CVE-2025-32975 KACE SMA Exploitation Alert
A critical flaw tracked as CVE-2025-32975 affects the Quest Software KACE Systems Management Appliance (SMA). Attackers exploit this issue to bypass login and take control. This matters because many organizations expose these systems to the internet.
Researchers observed suspicious activity in early March 2026. Attackers likely used this vulnerability to gain initial access. The flaw received a patch in 2025, but unpatched systems remained vulnerable and easy to target.
CVE-2025-32975 attack method explained
Attackers used the flaw to bypass SSO authentication checks. Next, they impersonated valid users without credentials. As a result, they gained full administrative access to the system.
Meanwhile, attackers executed commands using built-in tools. They ran encoded payloads and downloaded files from remote servers. Then, they created new admin accounts to maintain control. In addition, they used PowerShell scripts to stay hidden and persistent.
Impact and exposed systems
The attack allowed full system takeover and deep network access. Also, attackers used tools like Mimikatz to steal credentials. As a result, they mapped users, groups, and domain structure.
Next, attackers moved laterally across the network. They accessed backup systems and domain controllers through RDP. However, this activity mainly affected systems exposed to the internet. Organizations with poor patching faced higher risk.
Response and what comes next
Experts urge organizations to patch CVE-2025-32975 immediately. Updating to the latest version blocks known attack paths. In addition, teams should remove public access to KACE SMA systems.
Admins should restrict access using VPNs or firewalls. Also, they should monitor unusual admin activity and login attempts. For example, sudden account creation may signal compromise. Finally, this case shows how delayed patching can expose critical infrastructure.
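One way to implement the monitoring advice above on Windows hosts, as an added example that is not from the original article or from Quest: it flags encoded PowerShell launches and accounts added to a privileged group shortly after creation. The flattened record layout, the host and account names, and the 10-minute window are assumptions; 4688, 4720 and 4732 are the standard Windows Security event IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, not data from the incident. Assumed layout:
# Windows Security events 4688 (process created), 4720 (account created)
# and 4732 (member added to a local group), flattened into dicts.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T10:00:05", "event_id": 4688, "host": "ws-01",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"time": "2026-03-02T10:14:40", "event_id": 4688, "host": "srv-02",
     "command_line": "powershell.exe -nop -w hidden -enc AAAAAAAA"},
    {"time": "2026-03-02T10:15:02", "event_id": 4720, "host": "srv-02", "account": "svc_helpdesk2"},
    {"time": "2026-03-02T10:15:30", "event_id": 4732, "host": "srv-02",
     "account": "svc_helpdesk2", "group": "Administrators"},
    {"time": "2026-03-02T11:00:00", "event_id": 4720, "host": "ws-01", "account": "jdoe"},
    {"time": "2026-03-03T09:00:00", "event_id": 4732, "host": "ws-01",
     "account": "jdoe", "group": "Administrators"},
]
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
PS_FLAG = re.compile(r"(?:^|\s)[-/](\w+)")

def is_encoded_powershell(command_line):
    """True if a PowerShell launch carries -EncodedCommand or a short form."""
    cl = command_line.lower()
    if "powershell" not in cl and "pwsh" not in cl:
        return False
    # PowerShell accepts unambiguous prefixes (-e, -enc, ...) and the alias -ec.
    return any(f == "ec" or "encodedcommand".startswith(f)
               for f in PS_FLAG.findall(cl))

def detect(events, window=timedelta(minutes=10)):
    """Return (rule, host, time) alerts for the two behaviours above."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev.get("account"))
        if ev["event_id"] == 4688:
            if is_encoded_powershell(ev.get("command_line", "")):
                alerts.append(("encoded_powershell", ev["host"], ev["time"]))
        elif ev["event_id"] == 4720:
            created[key] = ts  # remember when this account first appeared
        elif ev["event_id"] == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
            born = created.get(key)
            if born is not None and ts - born <= window:
                alerts.append(("new_account_made_admin", ev["host"], ev["time"]))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The account "jdoe" in the sample is promoted a day after creation and is deliberately not flagged; widen or narrow the window to match local provisioning practice.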