Key Findings CVE-2025-32975 is a critical authentication bypass vulnerability in Quest KACE SMA with a maximum CVSS score of 10.0 An unpatched instance at managed services provider HIQ was exploited to compromise over 60 downstream organizations across law enforcement, healthcare, education, and government The attacker left a 308 MB toolkit and 512 MB database dump publicly accessible on an unprotected HTTP server for three days Over 12,000 internet-facing KACE appliances are