Executive Summary
In March 2026, threat actors exploited a critical authentication bypass vulnerability (CVE-2025-32975) in unpatched Quest KACE Systems Management Appliances (SMA). This flaw, residing in the Single Sign-On (SSO) mechanism, allowed attackers to impersonate legitimate users without valid credentials, leading to potential administrative control over affected systems. The vulnerability was initially identified in June 2025, with patches released shortly thereafter. However, organizations that delayed applying these updates remained susceptible to exploitation.
This incident underscores the persistent risk posed by unpatched vulnerabilities, even after fixes are made available. It highlights the importance of timely patch management and continuous monitoring to prevent exploitation of known security flaws.
Why This Matters Now
The exploitation of CVE-2025-32975 in March 2026 demonstrates that unpatched vulnerabilities can be leveraged by attackers long after patches are released. Organizations must prioritize timely updates and robust vulnerability management to mitigate such risks.
Attack Path Analysis
An attacker exploited CVE-2025-32975 to bypass authentication on an unpatched Quest KACE SMA system, gaining administrative access. They escalated privileges by exploiting the administrative control obtained through the authentication bypass. The attacker moved laterally within the network, accessing other systems managed by the compromised SMA. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. The attacker deployed ransomware, encrypting critical data and disrupting operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited CVE-2025-32975, an authentication bypass vulnerability in the Quest KACE SMA, to gain unauthorized administrative access.
Related CVEs
CVE-2025-32975
CVSS 10An authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA) allows attackers to impersonate legitimate users without valid credentials, potentially leading to complete administrative takeover.
Affected Products:
Quest KACE Systems Management Appliance (SMA) – 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), 14.1.x before 14.1.101 (Patch 4)
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Create Account
Local Accounts
Cloud Accounts
Account Manipulation
Modify Authentication Process
Default Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Quest KACE SMA systems widely deployed for IT management face critical remote code execution risks, requiring immediate patching and network segmentation.
Health Care / Life Sciences
Healthcare IT infrastructure using KACE systems vulnerable to HIPAA compliance violations through lateral movement and potential patient data exfiltration.
Financial Services
Financial institutions with exposed KACE appliances risk regulatory non-compliance and sensitive financial data compromise through unencrypted traffic interception.
Higher Education/Acadamia
Educational institutions' extensive IT management systems create broad attack surfaces for threat actors exploiting unpatched KACE vulnerabilities.
Sources
- Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systemshttps://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.htmlVerified
- Quest Response to KACE SMA Vulnerabilities: CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, CVE-2025-32978https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978Verified
- NVD - CVE-2025-32975https://nvd.nist.gov/vuln/detail/CVE-2025-32975Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not have prevented the initial exploitation, it could have limited the attacker's ability to escalate privileges by enforcing strict access controls.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have limited the attacker's ability to escalate privileges by enforcing strict access controls and segmenting administrative functions.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have restricted the attacker's lateral movement by enforcing segmentation policies between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have detected and constrained unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have limited data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF may not have prevented the deployment of ransomware, it could have limited the spread and impact by enforcing segmentation and access controls.
Impact at a Glance
Affected Business Functions
- IT Asset Management
- Software Deployment
- Patch Management
- Service Desk Operations
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of administrative credentials and sensitive configuration data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, preventing unauthorized lateral movement.
- • Utilize Egress Security & Policy Enforcement to control outbound traffic and detect data exfiltration attempts.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to remediate known vulnerabilities like CVE-2025-32975.
