Quest KACE SMA SSO Authentication Bypass (CVE-2025-32975)
Severity Assessment
- Exploitability: 10/10
- Impact: 10/10
- Weaponization Risk: 9.5/10
- Patch Urgency: 10/10
- Detection Coverage: 4/10
Summary
CVE-2025-32975 is a CVSS 10.0 authentication bypass in the Single Sign-On (SSO) authentication mechanism of Quest KACE Systems Management Appliance (SMA). The vulnerability allows a remote, unauthenticated attacker to bypass authentication on the management interface and gain full administrative control over the appliance. KACE SMA is an endpoint management platform used by enterprises to manage and deploy software, patches, and configurations across fleets of endpoints — making full administrative control a direct path to wide-impact compromise of managed systems.
Quest released patches in May 2025 across multiple supported versions. Despite patch availability, CISA added CVE-2025-32975 to the Known Exploited Vulnerabilities catalog on April 20, 2026, with a required action deadline of May 4, 2026, confirming active exploitation against unpatched, internet-exposed appliances.
Exploit Chain
The authentication bypass targets the SSO authentication endpoint of the KACE SMA web interface:
- The attacker identifies an internet-exposed KACE SMA management interface (typically reachable on port 443).
- A crafted HTTP request is sent to the SSO authentication endpoint with a valid username but without valid credentials. The appliance’s improper authentication logic fails to enforce credential validation for SSO-initiated sessions.
- The appliance grants a fully authenticated administrative session for the specified username without verifying the supplied credentials.
- The attacker now holds administrative access to the KACE SMA console. From this position, the attacker can execute commands across all managed endpoints, deploy software, create user accounts, or exfiltrate configuration data.
No authentication credentials, pre-existing foothold, or user interaction are required. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) correctly captures the unauthenticated, network-exploitable, and scope-changing nature of the vulnerability.
Detection Guidance
- Apply Quest patches immediately: KACE SMA 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4).
- Audit all active administrator accounts in the KACE SMA console; remove any accounts not recognized by the operations team.
- Restrict management interface access to internal networks or VPN; remove public internet exposure of port 443 on KACE SMA appliances.
- Review KACE SMA job and scripting logs for commands executed against managed endpoints in the March–April 2026 window.
- Alert on SSO authentication events where session grants do not follow normal credential-challenge sequences in web access logs.
- Monitor for newly created administrator accounts in KACE SMA audit logs, particularly accounts created outside of change management windows.
Indicators of Compromise
Behavioral and artifact indicators consistent with CVE-2025-32975 exploitation include:
- Anomalous SSO-initiated administrative sessions originating from IP addresses outside expected management subnets.
- Unauthorized administrator accounts created in the KACE SMA console.
- KACE-initiated scripted command execution targeting large numbers of managed endpoints in short succession.
- Unusual outbound connections from managed endpoints to external infrastructure following KACE SMA access events.
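The detection items above (SSO session grants that skip the normal credential challenge, and SSO-initiated administrative sessions from outside the management subnets) can be checked together over web access logs. The following script is an added example written for this page, not code from the advisory or from Quest. Everything in it is an assumption constructed for illustration: the log layout, the /login/challenge and /sso/login paths, the rule that a 302 on the SSO path means a session was granted, and the management subnet list. Map those to the real KACE SMA log fields and endpoint paths before using it.

```python
"""Added detection example (not from the advisory or from Quest).

Flags SSO-initiated session grants in a web access log that (a) were not
preceded by a successful credential challenge for the same user/IP within a
short window, or (b) originate outside the expected management subnets.

Assumptions, all constructed for this example and not KACE SMA's real format
or endpoints: the log layout, the /login/challenge and /sso/login paths, and
the rule that a 302 on /sso/login means a session was granted.
"""
import ipaddress
import re
from datetime import datetime, timedelta

CHALLENGE_PATH = "/login/challenge"  # placeholder: credential-challenge endpoint
SSO_GRANT_PATH = "/sso/login"        # placeholder: SSO endpoint; 302 == session granted
CHALLENGE_WINDOW = timedelta(minutes=2)

# Management subnets from which admin logins are expected (constructed values).
MGMT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("192.168.50.0/24")]

# Constructed access-log layout: <ip> <user> [<timestamp>] "<method> <path>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. Only alice's SSO grant follows a successful challenge;
# carol's challenge failed (401), so her grant is flagged as well.
SAMPLE_LOG = """\
10.10.3.7 alice [09/Mar/2026:09:14:02 +0000] "POST /login/challenge" 200
10.10.3.7 alice [09/Mar/2026:09:14:05 +0000] "POST /sso/login" 302
203.0.113.45 admin [09/Mar/2026:11:02:51 +0000] "POST /sso/login" 302
10.10.3.9 bob [09/Mar/2026:11:40:12 +0000] "POST /sso/login" 302
10.10.3.7 alice [09/Mar/2026:13:00:00 +0000] "GET /dashboard" 200
10.10.3.9 carol [09/Mar/2026:13:05:00 +0000] "POST /login/challenge" 401
10.10.3.9 carol [09/Mar/2026:13:05:10 +0000] "POST /sso/login" 302
this line is malformed and is skipped
"""


def in_mgmt_subnet(ip_str, subnets=MGMT_SUBNETS):
    """True if the address lies inside one of the expected management subnets."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in subnets)


def find_suspicious_sso_grants(log_text, subnets=MGMT_SUBNETS, window=CHALLENGE_WINDOW):
    """Return one finding per SSO session grant that lacks a recent successful
    challenge for the same (user, ip) or that comes from outside the management
    subnets. Lines that do not match the constructed layout are ignored."""
    last_challenge = {}  # (user, ip) -> timestamp of last successful challenge
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["user"], m["ip"])
        # Only a successful (200) challenge counts as a credential check.
        if m["path"] == CHALLENGE_PATH and m["status"] == "200":
            last_challenge[key] = ts
            continue
        if m["path"] != SSO_GRANT_PATH or m["status"] != "302":
            continue
        reasons = []
        prior = last_challenge.get(key)
        if prior is None or ts - prior > window:
            reasons.append("no_prior_challenge")
        if not in_mgmt_subnet(m["ip"], subnets):
            reasons.append("outside_mgmt_subnet")
        if reasons:
            findings.append({"user": m["user"], "ip": m["ip"],
                             "ts": m["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sso_grants(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} ip={f['ip']} "
              f"reasons={','.join(f['reasons'])}")
```

Run against the constructed sample, the script flags the `admin` grant from 203.0.113.45 on both counts, and the `bob` and `carol` grants for lacking a successful challenge. Correlating on (user, ip) rather than on user alone keeps a legitimate challenge from one address from masking a challenge-less grant for the same account from another.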
Disclosure Timeline
2025-05-01 — Vendor patch and advisory published
Quest published a security advisory and released patches for CVE-2025-32975 across KACE SMA versions 13.0, 13.1, 13.2, 14.0, and 14.1. The advisory also addressed three related vulnerabilities (CVE-2025-32976, CVE-2025-32977, CVE-2025-32978) in the same appliance.
2025-06-01 — Full technical disclosure published
Full technical details of the SSO authentication bypass were published to SecLists Full Disclosure, enabling broader reproduction of the exploit by researchers and threat actors.
2026-03-09 — Active exploitation observed
Active exploitation of internet-exposed, unpatched KACE SMA appliances was observed beginning approximately the week of March 9, 2026, as reported by SecurityWeek.
2026-04-20 — CISA KEV listing
CISA added CVE-2025-32975 to the Known Exploited Vulnerabilities catalog, confirming active exploitation and setting a required remediation deadline of May 4, 2026 for U.S. federal civilian executive branch agencies.
Sources & References
- Quest: Response to KACE SMA Vulnerabilities CVE-2025-32975 through CVE-2025-32978 — Quest, 2025-05-01
- National Vulnerability Database: CVE-2025-32975 — National Vulnerability Database, 2025-05-01
- CISA: Known Exploited Vulnerabilities Catalog — CVE-2025-32975 — CISA, 2026-04-20
- SecurityWeek: Critical Quest KACE Vulnerability Potentially Exploited in Attacks — SecurityWeek, 2026-03-15