The vulnerability is tracked as CVE-2025-32975 and it may have been exploited in attacks against the education sector.

Arctic Wolf has detected suspicious activity in client networks that appears tied to the exploitation of CVE-2025-32975, a critical authentication bypass flaw affecting unpatched Quest KACE Systems Management Appliance (SMA) instances exposed to the internet.

A critical vulnerability in Quest’s KACE Systems Management Appliance (SMA) has raised fresh concerns across the cybersecurity landscape, as threat actors are suspected of exploiting the flaw to gain unauthorized access and administrative control over affected systems.

KACE SMA, an on-premises solution widely used for centralized endpoint management – including asset inventory, software deployment, patch management, and system monitoring – plays a crucial role in enterprise IT environments. However, its central position also makes it a high-value target for cyber attackers seeking to infiltrate organizational networks.

The vulnerability, identified as CVE-2025-32975, was patched by Quest in May 2025. Despite the availability of a fix, recent findings indicate that attackers may have successfully exploited the flaw in real-world environments. The issue allows unauthenticated threat actors to impersonate legitimate users, potentially leading to full administrative takeover of the appliance.

According to cybersecurity researchers, attackers leveraged CVE-2025-32975 as an initial access vector. Once inside the system, they were able to escalate privileges and gain administrative control, creating significant risks for affected organizations, including data exposure, system manipulation, and lateral movement across networks.

The observed activity is believed to have begun in early March 2026. At this stage, there is no confirmed attribution, and the attackers’ specific objectives remain unclear. While some impacted organizations were identified within the education sector across multiple regions, there is insufficient evidence to confirm whether these entities were deliberately targeted.

Security experts suggest that the attacks were likely opportunistic in nature, particularly because they involved internet-exposed KACE SMA appliances. Systems that remain unpatched or improperly secured are especially vulnerable to such exploitation attempts.

Importantly, additional related vulnerabilities – CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978 – were also addressed in the same patch release. However, current investigations have found no evidence linking these vulnerabilities to the observed attacks, indicating that CVE-2025-32975 remains the primary concern.

This incident underscores the growing importance of proactive vulnerability management, especially for critical infrastructure tools used in endpoint management. As cyber threats continue to evolve, organizations must prioritize timely patching, continuous monitoring, and minimizing exposure of sensitive systems to the public internet.

Security teams are strongly advised to ensure that all KACE SMA instances are updated to the latest patched versions. Failure to do so could leave systems exposed to unauthorized access, operational disruption, and broader cybersecurity risks.
