CVE-2025-32975
📋 TL;DR
This CVE describes an authentication bypass vulnerability in Quest KACE Systems Management Appliance that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover. Affected systems include Quest KACE SMA versions 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4).
💻 Affected Systems
- Quest KACE Systems Management Appliance (SMA)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative takeover of the KACE SMA appliance, allowing attackers to deploy malware, exfiltrate sensitive data, and pivot to other network systems.
Likely Case
Unauthorized access to the management interface leading to privilege escalation, configuration changes, and potential lateral movement within the network.
If Mitigated
Limited impact if network segmentation and access controls prevent external access to the management interface.
🎯 Exploit Status
Public disclosure includes technical details that could be weaponized. The vulnerability requires no authentication to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4)
Vendor Advisory: https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Quest support portal. 2. Backup current configuration. 3. Apply the patch following Quest's documentation. 4. Restart the appliance. 5. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Disable SSO Authentication
allTemporarily disable SSO authentication to prevent exploitation of this vulnerability.
Navigate to KACE SMA web interface > Settings > Security > Authentication > Disable SSO
Network Access Restriction
allRestrict network access to KACE SMA management interface to trusted IP addresses only.
Configure firewall rules to allow only specific source IPs to access KACE SMA ports (typically 443/HTTPS)
🧯 If You Can't Patch
- Immediately restrict network access to the KACE SMA appliance using firewall rules to allow only trusted administrative IPs.
- Disable SSO authentication and use local authentication only until patching can be performed.
🔍 How to Verify
Check if Vulnerable:
Check the KACE SMA version in the web interface under Help > About. Compare against affected versions listed in the advisory.Check Version:
Access KACE SMA web interface and navigate to Help > About to view version information.Verify Fix Applied:
Verify the version shows a patched version (13.0.385, 13.1.81, 13.2.183, 14.0.341, or 14.1.101 or later). Test SSO authentication functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts via SSO
- Multiple failed SSO login attempts followed by successful login from unexpected IP
- Administrative actions from non-standard user accounts
Network Indicators:
- HTTP requests to SSO authentication endpoints from unexpected sources
- Unusual traffic patterns to KACE SMA management interface
SIEM Query:
source="kace-sma" AND (event_type="authentication" AND result="success" AND auth_method="sso") | stats count by src_ip, user | where count > threshold