CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-32975

CVSS 10.0v3.1pub. 2025-06-24upd. 2026-04-21

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

🤖 AI Analysis
How it works

The vulnerability (CWE-287 — improper authentication) lies in the SSO (Single Sign-On) authentication handling mechanism. An attacker, remotely and without any privileges or user interaction, can craft a request that will be incorrectly treated by the system as coming from an authenticated user. As a result, the attacker is able to successfully impersonate any user, including an administrator, without knowing their password or other authentication credentials.

Impact

An attacker can obtain full administrative privileges over the KACE SMA device, which consequently gives them control over managed IT resources — complete takeover of infrastructure management system (compromise of confidentiality, integrity, and availability).

Mitigation & patch

Quest KACE SMA must be immediately updated to version: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5) or 14.1.101 (Patch 4) in accordance with the vendor's advisory available at: https://support.quest.com/kb/4379499. Until the patch is applied, it is recommended to restrict access to the management interface only to trusted networks.

Who is affected

Quest KACE Systems Management Appliance (SMA) in versions: 13.0.x prior to 13.0.385, 13.1.x prior to 13.1.81, 13.2.x prior to 13.2.183, 14.0.x prior to 14.0.341 (Patch 5), and 14.1.x prior to 14.1.101 (Patch 4)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Quest Kace Systems Management Appliance

    APP
    Quest
    13.0 – 13.0.385 (bez)13.1 – 13.1.81 (bez)13.2 – 13.2.183 (bez)14.0 – 14.0.341 (bez)14.1 – 14.1.101 (bez)

CISA KEV — detailsi

Vendori
Quest
Producti
KACE Systems Management Appliance (SMA)
Added to KEVi
April 20, 2026
Remediation deadline (US Federal)i
May 4, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 maja 2026
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2022-29807CRITICAL9.8ten sam produkt

A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that ca...

CVE-2022-30285CRITICAL9.8ten sam produkt

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authenticat...

CVE-2019-12918CRITICAL9.8ten sam produkt

Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affe...

CVE-2017-12567CRITICAL9.8ten sam produkt

SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appli...

CVE-2022-29808HIGH7.5ten sam produkt

In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when applia...