Critical Quest KACE SMA flaw exploited after 10 months

The critical vulnerability CVE-2025-32975 (CVSS 10.0) in Quest KACE SMA is an authentication bypass flaw allowing unauthenticated attackers to impersonate any user, including administrators. Affected versions are KACE SMA 13.0 through 13.0.384, 13.1 through 13.1.80, 13.2 through 13.2.182, 14.0 through 14.0.340, and 14.1 through 14.1.100. The fixed versions are 13.0.385, 13.1.81, 13.2.183, 14.0.341, and 14.1.101.
Patch/Configuration Management
May 14, 2026, by SC Staff

Quest KACE SMA, an endpoint management platform, has been targeted by attackers exploiting CVE-2025-32975, a severe authentication bypass vulnerability, according to a report by Hunt.io. This flaw, with a CVSS score of 10.0, allows unauthenticated attackers to impersonate users, including administrators, without credentials. The exploitation highlights the significant risks associated with unpatched systems in enterprise environments, with further coverage provided by Security Affairs.

The critical vulnerability CVE-2025-32975 in Quest KACE Systems Management Appliance (SMA) was actively exploited on systems that had gone unpatched for 10 months after the fix was released in May 2025. The flaw enabled attackers to bypass authentication and gain access to the appliance. In one documented incident, attackers compromised a managed services provider (MSP), HIQ, which managed IT for over 60 organizations across sectors including law enforcement, healthcare, and education. The attackers exfiltrated a 512 MB database dump containing sensitive information about HIQ's clients and operations. The toolkit used by the attackers included tools for reverse shells, command and control, account creation, credential spraying, reconnaissance, and establishing persistent network access.

This incident underscores the supply chain risk posed by unpatched vendor software: the downstream organizations were impacted even though they did not run the vulnerable KACE SMA system themselves. Researchers identified over 12,000 internet-facing KACE 1000 appliances potentially vulnerable due to outdated versions.
Source: Security Affairs
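As an added example (not from the article, SC Media or Quest), the following Python routine checks an inventory of KACE SMA version strings against the affected and fixed builds the article lists, so appliances still exposed to the bypass can be found before they are reached from the internet; the {name: version} inventory format and the sample hosts are constructed assumptions.

```python
from __future__ import annotations

# Added example, not Quest code. Fixed build per affected branch, as stated in the
# article: 13.0.385, 13.1.81, 13.2.183, 14.0.341, 14.1.101. Every build of a branch
# below its fixed build is affected (e.g. "13.0 through 13.0.384").
FIXED_BUILD = {(13, 0): 385, (13, 1): 81, (13, 2): 183, (14, 0): 341, (14, 1): 101}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.build]'; a missing build means build 0 ('13.0' == 13.0.0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    build = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, build


def classify(version: str) -> tuple[str, str | None]:
    """Return (status, fixed_version): status is 'affected', 'fixed' or 'not_listed'.

    'not_listed' means the branch is absent from the advisory text quoted above
    (e.g. 12.x or 14.2): verify it with the vendor rather than assuming it is safe.
    """
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        return "not_listed", None
    fixed_version = f"{major}.{minor}.{fixed}"
    return ("affected" if build < fixed else "fixed"), fixed_version


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group appliance names from a {name: version} inventory by status."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "not_listed": []}
    for name, version in inventory.items():
        groups[classify(version)[0]].append(name)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; the names and versions are not real hosts.
    sample = {"kace-hq": "13.2.182", "kace-dc2": "14.1.101",
              "kace-lab": "14.0", "kace-old": "12.1.155"}
    for status, names in triage(sample).items():
        print(f"{status}: {', '.join(names) or '-'}")
```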