Quest KACE SMA Critical Vulnerability CVE-2025-32975 Exposes 60 Organizations to Directory Traversal Attacks
- May 13
- 2 min read
Key Findings
CVE-2025-32975 is a critical authentication bypass vulnerability in Quest KACE SMA with a maximum CVSS score of 10.0
An unpatched instance at managed services provider HIQ was exploited to compromise over 60 downstream organizations across law enforcement, healthcare, education, and government
The attacker left a 308 MB toolkit and 512 MB database dump publicly accessible on an unprotected HTTP server for three days
Over 12,000 internet-facing KACE appliances are running vulnerable versions, including those hidden on non-standard ports
The compromise demonstrates significant supply chain risk where clients had no control over the security failures of their MSP
Background
Quest KACE Systems Management Appliance is a centralized endpoint management platform used by IT teams to deploy software, manage patches, and control devices across their organizations. Its role as a central console makes it a high-value target, because a single compromise can expose every managed endpoint across multiple client networks. The vulnerability in question is an authentication bypass in KACE SMA's SSO authentication handling that allows unauthenticated attackers to impersonate any user, including administrators, without supplying credentials. Quest released a patch in May 2025, but by March 2026, attackers were actively exploiting unpatched instances.
The Breach
Attackers compromised HIQ, a managed services provider handling IT for dozens of organizations in the Boston area. Using the authentication bypass to gain initial access to their unpatched KACE appliance, the attackers gained complete visibility into HIQ's entire customer base and operations. Rather than covering their tracks, they staged their complete toolkit on a server with no password protection on the directory structure. Hunt.io's scanning infrastructure discovered the exposed materials within three days.
The Toolkit and Scope
The exfiltrated data included a 308 MB toolkit spanning 219 files with a complete intrusion lifecycle. The toolkit contained reverse shells, a bidirectional command-and-control file server, account creation utilities, SMB credential sprayers, WMI reconnaissance tools, and a custom TCP-multiplexed SOCKS5 tunnel for persistent network access. The attackers also extracted a 512 MB MariaDB database dump containing the complete operational picture of HIQ's business, including staff accounts, client lists, and helpdesk tickets describing work performed at police departments, schools, healthcare organizations, and local government agencies.
The Supply Chain Risk
The exfiltrated data revealed managed endpoints for over 60 named client organizations. None of these organizations had any direct relationship with KACE SMA or knowledge of HIQ's infrastructure choices. They were simply clients of the compromised MSP. The breach exposed organizations across law enforcement, government, healthcare, education, and the private sector to attackers who had gained administrator-level access through a vulnerability they did not create and could not control. Traces in the toolkit also point to at least two other victims beyond HIQ, including hardcoded credentials for an Indonesian insurance company that were harvested in previous compromises and reused for lateral movement.
The Wider Exposure
Hunt.io's scan data reveals more than 12,000 KACE K1000 appliances currently internet-facing and disclosing version strings that predate the May 2025 patch. These vulnerable instances are accessible across standard and non-standard ports, meaning that attempting to hide the appliance on a non-standard port provides no meaningful protection. The scale of exposure suggests that this vulnerability has likely been exploited well beyond the single known MSP breach, with additional compromises potentially remaining undiscovered.
Sources
https://securityaffairs.com/192067/security/quest-kace-sma-flaw-cve-2025-32975-when-one-unpatched-tool-opens-the-door-to-60-organizations.html
https://x.com/Huntio/status/2054252496407650621
https://www.reddit.com/r/pwnhub/comments/1tb900u/cve202532975_the_open_directory_behind_the_kace/

Comments