
CVE-2025-32975: Quest KACE SMA Admin Takeover

A flaw in the Single Sign-On authentication handler of Quest KACE Systems Management Appliance lets any remote attacker impersonate arbitrary users without knowing their credentials — obtaining full administrative access to the endpoint management control plane, with in-the-wild exploitation confirmed from March 2026 onwards.


CVE: CVE-2025-32975
CVSS: 10.0 Critical
Affected: KACE SMA 13.0–14.1 (multiple patch levels)
Auth required: None
Patched: May 2025 — CISA KEV April 20, 2026

Overview

Quest KACE Systems Management Appliance (SMA) is an enterprise endpoint management platform used extensively in corporate and government environments to manage software deployment, patch distribution, asset inventory, and helpdesk operations across thousands of endpoints from a single pane of glass. That privileged position makes it an extremely high-value target.

CVE-2025-32975 is a complete authentication bypass in KACE SMA's Single Sign-On handling, achieving the theoretical maximum CVSS score of 10.0. An unauthenticated remote attacker can impersonate any valid user on the appliance — including the default admin account — without ever knowing a password. The initial disclosure was in June 2025; active exploitation was confirmed in enterprise environments from March 2026 onward, triggering CISA's KEV listing on April 20, 2026.

Observed post-exploitation activity included attackers using KACE's native KPluginRunProcess functionality to execute arbitrary commands across all managed endpoints, dropping Mimikatz for credential harvesting, and using the appliance's existing network visibility to move laterally — all from a starting point of zero credentials.

The SSO Authentication Bypass

KACE SMA supports Single Sign-On integration to allow seamless authentication for users already authenticated to a corporate identity provider. The flaw lies in how the SSO authentication flow validates the user identity token before establishing an authenticated session.

Technical Root Cause

In the vulnerable versions, the SSO handler fails to adequately verify the integrity or origin of the identity token supplied during the SSO callback. An attacker can craft a forged SSO authentication request specifying an arbitrary username — typically admin — in the identity token. The appliance accepts this at face value, establishes a fully authenticated session for that user, and issues a valid session cookie.

Critically, KACE SMA does not require the SSO token to be signed by a trusted identity provider in the affected code path. The entire trust model of the SSO integration collapses because the appliance trusts the client to assert its own identity — the classic confused deputy pattern in authentication systems.

# Simplified exploit — forge an SSO token asserting admin identity
# Attacker sends a crafted POST to the SSO callback endpoint:

POST /userui/index.php?m=Login&action=SSOLogin HTTP/1.1
Host: kace-sma.target.corp
Content-Type: application/x-www-form-urlencoded

sso_user=admin&sso_token=[forged_or_empty_token]

# Response: 302 redirect with a fully-authenticated admin session cookie
# No brute-force, no credentials, no prior access required
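The failure mode described above, modelled as an added Python example rather than KACE's own code: the vulnerable handler trusts the client-asserted sso_user field, while the hardened handler takes the identity only from a token signed by the identity provider. The token format (hex JSON plus HMAC-SHA256), the shared IdP secret and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed shared secret between appliance and IdP (assumption; not a real value).
IDP_SECRET = b"example-shared-secret-not-real"


def vulnerable_sso_login(body: str):
    """Affected pattern: the username asserted in the form body becomes the
    session identity; sso_token is never checked, so empty or forged is fine."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("sso_user", [""])[0] or None


def issue_idp_token(user: str, ttl: int = 300, now=None) -> str:
    """What the trusted IdP would mint (assumed format: hex(JSON) '.' hex(HMAC))."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl}).encode().hex()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def hardened_sso_login(body: str, now=None):
    """Hardened pattern: identity comes only from a signed, unexpired IdP token.
    The client-supplied sso_user field is ignored entirely."""
    now = time.time() if now is None else now
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("sso_token", [""])[0]
    payload, _, sig = token.partition(".")
    if not payload or not sig:
        return None                       # missing or malformed token
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                       # not signed by the trusted IdP
    try:
        claims = json.loads(bytes.fromhex(payload))
    except (ValueError, TypeError):
        return None                       # payload is not well-formed
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None                       # expired (or no expiry claim)
    return claims.get("sub") or None      # identity asserted by the IdP, not the client
```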

Why the Bypass Matters Beyond KACE

KACE SMA typically holds credentials for managed endpoints, stores software deployment scripts with administrative privileges, and has direct agent-based access to every managed device in the estate. Compromising the KACE admin interface is not a single-host compromise — it is a key to the entire endpoint fleet. Threat actors exploiting this vulnerability did not stop at KACE; they used the appliance as a jump point to deploy tooling fleet-wide within minutes of gaining access.

In-the-Wild Exploitation

The vulnerability was patched in May 2025, but a significant proportion of KACE SMA deployments remained unpatched when exploitation began in earnest the following year. From the week of 9 March 2026, Arctic Wolf and other MDR vendors began observing suspicious activity in customer environments consistent with CVE-2025-32975 exploitation on internet-exposed KACE appliances.

Observed post-compromise tactics included:

Affected Versions

All versions prior to the following patch levels are vulnerable:

Remediation

  1. Apply the relevant patch immediately. This vulnerability has been actively exploited for weeks — there is no justification for delay.
  2. Remove KACE SMA from internet exposure. Management appliances of this nature should never be directly reachable from the internet. Place behind VPN and restrict access to management network segments.
  3. After patching, audit all administrator accounts and flag any created since March 2026 that were not provisioned by your team.
  4. Review KACE script execution and deployment logs from March 2026 onward for commands or packages deployed that are outside your change management baseline.
  5. Assume compromise and rotate all credentials stored in or accessible from KACE — service account passwords, deployment credentials, and any API keys held in managed scripts.
  6. Conduct endpoint-level threat hunting across the managed fleet for Mimikatz artefacts, new local administrator accounts, and anomalous outbound connections originating in the March–April 2026 window.

Detection
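
One way to hunt for the SSO callback abuse described above in web access logs, as an added Python example that is not part of the original write-up. It assumes the appliance logs in combined log format (the real KACE log format is not known here), uses the callback path shown in the request above, and treats a successful (302) SSO callback as suspicious when SSO is not configured, when the source is outside the trusted networks, or when the user agent is not a browser. The log lines and the trusted network range are constructed.

```python
import ipaddress
import re

# Constructed sample lines in combined log format (assumption about the real format).
SAMPLE_LOG = """\
10.20.5.17 - - [10/Mar/2026:08:01:12 +0000] "POST /userui/index.php?m=Login&action=SSOLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.5.17 - - [10/Mar/2026:08:01:13 +0000] "GET /adminui/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Mar/2026:02:14:05 +0000] "POST /userui/index.php?m=Login&action=SSOLogin HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.45 - - [11/Mar/2026:02:14:09 +0000] "GET /adminui/settings.php HTTP/1.1" 200 8811 "-" "python-requests/2.31"
198.51.100.9 - - [11/Mar/2026:02:20:00 +0000] "POST /userui/index.php?m=Login&action=SSOLogin HTTP/1.1" 401 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SSO_PATH = "/userui/index.php?m=Login&action=SSOLogin"   # callback path from the write-up
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]     # assumed corporate range


def find_suspicious_sso_logins(lines, trusted_nets=TRUSTED_NETS, sso_enabled=True):
    """Return one finding per successful SSO callback that has at least one red flag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only successful callbacks matter: a 302 here means a session was issued.
        if m["method"] != "POST" or m["path"] != SSO_PATH or m["status"] != "302":
            continue
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if not sso_enabled:
            reasons.append("SSO callback succeeded but SSO is not configured")
        if not any(ip in net for net in trusted_nets):
            reasons.append("source outside trusted networks")
        if not m["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user agent: " + m["ua"])   # weak signal on its own
        if reasons:
            findings.append({"ip": str(ip), "ts": m["ts"], "reasons": reasons})
    return findings
```

Pair each hit with the admin UI requests that follow from the same source, and with the script and deployment logs from step 4 of the remediation list, to scope what the session was used for.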

References