A critical (CVSS 10.0) authentication bypass in Quest KACE Systems Management Appliance lets unauthenticated attackers impersonate legitimate users and seize complete administrative control of the appliance.
What Is It
CVE-2025-32975 is an improper authentication vulnerability (CWE-287) in the SSO authentication handling mechanism of Quest KACE Systems Management Appliance (SMA). The flaw allows attackers to impersonate legitimate users without valid credentials, leading to complete administrative takeover of the appliance.
The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, network-reachable, low complexity, no privileges, no user interaction, with a scope change and high impact across confidentiality, integrity, and availability. It scores the maximum 10.0.
Why It Matters
KACE SMA is an endpoint management platform; it inventories, patches, and pushes software to managed devices across an organization. Administrative takeover of the appliance hands an attacker a trusted distribution channel into every endpoint it manages.
CISA added CVE-2025-32975 to the Known Exploited Vulnerabilities catalog on 2026-04-20, confirming active exploitation in the wild. Known ransomware campaign use is currently listed as Unknown.
What's Vulnerable
Quest KACE Systems Management Appliance (SMA), in the following branches:
- 13.0.x before 13.0.385
- 13.1.x before 13.1.81
- 13.2.x before 13.2.183
- 14.0.x before 14.0.341 (Patch 5)
- 14.1.x before 14.1.101 (Patch 4)
Patch Status
Quest has published fixed versions for every affected branch (listed above) in KB 4379499. CISA's required action under BOD 22-01 is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal due date is 2026-05-04.
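To turn the affected-branch list and the fixed builds above into a repeatable check across a fleet, here is an added example (not Quest's or CISA's code) that compares an appliance's reported version against the fix for its branch; hostnames and versions in the sample inventory are constructed, and branches the advisory does not list are reported as unlisted rather than assumed safe.

```python
from typing import List, Optional, Tuple

# Fixed build per affected branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),   # Patch 5
    (14, 1): (14, 1, 101),   # Patch 4
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '14.0.338' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version sits in an affected branch below its fixed build,
    False if it is at or above the fix, None if the branch is not in the
    advisory (older or newer major.minor lines need separate vendor guidance)."""
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError(f"version needs major.minor.build, got {version!r}")
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v[:3] < fixed  # tuple comparison, so 14.0.338 < 14.0.341


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Bucket (hostname, version) rows into patch / ok / unlisted."""
    result = {"patch": [], "ok": [], "unlisted": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        bucket = "unlisted" if status is None else ("patch" if status else "ok")
        result[bucket].append(host)
    return result


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = [
    ("kace-hq", "14.1.96"),
    ("kace-lab", "14.1.101"),
    ("kace-dc2", "13.2.170"),
    ("kace-legacy", "12.1.170"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `patch` bucket are the ones that must reach the fixed build before the 2026-05-04 due date; `unlisted` hosts still need a manual look against the vendor KB.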