Security | 5 min read | Source: The Hacker News

Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems

By the Pixelift editorial team (Redakcja Pixelift)

Photo: The Hacker News

The critical vulnerability CVE-2025-32975 has been given the highest possible severity score, CVSS 10.0, meaning that an attacker can take full control of a Quest KACE Systems Management Appliance (SMA) without authenticating. The flaw permits remote code execution (RCE) with system privileges, which in practice opens the door to the whole IT estate of any organization that relies on this asset-management product. For administrators worldwide, the lesson is to stop exposing the appliance and to move its administration behind a Zero Trust Network Access (ZTNA) model. Traditional VPN-based perimeter security has proved insufficient against exploitation of unpatched flaws in administrative tools; note that a fix for CVE-2025-32975 is already available, so what is being exploited here is an n-day against organizations that have not patched, not a zero-day. ZTNA limits lateral movement, an intruder's ability to roam the network after the first foothold, by connecting users to specific applications rather than to a whole network segment.

In an era of attacks that turn trusted management tooling against its owners, the Quest KACE SMA incident is a clear signal that security cannot rest on software updates alone. Critical management systems must be isolated from the public internet, and every access request must be verified regardless of where the user sits. Effective protection now means abandoning trust in perimeter architecture in favor of precise control over identity and the context of every connection.

In cybersecurity, a CVSS 10.0 score is the reddest of red flags: a critical flaw that requires neither physical access nor any prior privileges to exploit. That is exactly the situation now facing administrators of Quest KACE Systems Management Appliance (SMA) systems. Attack groups have begun mass-scanning for unpatched units and exploiting CVE-2025-32975 to take full control of endpoint-management infrastructure.

The first signs of active exploitation appeared in March 2026, when researchers at Arctic Wolf observed suspicious traffic in client environments whose SMA systems were exposed directly to the public internet. The scale of the threat is significant because Quest KACE SMA is a powerful tool for hardware inventory, software distribution and operating-system patching. In criminal hands it becomes an ideal channel for pushing ransomware or exfiltrating data at scale, because its deployment features reach every managed endpoint.

Anatomy of a critical flaw at the heart of infrastructure

CVE-2025-32975 is described as a remote code execution (RCE) flaw that lets an unauthenticated attacker run arbitrary commands with system privileges. In practice the attacker bypasses the login mechanism and reaches the administrative console with the highest privileges. Because the SMA is designed to have broad access to every device in the corporate network, compromising this single point hands the attacker the "keys to the kingdom."

Experts indicate that the attack vector relies on improper input validation at one of the appliance's publicly reachable API endpoints. Threat actors use the flaw to inject code that the server then executes. Preliminary analysis of the incidents suggests the following attack sequence:

  • Port scanning in search of active Quest KACE SMA instances.
  • Sending a specially crafted HTTP request to the vulnerable web component.
  • Launching a reverse shell, giving the attacker interactive access to the server's command line.
  • Using the SMA's built-in deployment functions to push malicious scripts to employee workstations.

Why traditional security failed

Most of the organizations hit relied on a traditional perimeter model in which management appliances were protected only by simple firewall rules, or were exposed directly to the internet to make remote work easier. In a Zero Trust era that approach is extremely risky: attackers can identify vulnerable versions almost instantly and exploit them before the IT department finishes its test-and-deploy cycle for the patch.

The problem is compounded by the fact that many SMA systems were not updated regularly, for fear of downtime in the departments that depend on them. Quest has already released the relevant patches, yet the pace of deployment across organizations worldwide remains unsatisfactory. The first check for any administrator is therefore simple: confirm that the appliance is on a fixed release and that its web interface is not reachable from the internet. A lack of network segmentation means that once the SMA falls, attackers can move laterally across the whole infrastructure, reaching databases and backup servers.

"When a tool designed to secure a network becomes its weakest link, we are dealing with a security paradox that requires an immediate change in access architecture."

The necessity of moving to a ZTNA model

The CVE-2025-32975 incident is the strongest argument yet for replacing legacy VPN access with Zero Trust Network Access (ZTNA). Traditional VPNs often grant broad network access once a user authenticates, whereas ZTNA applies the principle of least privilege per application. In that model, even when an appliance such as Quest KACE SMA carries a vulnerability, it should be reachable only by a narrow group of authorized administrators, and certainly not by the entire internet.

Key benefits of ZTNA for protecting management systems include:

  • Resource Hiding: SMA systems become invisible to public scanners, preventing attackers from discovering them.
  • Identity and Context Verification: Access to the management panel is granted based not only on a password but also on the security posture of the administrator's device and their location.
  • Microsegmentation: Limiting SMA communication exclusively to the necessary ports and protocols required for endpoint management, which blocks lateral movement attempts.
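As an added illustration of the microsegmentation and resource-hiding points above, and of the segmentation gap described under "Why traditional security failed", the script below is example code written for this page; it is not code from the article, from Quest, or from Arctic Wolf. It takes an assumed allowlist of administrative source networks, renders the nftables rules that would enforce that allowlist in front of the appliance, and audits a set of constructed web-access-log lines to flag any request that reached the SMA from outside the allowlist. The network ranges, URL paths and log lines are placeholders invented for the example; the appliance's real log format and endpoints are not documented here.

```python
import ipaddress
import re
from collections import Counter

# Assumed allowlist of networks permitted to reach the SMA web interface:
# an admin VLAN and the egress range of a ZTNA broker/connector. These are
# placeholders for the example, not values from the article or from Quest.
ALLOWED_ADMIN_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),  # admin VLAN
    ipaddress.ip_network("10.99.1.0/28"),  # ZTNA connector egress
]

# Parser for the common combined log format (client, user, timestamp, request,
# status, size). The appliance's own log layout may differ; adjust the regex.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (placeholder paths, documentation IP ranges);
# not traffic captured from any real incident.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Mar/2026:09:14:02 +0000] "GET /admin/login HTTP/1.1" 200 5120
10.20.0.15 - - [02/Mar/2026:09:14:09 +0000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.23 - - [02/Mar/2026:09:21:44 +0000] "GET / HTTP/1.1" 200 1822
198.51.100.23 - - [02/Mar/2026:09:21:45 +0000] "POST /api/example HTTP/1.1" 500 0
203.0.113.77 - - [02/Mar/2026:09:30:01 +0000] "GET /admin/login HTTP/1.1" 200 5120
10.99.1.4 - - [02/Mar/2026:10:02:17 +0000] "GET /admin/ HTTP/1.1" 200 9900
garbage line that does not parse
"""


def is_allowed_source(src: str) -> bool:
    """True if src is an IP address inside one of the allowed admin networks.
    Anything that is not a valid IP (a hostname, a corrupt field) is treated
    as not allowed, so the audit fails closed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_ADMIN_SOURCES)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_exposure(log_text: str) -> Counter:
    """Count requests per source address that came from outside the allowlist.
    A non-empty result means the appliance is reachable from networks it should
    be hidden from, i.e. the segmentation in front of it has a gap."""
    unexpected = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, never silently trusted
        if not is_allowed_source(rec["src"]):
            unexpected[rec["src"]] += 1
    return unexpected


def nftables_allowlist(port: int = 443) -> str:
    """Render an nftables ruleset that enforces the same allowlist on a gateway
    or on the host in front of the appliance: the SMA web port is accepted only
    from ALLOWED_ADMIN_SOURCES and every other inbound connection is dropped."""
    nets = ", ".join(str(n) for n in ALLOWED_ADMIN_SOURCES)
    return (
        "table inet sma_guard {\n"
        f"  set admin_sources {{ type ipv4_addr; flags interval; elements = {{ {nets} }} }}\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        f"    ip saddr @admin_sources tcp dport {port} accept\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    hits = audit_exposure(SAMPLE_LOG)
    if hits:
        print("Requests from outside the admin allowlist (exposure detected):")
        for src, n in hits.most_common():
            print(f"  {src}: {n} request(s)")
    else:
        print("No requests from outside the admin allowlist.")
    print("\nnftables rules that would enforce the allowlist:\n")
    print(nftables_allowlist())
```

Run against the constructed sample, the audit reports two sources outside the allowlist (198.51.100.23 and 203.0.113.77), which is precisely the evidence that the appliance was discoverable by public scanners. The rendered ruleset implements the microsegmentation bullet literally: only the web port, only from the named admin and ZTNA ranges, everything else dropped by default. Pointing the same audit at real logs, with the allowlist and regex adapted to the environment, is a quick way to verify that a ZTNA rollout actually removed the appliance from the public internet rather than merely adding a second door.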

The forced evolution of digital hygiene

The current campaign against Quest KACE SMA users is not an isolated case but part of a broader trend of targeting infrastructure-management software (RMM/SMA). For cybercriminals this is the most profitable class of target: one successful exploit lets them infect thousands of endpoint machines. Organizations must stop treating patching as an optional or secondary process. For a CVSS 10.0 flaw, a response time measured in days is already too slow.

It is reasonable to expect that in the coming months we will see more vulnerabilities of this kind in other popular enterprise systems. The only effective defense is to assume that every application may be vulnerable and to wrap it in layers that deny access to anyone without explicit authorization. The era of the "trusted internal network" is definitively over, and this year's attacks on SMA are the starkest proof of that.
