Critical CVE-2025-32975 Flaw in Quest KACE SMA Exploited, Affecting 60 Organizations

Severity: High (Score: 75.0)

Sources: Securityaffairs.Co, Scworld

Summary

The CVE-2025-32975 vulnerability in Quest KACE SMA, an endpoint management platform, has been exploited after remaining unpatched for 10 months. This severe authentication bypass flaw, with a CVSS score of 10.0, allows attackers to impersonate users without credentials. The incident primarily affected HIQ, a managed services provider, leading to the exfiltration of a 512 MB database containing sensitive information from over 60 organizations, including law enforcement and healthcare. Attackers utilized a sophisticated toolkit for reverse shells, command and control, and credential spraying. The vulnerability was published on June 24, 2025, and was added to CISA's KEV list for active exploitation on April 20, 2026. Over 12,000 internet-facing KACE 1000 appliances are potentially vulnerable due to outdated versions. The incident emphasizes the risks of unpatched vendor software in supply chains.

Key Points:

  • CVE-2025-32975 is a critical authentication bypass flaw in Quest KACE SMA.
  • Attackers exploited the vulnerability to access sensitive data from over 60 organizations.
  • More than 12,000 KACE appliances are potentially vulnerable due to outdated software.

Key Entities

  • Data Breach (attack_type)
  • Supply Chain Attack (attack_type)
  • HIQ (company)
  • Education (company)
  • CVE-2025-32975 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • Healthcare (industry)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • KACE 1000 Appliances (platform)
  • Quest KACE SMA (platform)
  • Quest KACE Systems Management Appliance (platform)