A serious cybersecurity issue has come up that organizations cannot ignore. A critical vulnerability tracked as CVE-2025-32975, with a CVSS score of 10.0, is now being actively exploited. The attacks are targeting unpatched Quest KACE Systems Management Appliance (SMA) devices. This makes it a high-risk situation for companies using these systems.

Security researchers have confirmed that these attacks started in early March 2026. This means the threat is real and already happening in active environments. Hackers are scanning systems and finding devices that have not been updated. Once found, these systems become easy targets for exploitation.

The vulnerability is an authentication bypass issue, which makes it extremely dangerous. In simple terms, attackers can log in without valid credentials. They can impersonate legitimate users and gain full administrative access. This allows complete control over the affected system.

The flaw exists in the Single Sign-On (SSO) authentication mechanism. Because of this, attackers do not need any prior access or user interaction. They can directly target exposed systems over the internet. This significantly increases the risk for organizations with publicly accessible SMA devices.

The attack process is simple but very effective. Hackers look for internet-facing, unpatched SMA systems and exploit them. Once inside, they gain admin access and start executing remote commands. They also download malicious tools to strengthen their control over the system.

After gaining access, attackers perform multiple post-exploitation activities. They use tools like Mimikatz to steal credentials from the system. They also check user accounts, admin groups, and system configurations. In some cases, they create new administrator accounts to maintain long-term access.

Attackers have also been seen modifying the Windows Registry using PowerShell. They attempt to move deeper into the network by accessing RDP systems and backup servers. In some cases, they even target domain controllers. This shows that the goal is often full enterprise compromise.
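
For defenders, the post-exploitation behaviors described above can be hunted as a sequence rather than one by one. The following is an added example, not part of the original article: it flags hosts that show several of those stages within a short window. The event records are constructed, the field layout and match patterns are assumptions to tune per environment, and the event IDs are the standard Windows Security log IDs for process creation (4688), account creation (4720) and local group membership changes (4732).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from a real incident):
# (timestamp, host, Windows Security event ID, command line or summary)
SAMPLE_EVENTS = [
    ("2026-03-04T10:01:12", "ws-014", 4688, "net.exe localgroup administrators"),
    ("2026-03-04T10:02:40", "ws-014", 4688,
     "powershell.exe -c Set-ItemProperty -Path HKLM:\\SOFTWARE\\Example -Name x"),
    ("2026-03-04T10:05:03", "ws-014", 4720, "New account: svc_help"),
    ("2026-03-04T10:05:09", "ws-014", 4732, "Member added to Administrators: svc_help"),
    ("2026-03-04T11:30:00", "ws-022", 4688, "net.exe user"),
    ("2026-03-05T09:00:00", "ws-031", 4688,
     "powershell.exe Get-ItemProperty HKLM:\\SOFTWARE\\Example"),
]

# Stage name -> (event ID, pattern). Patterns are illustrative assumptions.
STAGES = {
    "credential_tool": (4688, re.compile(r"mimikatz|sekurlsa", re.I)),
    "account_discovery": (4688, re.compile(
        r"\bnet1?(\.exe)?\s+(user|localgroup|group)\b", re.I)),
    "registry_change": (4688, re.compile(
        r"powershell.*\b(Set-ItemProperty|New-ItemProperty|reg(\.exe)?\s+add)\b", re.I)),
    "account_created": (4720, re.compile(r".")),
    "admin_group_add": (4732, re.compile(r"administrators", re.I)),
}

def classify(event_id, text):
    """Return the names of every stage this single record matches."""
    return [n for n, (eid, rx) in STAGES.items() if eid == event_id and rx.search(text)]

def hunt(events, window=timedelta(minutes=30), min_stages=3):
    """Flag hosts showing at least min_stages distinct stages inside one window."""
    hits = defaultdict(list)
    for ts, host, eid, text in events:
        for stage in classify(eid, text):
            hits[host].append((datetime.fromisoformat(ts), stage))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring several distinct stages keeps routine single actions, such as an administrator running one `net user` query, from raising an alert on their own.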

This vulnerability was already patched by Quest in May 2025, but many systems remain unpatched. Secure versions have been released, and updating is critical to stay protected. Experts strongly recommend applying patches immediately and monitoring systems closely. The key takeaway is simple: if a system is not patched, it is already at risk.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news