Executive Summary
CVE-2025-32975 is a CVSS 10.0 authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA) that allows unauthenticated remote attackers to completely impersonate any valid user — including administrators — through a flaw in the SSO authentication mechanism. Active exploitation was observed starting the week of March 9, 2026, with threat actors harvesting credentials via Mimikatz, establishing C2 channels, and pivoting to backup infrastructure and domain controllers. Organizations running unpatched KACE SMA instances exposed to the internet must treat this as an emergency — patch immediately or isolate the appliance behind a VPN/firewall.
1. What Is This Vulnerability?
Quest KACE SMA is a widely deployed IT endpoint management platform used by enterprises for software distribution, patch management, inventory, and help desk functions. Because it holds privileged access to thousands of endpoints across an organization's network, it represents a high-value target for attackers.
CVE-2025-32975 stems from a flaw in how KACE SMA validates Single Sign-On (SSO) authentication requests. It is classified under CWE-287 (Improper Authentication): the application fails to properly verify that an SSO assertion or token genuinely comes from the configured identity provider (IdP). By submitting a specially formed SSO request that bypasses the verification step, an attacker can authenticate as any known username without holding that user's credentials.
The result: complete unauthenticated access to the KACE SMA admin console.
Attack Vector
The attack requires only network access to the KACE SMA appliance — no credentials, no privileges, no user interaction needed. An attacker:
- Identifies an internet-facing or network-accessible KACE SMA appliance.
- Crafts a malicious HTTP request targeting the SSO authentication endpoint.
- The appliance fails to verify the authenticity of the SSO assertion and accepts the request.
- The attacker receives a fully authenticated administrative session.
Because KACE SMA is often used with elevated network-level trust (it manages patches and software across all endpoints), the blast radius once compromised is enormous.
Real-World Impact
Active exploitation was confirmed by Arctic Wolf beginning March 9, 2026. Observed attacker behavior in compromised environments included:
- Abuse of KACE's native `KPluginRunProcess` and `runkbot.exe` functionality to execute arbitrary remote commands under the KACE service context.
- Delivery of Base64-encoded payloads fetched via curl from the C2 IP 216[.]126[.]225[.]156.
- Credential harvesting using Mimikatz, often renamed `asd.exe` to evade detection.
- Execution of malicious scripts (`Enable-UpdateServices.ps1`, `taskband.ps1`) via PowerShell, accompanied by registry modifications.
- Creation of rogue administrative accounts added to privileged groups.
- Lateral movement via RDP into backup infrastructure (Veeam, Veritas) and domain controllers.
This is not theoretical — systems are actively being compromised and used as launchpads for domain-wide attacks.
2. Who Is Affected?
Affected Products and Versions:
| Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| KACE SMA 13.0.x | All versions before 13.0.385 | 13.0.385 |
| KACE SMA 13.1.x | All versions before 13.1.81 | 13.1.81 |
| KACE SMA 13.2.x | All versions before 13.2.183 | 13.2.183 |
| KACE SMA 14.0.x | All versions before 14.0.341 (Patch 5) | 14.0.341 (Patch 5) |
| KACE SMA 14.1.x | All versions before 14.1.101 (Patch 4) | 14.1.101 (Patch 4) |
At greatest risk: Organizations running KACE SMA with the management interface exposed directly to the internet or with SSO enabled. Environments where KACE SMA holds domain admin-equivalent access are at extreme risk of full domain compromise post-exploitation.
CISA has added CVE-2025-32975 to its Known Exploited Vulnerabilities (KEV) Catalog, and federal agencies face mandatory remediation deadlines of April 23 and May 4, 2026.
3. How to Detect It (Testing)
Manual Testing Steps
Step 1 — Determine KACE SMA exposure: Check if the appliance's admin portal (typically port 443 or port 80) is reachable from the internet or untrusted networks. Run an external port scan or use Shodan/Censys to search for your appliance's public IP.
Step 2 — Check current version: Log into the KACE SMA admin console → navigate to Settings → Appliance Settings → Appliance Details. Note the firmware/build version and compare against the fixed versions table above.
Step 3 — Review audit logs for signs of compromise: In the KACE SMA admin console, navigate to Reporting → Audit Log. Look for:
- Administrative login events from unknown or unexpected IP addresses.
- SSO authentication events that have no corresponding activity in your identity provider logs.
- Account creation events you did not initiate.
- Script or command execution events (especially Base64-encoded content).
Step 4 — Check for rogue admin accounts: Navigate to Settings → Users and Groups → Administrators and verify all listed admin accounts are expected and authorized.
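The build comparison in Step 2, as an added example rather than Quest tooling: it parses the version string shown under Appliance Details and compares it against the fixed builds in the Section 2 table, reporting a branch the table does not cover as unknown instead of silently treating it as safe. The inventory is constructed sample data, and the handling of a trailing "(Patch N)" suffix is an assumption about how the build is displayed.

```python
"""Compare Quest KACE SMA build strings against the fixed builds in the advisory table.
Added example, not Quest tooling; the inventory below is constructed."""
import re

# Branch -> first fixed build, transcribed from the Affected Products table.
FIXED_BUILDS = {
    "13.0": (13, 0, 385),
    "13.1": (13, 1, 81),
    "13.2": (13, 2, 183),
    "14.0": (14, 0, 341),   # displayed by Quest as "14.0.341 (Patch 5)"
    "14.1": (14, 1, 101),   # displayed as "14.1.101 (Patch 4)"
}

# Leading major.minor.build; anything after it (e.g. " (Patch 5)") is ignored (assumption).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_build(version: str) -> tuple:
    """'14.0.341 (Patch 5)' -> (14, 0, 341). Raises ValueError on junk input."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised KACE SMA version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one appliance build."""
    major, minor, build = parse_build(version)
    fixed = FIXED_BUILDS.get(f"{major}.{minor}")
    if fixed is None:
        # Branch not in the table (older or newer): do not assume safe, check the vendor advisory.
        return "unknown-branch"
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


def report(inventory: dict) -> dict:
    """Map hostname -> status for an inventory of {hostname: version string}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "kace-hq.example.internal": "14.0.339",
    "kace-dc2.example.internal": "14.1.101 (Patch 4)",
    "kace-lab.example.internal": "13.2.182",
    "kace-old.example.internal": "12.1.169",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```

Feed it the version strings from your own appliance exports; an "unknown-branch" result means the table above has nothing to say about that build and the vendor advisory must be consulted directly.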
Automated Scanning
Nessus / Tenable:
- Tenable Plugin ID: search for `Quest KACE SMA` in Tenable's vulnerability database for the relevant unauthenticated check.
- Run authenticated scans pointing at your KACE SMA appliance to confirm the build version.
Nuclei (ProjectDiscovery): If a community template exists for CVE-2025-32975, run:
nuclei -u https://your-kace-sma-host -t cves/2025/CVE-2025-32975.yaml
Shodan/Censys (exposure check):
Search for Quest KACE or the appliance's hostname/IP to confirm external exposure:
shodan search "Quest KACE SMA" country:US
Network-level detection — SIEM/IDS rules: Watch for anomalous HTTP POST requests to SSO-related endpoints on the KACE SMA host from external IPs.
Code Review Checklist (for KACE SMA integrators)
- Confirm SSO is configured to validate IdP-signed assertions cryptographically, not just by token presence. Treat this as a secondary control: the bypass lives in the appliance's own validation code, so only the vendor patch removes it.
- Verify the KACE SMA appliance's IdP metadata is current and points to your legitimate provider.
- Ensure no custom scripts or API integrations bypass the authentication layer.
- Audit all administrative accounts — remove any not explicitly provisioned by your team.
4. How to Fix It (Mitigation)
Step-by-Step Remediation
1. Identify your current KACE SMA version. Log in to the admin console → Settings → Appliance Settings → Appliance Details. Note the exact build number.
2. Download the appropriate patch. Visit the Quest KACE support portal and download the security hotfix or updated build for your branch:
- 13.0 → Update to 13.0.385
- 13.1 → Update to 13.1.81
- 13.2 → Update to 13.2.183
- 14.0 → Apply Patch 5 (14.0.341)
- 14.1 → Apply Patch 4 (14.1.101)
3. Apply the patch during a maintenance window. Follow Quest's standard upgrade procedure. Back up the appliance configuration before patching.
⚠️ Critical caveat for 13.x branches: on 13.x the fix ships as a hotfix layered on top of the branch build, and a later full version upgrade replaces that build without carrying the hotfix forward. For example, if you upgrade from 13.1.79 → 13.2.182, you must then apply the 13.2.183 security fix; until you do, the appliance is vulnerable again. Re-check the build number after every upgrade.
4. Restrict network access immediately (if patching cannot happen now). If an emergency maintenance window is not possible, put the KACE SMA admin interface behind a VPN or firewall and block access from the internet and other untrusted networks to ports 80 and 443 on the appliance as an interim mitigation. Managed endpoint agents report in over the same ports, so scope the block to untrusted sources rather than all traffic.
5. Rotate all credentials stored in or managed by KACE SMA. Assume that if your appliance was internet-exposed and running a vulnerable version, credentials have been harvested. Rotate:
- KACE SMA admin account passwords
- Service accounts used by KACE for endpoint management
- Any credentials stored in KACE's script repositories or distributions
6. Audit and purge rogue admin accounts. Review all administrative accounts and revoke any that cannot be tied to a legitimate provisioning event.
Configuration Hardening
- Disable SSO entirely if it is not actively used.
- Enforce MFA on all administrative accounts (where supported by your IdP).
- Restrict KACE SMA admin console access to management VLANs only via firewall ACL.
- Enable KACE SMA audit logging and forward logs to your SIEM in real time.
- Block outbound connections from the KACE SMA appliance to unexpected external IPs (especially 216[.]126[.]225[.]156).
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A — Patch version verification: After patching, confirm the build number in Settings → Appliance Details matches the fixed version for your branch.
- Scenario B — SSO bypass attempt: Using a crafted SSO request (without valid IdP credentials), attempt to authenticate. A patched system should return an authentication failure, not an administrative session.
- Scenario C — Legitimate SSO login: Confirm that authorized users can still log in via SSO using valid IdP credentials after the patch is applied.
- Scenario D — Admin account audit: Verify no unexpected administrative accounts were created prior to or during patching.
Security Test Cases
Test Case 1: Verify vulnerability no longer exists
- Precondition: Apply the security patch.
- Steps: Craft an SSO bypass request targeting the authentication endpoint (reproduce the published PoC in a lab environment, not production).
- Expected Result: The appliance rejects the request with an authentication error (HTTP 401/403). No session token is returned.
Test Case 2: Audit log integrity
- Precondition: Patch applied, audit logging enabled.
- Steps: Perform a normal SSO login with valid credentials.
- Expected Result: Login event is recorded in the audit log with correct username and source IP. Cross-reference against IdP logs to confirm they match.
Test Case 3: Network access restriction
- Precondition: Firewall ACL applied to restrict admin console access.
- Steps: Attempt to reach the KACE SMA admin console from an external, untrusted IP.
- Expected Result: Connection is blocked at the network layer; the admin portal is unreachable.
Automated Tests
Run a Nessus, Qualys or OpenVAS/GVM scan post-patch targeting the KACE SMA host and verify CVE-2025-32975 is no longer flagged. With the legacy OpenVAS `omp` CLI this takes two calls, because a task references a target by id rather than listing hosts inline; the config id is the stock "Full and fast" scan config, and TARGET_ID stands for the id returned by the first call (adjust host and credentials):
# 1. Create the target; note the id in the <create_target_response>
omp -u admin -w password --xml "<create_target>
<name>KACE SMA</name><hosts>192.168.1.50</hosts>
</create_target>"
# 2. Create the task against that target id
omp -u admin -w password --xml "<create_task>
<name>KACE SMA Post-Patch Validation</name>
<target id='TARGET_ID'/>
<config id='daba56c8-73ec-11df-a475-002264764cea'/>
</create_task>"
6. Prevention & Hardening
Best Practices
Practice 1 — Principle of least exposure for management appliances. IT management platforms like KACE SMA should never be internet-facing. Place them on isolated management VLANs with strict firewall rules allowing only authorized administrator IPs and endpoint agents to connect.
Practice 2 — Patch management for your patch manager. It is an ironic but common failure: the tool responsible for patching endpoints is itself left unpatched. Establish a process to subscribe to Quest KACE security bulletins and treat KACE updates with the same urgency as OS or application patches.
Practice 3 — Monitor for lateral movement from IT management tools. KACE SMA and similar tools (Ivanti, ManageEngine, SCCM) have privileged access to every endpoint they manage. Any unusual process execution, account creation, or external network connection originating from these systems should trigger immediate investigation.
Practice 4 — Backup infrastructure segregation. Observed post-exploitation behavior included lateral movement into Veeam and Veritas backup systems. Ensure backup infrastructure is on separate, tightly controlled network segments with MFA-protected admin access.
Practice 5 — Disable SSO if unused. If SSO is not a required feature in your deployment, disable it at the appliance level. Unused authentication pathways are pure attack surface.
Monitoring & Detection
Configure the following alerts in your SIEM:
| Detection Rule | Source | Trigger |
|---|---|---|
| Anomalous SSO auth without IdP log match | KACE Audit Log + IdP Logs | SSO login to KACE with no corresponding IdP event |
| New admin account creation | KACE Audit Log | Any new account added to admin group |
| Outbound curl from KACE host | Network/Firewall Logs | Outbound HTTP/S from KACE SMA to unknown external IPs |
| Base64 process execution | Endpoint/KACE Logs | Command execution where `/bin/sh -c` runs `echo <Base64 blob>` piped into `base64` for decoding |
| Mimikatz signature | EDR | Process matching Mimikatz signatures on KACE host or managed endpoints |
| RDP from KACE to domain controllers | Network Logs | Unexpected RDP (TCP 3389) from KACE SMA IP to DC IPs |
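The rules in the table above, together with the Step 3 and Step 4 review in Section 3, as an added example that is not KACE or vendor code: it applies four of the rules (external-IP SSO login, SSO login with no matching IdP event, new admin account, Base64 command execution) to constructed audit and IdP records and decodes the captured blob for the analyst. The record field names and action values (`SSO_LOGIN`, `USER_CREATE`, `SCRIPT_RUN`) are assumptions, not KACE's real audit-log schema; map them to what your KACE export and IdP actually emit.

```python
"""Run the SIEM rules from the table above over constructed KACE SMA audit and IdP records.
Added example, not KACE or vendor code; field names and action values are assumptions."""
import base64
import binascii
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample records. The first three mimic the intrusion pattern described on this
# page (external SSO login with no IdP event, rogue admin, Base64 command); the last is a
# legitimate SSO login that the IdP also logged three seconds earlier.
KACE_AUDIT = [
    {"ts": "2026-03-09T02:11:07Z", "action": "SSO_LOGIN", "user": "admin", "src_ip": "203.0.113.45"},
    {"ts": "2026-03-09T02:12:30Z", "action": "USER_CREATE", "user": "admin",
     "target": "svc_backup", "role": "Administrator"},
    {"ts": "2026-03-09T02:13:02Z", "action": "SCRIPT_RUN", "user": "admin",
     "cmd": "/bin/sh -c 'echo Q09OU1RSVUNURUQtU0FNUExFLVBBWUxPQUQ= | base64 -d | sh'"},
    {"ts": "2026-03-09T09:00:15Z", "action": "SSO_LOGIN", "user": "jdoe", "src_ip": "10.20.30.40"},
]
IDP_LOG = [
    {"ts": "2026-03-09T09:00:12Z", "user": "jdoe", "app": "kace-sma", "result": "success"},
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# /bin/sh -c ... echo <base64 blob> | base64 ...   (the blob is captured for decoding)
B64_EXEC = re.compile(r"/bin/sh\s+-c.*?echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64")
IDP_WINDOW = timedelta(minutes=5)   # how long before the KACE login an IdP auth may occur


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_external(ip: str) -> bool:
    """True unless the address falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def idp_match(login: dict, idp_events: list) -> bool:
    """True if the IdP recorded a successful auth for the same user within IDP_WINDOW before the KACE login."""
    t = _t(login["ts"])
    return any(e["user"] == login["user"] and e["result"] == "success"
               and timedelta(0) <= t - _t(e["ts"]) <= IDP_WINDOW
               for e in idp_events)


def decode_blob(blob: str) -> str:
    """Decode the captured Base64 for the analyst; return the raw blob if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return blob


def triage(audit: list, idp: list) -> list:
    """Apply the four rules and return findings as {rule, ts, user, detail} dicts in record order."""
    findings = []
    for rec in audit:
        act = rec["action"]
        if act == "SSO_LOGIN":
            if is_external(rec["src_ip"]):
                findings.append({"rule": "sso-login-from-external-ip", "ts": rec["ts"],
                                 "user": rec["user"], "detail": rec["src_ip"]})
            if not idp_match(rec, idp):
                findings.append({"rule": "sso-login-without-idp-event", "ts": rec["ts"],
                                 "user": rec["user"], "detail": "no IdP success for this user in window"})
        elif act == "USER_CREATE" and rec.get("role") == "Administrator":
            findings.append({"rule": "new-admin-account", "ts": rec["ts"],
                             "user": rec["user"], "detail": rec["target"]})
        elif act == "SCRIPT_RUN":
            m = B64_EXEC.search(rec.get("cmd", ""))
            if m:
                findings.append({"rule": "base64-command-execution", "ts": rec["ts"],
                                 "user": rec["user"], "detail": decode_blob(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in triage(KACE_AUDIT, IDP_LOG):
        print(f"{f['ts']} {f['rule']:30} user={f['user']} {f['detail']}")
```

The IdP correlation is the rule that speaks to this CVE specifically: a login the appliance attributes to SSO with no matching IdP success event is the signature of a forged assertion, whatever the source IP, so keep the window tight and run it against every SSO login, not only external ones.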
Threat hunting query (for Splunk):
index=kace_audit action=SSO_LOGIN
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, username
| sort - count
(Splunk's IN operator compares strings, so CIDR ranges must go through cidrmatch; grouping on _time would also reduce every count to 1, so the time bounds are kept as min/max instead. The index, action and field names are placeholders for your own KACE log onboarding.)
Investigate any SSO logins from external IP ranges immediately.
References
- CVE Link: NVD — CVE-2025-32975
- Vendor Advisory: Quest Support KB4379499
- KACE Changelog: Quest KACE SMA CVE Resolution
- Arctic Wolf Analysis: CVE-2025-32975 Active Exploitation Report
- The Hacker News: Hackers Exploit CVE-2025-32975 to Hijack Quest KACE SMA
- SecurityWeek: Critical Quest KACE Vulnerability Exploited in Attacks
- CISA KEV Catalog: Known Exploited Vulnerabilities
- SOCRadar Analysis: CVE-2025-32975 SSO Auth Bypass Deep Dive
- Full Disclosure (PoC): SecLists — CVE-2025-32975