CISA added CVE-2025-32975 to its Known Exploited Vulnerabilities catalog on April 20, 2026, formalizing what incident responders have been tracking for six weeks: an unauthenticated attacker can impersonate any user — including full administrators — on any internet-reachable Quest KACE Systems Management Appliance (SMA) that hasn’t taken Quest’s May 2025 hotfix. CVSS 10.0. Pre-auth. Federal civilian agencies have until May 4, 2026 to patch. Everyone else should treat that deadline as optimistic.
KACE SMA is not a niche box. It is an endpoint management platform — the thing that pushes your software, runs your remote commands, inventories your fleet, and holds the credentials that let it do all three. Compromising the appliance is functionally equivalent to compromising every endpoint under it.
The Bug
The flaw lives in the appliance’s SSO authentication handler. During SSO processing, the application fails to adequately validate session state and the authenticity of identity assertions — an attacker can forge a request that the backend accepts as a legitimate authenticated session for an arbitrary user, including a domain-admin-equivalent KACE administrator. No credentials, no MFA prompt, no initial foothold required. The weakness is classified as CWE-287 (Improper Authentication) and the CVSS vector is the clean sweep you only see when nothing else goes right for the defender: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- CVE: CVE-2025-32975
- CVSS 3.1: 10.0 (Critical)
- CWE: CWE-287 — Improper Authentication
- Attack vector: Network, pre-authentication
- Affected: KACE SMA 13.0.x before 13.0.385; 13.1.x before 13.1.81; 13.2.x before 13.2.183; 14.0.x before 14.0.341 Patch 5; 14.1.x before 14.1.101 Patch 4
- Fixed: Quest issued hotfixes in May 2025; see the Quest KB 4379499 response for the full set (CVE-2025-32975 through CVE-2025-32978)
Worth noting: Quest’s advisory bundled four CVEs. 32975 is the crown jewel, but 32976–32978 are also worth reviewing if you have to justify a scheduled reboot window.
Why It’s On The KEV Catalog Now
Public disclosure landed on Full Disclosure in June 2025, roughly a month after Quest’s hotfix. Starting the week of March 9, 2026, multiple incident response firms began reporting intrusions that traced back to unpatched, internet-exposed KACE SMA appliances. By the time The Hacker News and SecurityWeek picked up the story in late March, the post-exploitation tradecraft had a consistent shape:
- Impersonate an admin via the SSO endpoint — no noisy brute force, no credential stuffing, just a crafted request.
- Use KACE’s own scripting and software distribution features to execute commands on managed endpoints. This is the elegant part: the attacker doesn’t need a new C2; they run their commands through the tool the defender uses to run commands.
- Create additional administrative accounts for persistence in case the original intrusion path gets patched out from under them.
- Drop credential theft tooling, including Mimikatz, to harvest cached credentials from the appliance host and pivot.
- Enumerate, then move laterally across the domain using the credentials they just collected and the managed-endpoint inventory KACE handed them for free.
CISA doesn’t add CVEs to KEV without evidence. The April 20 listing is the government confirming what the private sector has been seeing — and the May 4 federal deadline is unusually tight, coming less than two weeks after the add. That’s a signal, not a suggestion.
Who’s Affected
If you run on-prem KACE SMA and have any of the affected versions, you are affected. The actively exploited population is the subset that’s internet-reachable: any appliance whose web console responds to unauthenticated requests from the public internet. Shadowserver and Censys scans over the past several weeks have identified a non-trivial number of exposed appliances across North America and Europe.
Cloud-hosted KACE Cloud (the SaaS product) is managed by Quest and is not in scope. Customers who restricted the admin interface to VPN-only access last year are in much better shape, though not off the hook — a compromised internal host can still reach the appliance.
What To Do Right Now
Patch immediately if you haven’t already. The target versions are 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, or 14.1.101 Patch 4 — whichever matches your current branch. Quest shipped these in May 2025, so by now your change-control arguments against installing them have run out.
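As an added example (not code from the article, Quest, or CISA), the following Python script turns the affected/fixed version list in the advisory summary above and the target versions in the patching step into a triage check over an appliance inventory. The inventory is constructed for illustration; version strings are assumed to follow the `14.0.341 Patch 5` notation used on this page (the short `P5` form is accepted as a convenience and is an assumption). Any branch the advisory does not list is reported as unlisted rather than safe, because the page only states fix levels for 13.0 through 14.1.

```python
import re
from typing import Dict, List, Tuple

# First fixed (build, patch) per branch, transcribed from the advisory summary:
# 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, 14.1.101 Patch 4.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (13, 0): (385, 0),
    (13, 1): (81, 0),
    (13, 2): (183, 0),
    (14, 0): (341, 5),
    (14, 1): (101, 4),
}

# Assumed version syntax: "major.minor.build", optionally followed by
# "Patch N" (as on this page) or the shorthand "PN".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch|P)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a KACE SMA version string into (major, minor, build, patch)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised KACE SMA version string: {text!r}")
    major, minor, build, patch = m.groups()
    return int(major), int(minor), int(build), int(patch or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string.

    A build below the branch's fix level, or the fixed build with a lower
    patch number, is vulnerable. Branches the advisory does not mention are
    reported as 'unlisted' so nobody reads silence as safety.
    """
    major, minor, build, patch = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "vulnerable" if (build, patch) < fixed else "fixed"


# Constructed inventory: (hostname, reported version, console reachable from the internet?)
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("kace-dmz-01", "14.0.341", True),          # fixed build but no Patch 5 -> vulnerable, exposed
    ("kace-hq-01", "13.2.182", False),          # vulnerable, VPN-only
    ("kace-hq-02", "14.1.101 Patch 4", False),  # at the fix level
    ("kace-lab-01", "12.1.169", False),         # branch not covered by the advisory
    ("kace-lab-02", "build-unknown", False),    # unparseable, needs a manual look
]


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Bucket appliances by the action the advisory calls for.

    assume_compromise: vulnerable and internet-reachable (patch and hunt)
    patch:             vulnerable but not internet-reachable
    fixed:             at or above the fix level
    review:            version unparseable or branch not listed in the advisory
    """
    report: Dict[str, List[str]] = {
        "assume_compromise": [], "patch": [], "fixed": [], "review": []
    }
    for host, version, exposed in inventory:
        try:
            status = assess(version)
        except ValueError:
            report["review"].append(host)
            continue
        if status == "vulnerable":
            report["assume_compromise" if exposed else "patch"].append(host)
        elif status == "fixed":
            report["fixed"].append(host)
        else:
            report["review"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:18s} {', '.join(hosts) or '-'}")
```

The ordering comparison on `(build, patch)` is what makes `14.0.341` vulnerable while `14.0.341 Patch 5` and `14.0.342` are not; a plain string comparison or a build-only check would get that case wrong.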
Assume compromise on any internet-exposed, unpatched appliance. Post-exploitation in this campaign is quiet enough that log-based triage alone is not sufficient. Look specifically for: unexpected administrator accounts in the KACE user store; scripting or distribution jobs you didn’t schedule; outbound connections from the appliance host to unfamiliar IPs; and Mimikatz or other credential-dumping indicators on the underlying OS.
Lock down access to the management interface. There is no business reason the KACE SMA admin console needs to be reachable from the public internet. Put it behind a VPN, restrict source IPs at the firewall, and if your SSO integration allows, require step-up authentication for privileged roles.
Rotate credentials that the appliance had access to — any service accounts used for endpoint agents, software distribution, or LDAP integration. If the attacker had admin, they had those too.
CISA’s KEV entry is one of eight additions on April 20, which also include flaws in Cisco Catalyst SD-WAN Manager, Synacor Zimbra, Kentico Xperience, JetBrains TeamCity, and PaperCut NG/MF. The Cisco and Zimbra bugs have an even tighter April 23 deadline. If you run infrastructure on any of these platforms, this week’s patching queue is not optional.