
CVSS 10.0 authentication bypass on Quest KACE SMA, actual attack confirmed since early March

Ikesan

What is Quest KACE SMA?

Quest KACE SMA (Systems Management Appliance) is an appliance product that allows corporate IT departments to centrally manage in-house PCs and servers.

  • Software distribution/update management
  • Batch application of OS patches
  • Hardware/software inventory collection
  • Help desk/ticket management
  • Security policy enforcement

This is the control tower that manages every endpoint within the company. Many organizations manage hundreds to thousands of endpoints with it, so if the appliance were hijacked it would be possible to push scripts to every managed device or harvest credentials from all of them at once. In some cases the KACE SMA web management console is exposed to the Internet, and that is exactly what was targeted in this attack.

Vulnerability Overview

CVE-2025-32975 is an authentication bypass vulnerability in the KACE SMA authentication mechanism. An attacker can impersonate a legitimate user without valid credentials and take full control of an administrator account.

The CVSS score (Common Vulnerability Scoring System, a standard method that rates vulnerability severity on a scale of 0.0 to 10.0) is 10.0. This is the theoretical maximum: no authentication is required and complete control of the system can be taken over the network. The top score is justified, since the vulnerability allows the central device management system to be taken over without any credentials.

Quest claims this vulnerability was fixed in May 2025, but unpatched systems have been exposed to attacks since early March 2026. Arctic Wolf has reported that it has observed active attack activity in customer environments starting the week of March 9, 2026.

Confirmed attack chains

The attack sequence observed by Arctic Wolf is as follows:

graph TD
    A[External C2 server<br/>216.126.225.156] -->|Base64 payload dropped<br/>via curl| B[Unpatched KACE SMA]
    B -->|runkbot.exe executed| C[Additional admin account created]
    C -->|Mimikatz executed| D[Credential theft]
    D -->|PowerShell script| E[Persistence via registry modification]
    E -->|Backdoor survives| F[Continued access secured]

Initial access

The authentication bypass is abused to reach the KACE SMA management console and take control of the core of device management.

Payload drop

Obtain and execute the Base64 encoded payload (malicious code body) from the external C2 server (attacker’s control server) 216.126.225[.]156 using the curl command.

Preparation for lateral movement

runkbot.exe, KACE SMA's legitimate remote execution tool, is abused to create additional administrative accounts. runkbot.exe is part of the mechanism KACE SMA uses to distribute scripts and software to managed devices. By repurposing this functionality, an attacker retains administrative privileges even if the original intrusion route is closed.

Credential theft

Mimikatz (an attack tool that extracts password hashes and authentication tokens from Windows memory) is run to steal credentials. Because KACE SMA handles credentials for a large number of devices, the information stolen here can be used to move laterally to other systems under its management (expanding the intrusion to other machines within the network).

Persistence

A PowerShell script modifies the Windows registry, allowing the backdoor to persist even after a reboot. This allows attackers to maintain unnoticed access for long periods of time.

Affected versions and fix information

According to the advisory published by Quest, the following versions are affected:

Branch   Fixed version
14.1.x   14.1.101 (Patch 4 or later)
14.0.x   14.0.341 (Patch 5 or later)
13.2.x   13.2.183 or later
13.1.x   13.1.81 or later
13.0.x   13.0.385 or later

Updating to the fixed version above is the top priority. The patch was released in May 2025, so any environment where it has not yet been applied should be checked immediately.
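As an added example (not from the article or from Quest), the following Python script compares a KACE SMA version string against the fixed versions in the table above, so a fleet inventory can be checked in bulk. It assumes three-part major.minor.build version strings and that build numbers increase monotonically within a branch; branches not listed in the advisory are reported as unknown rather than guessed.

```python
# Fixed versions per branch, taken from Quest's advisory table as reproduced above.
FIXED_VERSIONS = {
    (14, 1): (14, 1, 101),
    (14, 0): (14, 0, 341),
    (13, 2): (13, 2, 183),
    (13, 1): (13, 1, 81),
    (13, 0): (13, 0, 385),
}


def parse_version(text):
    """Turn '14.1.95' into (14, 1, 95); reject anything that is not three dotted integers.

    Assumption: KACE SMA reports versions as major.minor.build.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.build, got {text!r}")
    return parts


def patch_status(text):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a KACE SMA version string."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not covered by the advisory table; confirm with Quest rather than assume.
        return "unknown-branch"
    # Tuple comparison assumes build numbers only ever increase within a branch.
    return "fixed" if version >= fixed else "vulnerable"


def triage_fleet(versions):
    """Map each appliance name to its patch status, e.g. from an inventory export."""
    return {name: patch_status(ver) for name, ver in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    sample = {"kace-hq": "14.1.95", "kace-branch": "14.1.101", "kace-lab": "12.1.10"}
    for name, status in triage_fleet(sample).items():
        print(f"{name}: {status}")
```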

The observed attack targeted a case in which the KACE SMA web management console was exposed directly to the Internet. The management console of a device management appliance should be reachable only from the internal network, with external access limited to a VPN or a jump server (bastion host). It is worth checking on Shodan or Censys whether your organization's KACE SMA is publicly reachable.

In environments that may already have been compromised, check the KACE SMA administrator logs from March 9 onward for records of suspicious account creation, communication with 216.126.225[.]156, or suspicious execution of runkbot.exe. Signs of Mimikatz execution include unusual patterns of event 4624 (logon success) in the Windows Security log and suspicious access to lsass.exe (the process that holds credentials in memory). If KACE SMA manages a large number of endpoints, the scope of damage from lateral movement grows proportionally, so check for abnormal logons not only on the KACE SMA itself but also on the managed endpoints.
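As an added example (not from the article), the following Python script applies the three KACE-side checks above to exported administrator log lines: account creation after March 9, 2026, any contact with the reported C2 address, and execution of runkbot.exe. The log format and the sample lines are constructed for illustration; the real KACE SMA log layout is not described on this page, so adapt the regular expression to your export.

```python
import re
from datetime import datetime

# Indicators taken from the article; the IP is written defanged in the text.
C2_IP = "216.126.225.156"
ATTACK_START = datetime(2026, 3, 9)

# Constructed sample lines in an assumed "<timestamp> <event body>" layout, not real KACE logs.
SAMPLE_LOGS = """\
2026-03-08 11:02:10 admin login user=kace_admin src=10.0.5.21
2026-03-10 02:14:33 admin user_create user=svc_backup by=kace_admin src=203.0.113.77
2026-03-10 02:15:01 script_exec cmd="runkbot.exe -c <elided>" target=all_devices
2026-03-10 02:15:20 outbound connect dst=216.126.225.156:443 proc=curl
2026-03-10 09:00:00 admin login user=kace_admin src=10.0.5.21
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def triage(log_text, since=ATTACK_START):
    """Return (timestamp, reason, line) for every line that matches one of the indicators.

    Lines before `since` are skipped, matching the article's advice to review
    activity from March 9 onward; a line can yield more than one reason.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: tighten LINE_RE for your export rather than ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if ts < since:
            continue
        body = m.group(2)
        reasons = []
        if "user_create" in body:
            reasons.append("admin account created")
        if C2_IP in body:
            reasons.append("traffic to reported C2 IP")
        if "runkbot.exe" in body.lower():
            reasons.append("runkbot.exe execution")
        hits.extend((ts, reason, line) for reason in reasons)
    return hits


if __name__ == "__main__":
    for ts, reason, line in triage(SAMPLE_LOGS):
        print(f"{ts} {reason}: {line}")
```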