Quest KACE SMA CVE-2025-32975 exploitation

Summary

Hunt.io reports post-exploitation tooling and victim data exposed from infrastructure tied to exploitation of Quest KACE Systems Management Appliance (SMA) CVE-2025-32975, a critical SSO authentication-bypass flaw. The case has lasting relevance because KACE SMA sits on a privileged endpoint-management plane: compromise of the appliance can become compromise of many managed endpoints and downstream customers.

Why this matters

  • Privileged management plane: KACE SMA is used for endpoint inventory, patching, software deployment, scripting, and administrative control. Administrative takeover of the appliance can expose many managed systems.
  • Unauthenticated takeover path: NVD describes CVE-2025-32975 as an SSO authentication-handling bypass that lets a network-reachable attacker impersonate legitimate users, including administrators, without valid credentials.
  • Downstream blast radius: Hunt.io says the exposed data showed a Boston-area managed IT services provider appliance managing endpoints for more than 60 client organizations across public-sector and private-sector environments. Do not treat a KACE SMA compromise as single-host scope.
  • Old patch, active exposure: Quest published fixed builds in May 2025; Hunt.io says exploitation was observed in March 2026 and that its scan data still found more than 12,000 internet-facing K1000 appliances exposing vulnerable pre-patch version strings.

Public reporting

  • Quest says CVE-2025-32975 and related KACE SMA vulnerabilities are resolved in 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, and 14.1.101 Patch 4.
  • NVD / CISA-ADP list the flaw as CVSS 10.0 critical and describe complete administrative takeover through the SSO authentication mechanism.
  • Hunt.io reports that its AttackCapture system recorded an open directory at 216.126.225[.]156:8000 on March 12, 2026, three days after first observed exploitation activity cited in the report.
  • Hunt.io says the exposed directory held 219 files across 36 directories totaling 308 MB, including reverse-shell code, a bidirectional file server, account-creation scripts, SMB credential-spraying logic, WMI reconnaissance, Earthworm / SOCKS5 tunneling components, Netcat, NetBIOS scanning, Tor Browser, and a sql.zip victim-data archive.
  • Hunt.io also found six Next.js prototype-pollution exploit payloads in the same operator staging area, suggesting the actor was pursuing more than one public-facing initial-access vector.

Intrusion shape

  1. Exploit internet-facing KACE SMA through CVE-2025-32975 to gain administrative control without valid credentials.
  2. Stage a centralized toolkit on attacker infrastructure for file transfer, reverse shelling, account creation, reconnaissance, and lateral movement.
  3. Use WMI / SMB workflows to enumerate domain computers, users, disks, admin shares, and credential validity.
  4. Establish covert access through tunneling / proxy components such as Earthworm and a custom TCP-multiplexed SOCKS5 path.
  5. Collect appliance database material and managed-endpoint metadata, expanding the response problem to MSP customers or other downstream organizations managed by the appliance.

Defender notes

  • Upgrade KACE SMA to Quest’s fixed builds or later. Pay special attention to 13.x appliances: Quest says the 13.x security hotfix must be re-applied after full 13.x upgrades to remain secure.
  • Inventory all internet-facing KACE SMA / K1000 services, including non-standard ports. Do not rely only on standard management-plane exposure assumptions.
  • If a vulnerable appliance was internet-facing after May 2025, review it as potentially compromised, especially around March 2026 and later.
  • Preserve and review KACE appliance logs, admin-user changes, appliance database access, uploaded scripts, patch/deployment jobs, and outbound connections from the appliance to unfamiliar infrastructure.
  • Hunt for tooling patterns reported by Hunt.io: unexpected AddUser.ps1, cm_disk.ps1, smb.py, rs.py, uploadserver.py, print_param.py, Earthworm / EWhere64.exe, nbtscan, nc.exe, SOCKS5 tunnel scripts, Tor Browser staging, and connections to 216.126.225[.]156:8000.
  • In MSP or shared-management contexts, scope response to managed endpoints and downstream tenants/customers. Avoid publishing exposed client names or personal data from leaked operator directories.
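As an added example (not code from Hunt.io, Quest, or this page), a small Python triage helper that sorts inventoried KACE SMA version strings against the fixed builds listed above and flags 13.x appliances for the hotfix re-application check; the "Patch N" version-string format and the sample inventory are constructed assumptions, so adapt the parser to whatever your inventory source actually reports.

```python
"""Triage KACE SMA version strings against the CVE-2025-32975 fixed builds."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class KaceVersion(NamedTuple):
    major: int
    minor: int
    build: int
    patch: int  # 0 when the string carries no "Patch N" suffix


# Fixed builds per branch as published by Quest (see Sources). Tuple
# comparison is lexicographic, so build and patch level compare in order.
FIXED: Dict[Tuple[int, int], KaceVersion] = {
    (13, 0): KaceVersion(13, 0, 385, 0),
    (13, 1): KaceVersion(13, 1, 81, 0),
    (13, 2): KaceVersion(13, 2, 183, 0),
    (14, 0): KaceVersion(14, 0, 341, 5),
    (14, 1): KaceVersion(14, 1, 101, 4),
}

# Assumed format: "14.0.341" or "14.0.341 Patch 5" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+patch\s+(\d+))?\s*$", re.I)


def parse_version(text: str) -> Optional[KaceVersion]:
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return KaceVersion(int(m[1]), int(m[2]), int(m[3]), int(m[4] or 0))


def assess(text: str) -> str:
    """Return 'patched', 'patched-verify-hotfix', 'vulnerable', 'review' or 'unparsed'."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    fixed = FIXED.get((v.major, v.minor))
    if fixed is None:
        return "review"  # no fixed build listed for this branch: check Quest's advisory
    if v < fixed:
        return "vulnerable"
    # Quest says the 13.x hotfix must be re-applied after full 13.x upgrades,
    # so a 13.x build number alone does not prove the appliance is secure.
    return "patched-verify-hotfix" if v.major == 13 else "patched"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version string) pair to its assessment."""
    return {host: assess(version) for host, version in inventory}


# Constructed sample inventory, not data from the report.
SAMPLE = [("kace-a", "14.0.341 Patch 4"), ("kace-b", "14.0.341 Patch 5"),
          ("kace-c", "13.2.183"), ("kace-d", "12.1.169"), ("kace-e", "n/a")]
```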

Sources

  • Hunt.io — CVE-2025-32975: The Open Directory Behind the KACE SMA Breach and 60+ Downstream Victims: https://hunt.io/blog/cve-2025-32975-quest-kace-sma-open-directory-60-victims
  • Quest — Quest Response to KACE SMA Vulnerabilities: CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, CVE-2025-32978: https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
  • NVD — CVE-2025-32975: https://nvd.nist.gov/vuln/detail/CVE-2025-32975