CVE-2025-32975: How a Single Unpatched Quest KACE SMA Instance Affected 60 Organizations

CVE-2025-32975 represents a severe security vulnerability in Quest KACE Systems Management Appliance (SMA), an on-premises platform widely used for endpoint management tasks such as software deployment, patching, and device administration. Due to its central role in IT environments, a successful compromise of this system can have cascading effects across all endpoints it manages, putting entire organizations at risk.

At its core, the flaw is an authentication bypass vulnerability tied to how KACE SMA processes single sign-on (SSO) authentication. With a maximum CVSS score of 10.0, it allows a remote, unauthenticated attacker to impersonate legitimate users, including administrators, without needing valid credentials. According to findings from Hunt.io, this means attackers can gain full access simply by interacting with the exposed system over a network.

What makes this vulnerability particularly concerning is not just its technical severity, but how easily it can be exploited if left unpatched. The issue highlights a familiar and troubling pattern in cybersecurity: attackers often succeed not through advanced techniques, but by exploiting neglected updates.

Quest released a patch for this vulnerability in May 2025. However, nearly ten months later, numerous systems remained unpatched and easily exploitable. Attackers actively targeted these outdated instances, demonstrating how delayed patching can transform known vulnerabilities into large-scale incidents.

The risk became especially evident in a real-world breach involving a managed services provider (MSP) called HIQ. This provider supported dozens of organizations, meaning that compromising a single KACE SMA instance effectively opened doors to multiple downstream environments. Instead of targeting each organization individually, the attacker leveraged the shared management platform to gain broad access.

In an unusual twist, the attacker inadvertently exposed their own activity. They uploaded a full toolkit to a publicly accessible server without password protection. Hunt.io identified this server within days, revealing the attacker’s tools sitting on a plain HTTP directory, accessible to anyone who discovered it.

The toolkit itself was far from rudimentary. Spanning over 300 MB and consisting of more than 200 files, it covered the entire attack lifecycle. It included reverse shell utilities for initial access, a command-and-control (C2) infrastructure for communication, tools for account creation, credential spraying mechanisms targeting SMB services, Windows Management Instrumentation (WMI) based reconnaissance scripts, and a custom SOCKS5 tunneling solution designed to maintain stealthy, persistent access.

The level of organization and completeness of the toolkit suggested a highly capable and methodical operator rather than a casual attacker.

Following the breach, the attacker extracted a significant data set from the compromised KACE appliance, including a database dump of approximately 512 MB. This data provided a comprehensive view of the MSP’s operations: employee accounts, customer details, support tickets, and records of work performed for various sectors, including law enforcement, healthcare providers, educational institutions, and government bodies.

Importantly, the affected organizations were not direct users of KACE SMA. Instead, they were clients of the MSP that relied on the platform, illustrating a classic supply chain risk scenario. Even organizations with strong internal security controls can become victims if a trusted vendor fails to secure critical infrastructure.

Further analysis of the attacker’s tools revealed evidence of additional victims. A reconnaissance script contained embedded credentials linked to an insurance company in Indonesia, suggesting the attacker had already conducted previous compromises and reused stolen data to expand access into other networks.

The attacker also took steps to conceal their identity, leveraging tools such as the Tor Browser and encrypted messaging services. Metadata analysis pointed to the use of a rented virtual private server (VPS) running Windows Server 2019, likely provisioned temporarily for the operation and discarded afterward.

Despite these operational precautions, a broader issue remains: exposure is widespread. Hunt.io identified more than 12,000 internet-facing KACE SMA appliances still running vulnerable versions at the time of analysis. Many of these systems were accessible over both standard and non-standard ports, reinforcing the reality that obscurity does not provide security.

Ultimately, the lesson from CVE-2025-32975 is straightforward but critical. A high-impact vulnerability with a readily available patch remained unaddressed for months, enabling attackers to exploit a central management system and indirectly compromise over 60 associated organizations. These included sensitive sectors such as law enforcement, healthcare, and government entities that were impacted not because of their own security gaps, but because of weaknesses within a trusted service provider.

While the attacker’s toolkit demonstrated sophistication, the initial entry point required none. It was simply an exposed system lacking proper updates, effectively an unlocked door on the internet.

For organizations using Quest KACE SMA, the mitigation path is clear. A patch has been available since May 2025. The pressing question is whether it has been applied.

To support defenders, researchers have also released indicators of compromise (IoCs) to help detect potential exploitation and ongoing threats.