
A critical security flaw in Quest’s KACE Systems Management Appliance (SMA) is suspected to have been exploited in real-world attacks, raising concerns for organizations relying on the platform for endpoint management. The vulnerability, tracked as CVE-2025-32975, is an authentication bypass issue that allows attackers to gain access without valid credentials.
KACE SMA is widely used by enterprises for managing IT infrastructure, including software deployment, asset tracking, patch management, and system monitoring. Due to its central role in controlling endpoints, successful exploitation of this vulnerability could enable threat actors to take full administrative control of affected systems.
According to cybersecurity firm Arctic Wolf, suspicious activity linked to this flaw has been observed in customer environments, suggesting that attackers may already be leveraging it to gain initial access. In the incidents analyzed, threat actors were able to exploit the vulnerability to impersonate legitimate users and escalate privileges, eventually achieving administrative control over the appliance.
The attacks appear to have started in early March 2026 and have impacted organizations across different regions, with some cases identified in the education sector. However, researchers noted that the attacks may be opportunistic in nature, primarily targeting internet-exposed and unpatched systems rather than a specific industry.
Quest patched the vulnerability in May 2025, alongside several related flaws. Systems that remain unpatched are still at high risk, because the flaw can be exploited remotely without authentication and requires minimal effort from attackers.
Security experts are urging organizations to immediately apply available updates, restrict external access to management interfaces, and monitor systems for any unusual activity. The incident highlights the importance of timely patch management and of securing internet-facing infrastructure to prevent unauthorized access and potential large-scale compromise.




