, schools, healthcare organizations, and local government agencies.

“The exfiltrated MariaDB dump reveals the appliance-managed endpoints for over 60 named client organizations spanning law enforcement, government, healthcare, education, and the private sector.” states Hunt.io.

None of those 60-plus organizations ran KACE themselves. They were clients of the MSP that did. This is the supply chain risk that keeps security teams awake: you can do everything right within your own walls and still end up in someone’s database dump because a vendor you trusted was running unpatched software.

There are also traces in the toolkit pointing to at least two other victims beyond HIQ. A reconnaissance script contained hardcoded credentials for an Indonesian insurance company, suggesting those had already been harvested from a separate, earlier compromise and were being reused for further lateral movement.

The attacker also used Tor Browser and an encrypted messenger for anonymity, and metadata inside two Windows shortcut (.lnk) files placed them on a VPS running Windows Server 2019 with an auto-generated hostname, the kind of rented machine you spin up for an operation and discard.
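Shortcut files leak that kind of detail through the TrackerDataBlock defined in the public MS-SHLLINK format: it records the NetBIOS name of the machine that created the link and a version-1 GUID whose node field is a NIC MAC address. The parser below is an added example, not code from Hunt.io or from the toolkit; the shortcut it parses is constructed inside the script with a made-up hostname and MAC, not one of the two files recovered from the intrusion. It also flags the two things a forensic analyst should check before trusting the result: whether the MAC has its multicast bit set (then it is a random node, not a real interface) and when the object ID was minted.

```python
import struct
import uuid
from datetime import datetime, timezone
from typing import Optional

# MS-SHLLINK constants (public spec values).
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIGNATURE = 0xA0000003
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Args, IconLocation
UUID_EPOCH_OFFSET = 0x01B21DD213814000  # 100 ns ticks from 1582-10-15 to 1970-01-01


def _node_to_mac(u: uuid.UUID) -> str:
    return ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))


def _v1_time(u: uuid.UUID) -> Optional[datetime]:
    """Creation time embedded in a version-1 GUID; None for other versions."""
    if u.version != 1:
        return None
    return datetime.fromtimestamp((u.time - UUID_EPOCH_OFFSET) / 10_000_000, tz=timezone.utc)


def parse_tracker(data: bytes) -> Optional[dict]:
    """Walk a .lnk file to its ExtraData and return the TrackerDataBlock fields.

    Returns None when the shortcut has no tracker block; raises ValueError
    when the header is not a shell link at all.
    """
    if len(data) < 0x4C:
        raise ValueError("too short to be a shell link")
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Windows shell link")
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: u16 size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_width = 2 if flags & IS_UNICODE else 1   # StringData: u16 char count, then chars
    for flag in STRING_FLAGS:
        if flags & flag:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_width
    while pos + 4 <= len(data):                   # ExtraData: (size, signature, body) blocks
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):    # TerminalBlock (size < 4) or truncated file
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == TRACKER_SIGNATURE:
            # Layout: size(4) sig(4) length(4) version(4) MachineID(16) Droid(32) DroidBirth(32)
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            droid_obj = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            birth_obj = uuid.UUID(bytes_le=data[pos + 80:pos + 96])
            return {
                "machine_id": machine,                         # NetBIOS name, max 15 chars
                "mac": _node_to_mac(droid_obj),
                "mac_is_random": bool((droid_obj.node >> 40) & 1),  # multicast bit => not a real NIC
                "created_utc": _v1_time(birth_obj),
            }
        pos += size
    return None


def build_sample_lnk(machine_id: bytes, mac: bytes) -> bytes:
    """Constructed minimal shortcut: bare header, one TrackerDataBlock, TerminalBlock.
    Not a real captured file; only used to exercise parse_tracker()."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le,
                         0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = uuid.uuid4()
    obj = uuid.uuid1(node=int.from_bytes(mac, "big"))   # v1 GUID carries the MAC in its node field
    droid = volume.bytes_le + obj.bytes_le
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIGNATURE, 0x58, 0,
                          machine_id.ljust(16, b"\0")) + droid + droid
    return header + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    # Made-up hostname in the auto-generated "win-..." style and a made-up MAC.
    sample = build_sample_lnk(b"win-k5j2p9h3v1a", bytes.fromhex("00155d0a0b0c"))
    print(parse_tracker(sample))
```

On a real file, feed `parse_tracker(open(path, "rb").read())`. A hostname alone rarely identifies an operator, but a MAC with a vendor prefix, a GUID creation time, and a hostname in the default naming pattern together are the kind of pivot that puts a shortcut on a specific rented box.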

“Hunt.io’s scan data shows more than 12,000 K1000 appliances currently internet-facing and disclosing version strings that predate the patch, across standard and non-standard ports.”

Twelve thousand. And moving the appliance to a non-standard port, it turns out, does nothing to hide it from internet-wide scanning: the version string is disclosed whichever port answers.
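The same check works from the defender's side. The script below is an added example, not Hunt.io's scanner or anything from Quest: it pulls a dotted build number out of an appliance's HTTP response on every port you list and compares it numerically against the first fixed build of its release branch. Two things are assumptions you must replace before relying on it: the regex guesses the shape of the disclosed version string (the report confirms it is disclosed, not how it is marked up), and the values in FIXED_BY_BRANCH are placeholders to be filled from Quest's May 2025 advisory for CVE-2025-32975. The sample responses are constructed, not captured.

```python
import re
import ssl
import urllib.request
from typing import Dict, Optional, Tuple

# Assumption: the appliance leaks a dotted x.y.z build number somewhere in the
# response body. Adjust the pattern to what your own appliance actually returns.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# PLACEHOLDERS, keyed by major.minor branch. Replace with the first fixed build
# of each branch from Quest's advisory for CVE-2025-32975; these are not real.
FIXED_BY_BRANCH: Dict[str, str] = {
    "13.2": "13.2.200",
    "14.0": "14.0.100",
    "14.1": "14.1.100",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple, so '13.10.1' sorts after '13.2.183' (a string compare gets this wrong)."""
    return tuple(int(p) for p in v.split("."))


def extract_version(body: str) -> Optional[str]:
    """First x.y.z string in the response body, or None if nothing is disclosed."""
    m = VERSION_RE.search(body)
    return m.group(0) if m else None


def predates_fix(observed: str, fixed_by_branch: Dict[str, str] = FIXED_BY_BRANCH) -> Optional[bool]:
    """True: older than the fixed build on its branch. False: at or after it.
    None: branch not in the table, which must be reviewed by hand, never treated as safe."""
    parts = parse_version(observed)
    fixed = fixed_by_branch.get(f"{parts[0]}.{parts[1]}")
    return None if fixed is None else parts < parse_version(fixed)


def triage(responses: Dict[int, str],
           fixed_by_branch: Dict[str, str] = FIXED_BY_BRANCH) -> Dict[int, Tuple[Optional[str], Optional[bool]]]:
    """port -> (version string or None, predates_fix verdict). A listener on 8443
    or 10443 is judged exactly like one on 443."""
    out = {}
    for port, body in responses.items():
        ver = extract_version(body)
        out[port] = (ver, predates_fix(ver, fixed_by_branch) if ver else None)
    return out


def fetch_body(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the front page over HTTPS, accepting the self-signed certificate an
    on-prem appliance usually presents. Point this only at hosts you own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}:{port}/", timeout=timeout, context=ctx) as r:
        return r.read().decode("utf-8", "replace")


def scan(host: str, ports=(443, 8443, 10443)) -> Dict[int, Tuple[Optional[str], Optional[bool]]]:
    """Live variant of triage(): ports that refuse the connection are skipped."""
    bodies = {}
    for port in ports:
        try:
            bodies[port] = fetch_body(host, port)
        except OSError:
            continue
    return triage(bodies)


# Constructed sample responses, one per port, not captured from a real appliance.
SAMPLE_RESPONSES = {
    443: "<title>KACE Systems Management Appliance</title><!-- build 13.2.150 -->",
    8443: "<span id='version'>14.1.120</span>",
    10443: "<title>Login</title>",   # nothing disclosed
    9443: "Version 12.1.9",          # branch missing from the table
}

if __name__ == "__main__":
    for port, (ver, verdict) in sorted(triage(SAMPLE_RESPONSES).items()):
        label = {True: "PRE-PATCH", False: "patched", None: "unknown"}[verdict]
        print(f"port {port:>5}: version={ver!s:<10} {label}")
```

The branch lookup matters because a fixed build exists per release line; comparing a 14.1 appliance against a 13.2 fixed build would produce a false "patched" verdict. Anything that comes back as unknown, whether because no version was disclosed or the branch is not in your table, goes on the manual review list rather than being filed as safe.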

The lesson here is not complicated. A maximum-severity authentication bypass, left unpatched for ten months on an internet-exposed management platform, led to the exposure of over sixty downstream organizations — law enforcement, hospitals, schools — none of whom ever touched the vulnerable software. The attacker’s toolkit was sophisticated. The initial access was not. It was a login screen with no lock on it, waiting for someone to walk through.

If your organization uses KACE SMA, the patch has existed since May 2025. The question is simply whether you have applied it.

The researchers also published Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, Quest KACE SMA)
