Quest KACE SMA Authentication Bypass Vulnerability CVE-2025-32975
Summary
CISA added CVE-2025-32975 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Quest KACE Systems Management Appliance versions 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4). The flaw is an authentication bypass in the SSO authentication handling mechanism allowing attackers to impersonate legitimate users without valid credentials, enabling complete administrative takeover. The CVSS score is 10.0 (CRITICAL) and SSVC classification is active exploitation, automatable, with total technical impact.
“Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials.”
What changed
CISA catalogued CVE-2025-32975 as a Known Exploited Vulnerability, signalling active exploitation of a critical authentication bypass in Quest KACE Systems Management Appliance. The vulnerability carries a CVSS 3.1 score of 10.0 (CRITICAL) with every base metric at its worst value: network-accessible, low attack complexity, no privileges required, no user interaction needed, changed scope, and high confidentiality, integrity, and availability impact.
Organizations running affected Quest KACE SMA versions should prioritize patching to the specified patch levels. Inclusion in the CISA KEV catalog indicates evidence of active exploitation in the wild, which may trigger compliance obligations under federal cybersecurity directives for government-connected systems.
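The affected version ranges above are the practical input for a patch-status check. The following is an added example, not code from the page, Quest, or CISA: it encodes the five branch-to-first-fixed-build pairs stated in the record and classifies appliance version strings against them. It assumes the version string follows the major.minor.build form used on this page (an optional trailing "(Patch N)" annotation is ignored). A branch the record does not list (for example 12.x) is reported as unlisted rather than fixed, because the record makes no statement about it.

```python
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the CVE-2025-32975 record: each listed
# major.minor branch maps to the first fixed build in that branch.
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (13, 0): 385,   # 13.0.x before 13.0.385
    (13, 1): 81,    # 13.1.x before 13.1.81
    (13, 2): 183,   # 13.2.x before 13.2.183
    (14, 0): 341,   # 14.0.x before 14.0.341 (Patch 5)
    (14, 1): 101,   # 14.1.x before 14.1.101 (Patch 4)
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' (assumed format), ignoring a trailing
    annotation such as ' (Patch 5)'. Raises ValueError on anything else."""
    token = version.strip().split()[0] if version.strip() else ""
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build, got {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range from the record,
    False if it is at or above the first fixed build of a listed branch,
    None if the branch is not mentioned in the record at all."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build < fixed


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group hosts by status so the affected list can be handed to the
    patching queue and the unlisted list to manual review."""
    report: Dict[str, List[Tuple[str, str]]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unlisted" if status is None else ("affected" if status else "fixed")
        report[key].append((host, version))
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "kace-prod-01": "14.0.340",
    "kace-prod-02": "14.0.341 (Patch 5)",
    "kace-lab-01": "13.2.150",
    "kace-lab-02": "12.1.169",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        for host, version in hosts:
            print(f"{status:9} {host:14} {version}")
```

The check compares only the numeric build within a listed branch; the "(Patch N)" labels on the page are the vendor's names for those builds, so a 14.0.341 appliance is treated as Patch 5 regardless of whether the annotation is present in the inventory string.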
Archived snapshot
Apr 21, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: MITRE Corporation
Updated: 2025-06-24
Description
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Product Status
Information not provided
References 3 Total
- https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
- https://seclists.org/fulldisclosure/2025/Jun/22
- https://seralys.com/research/CVE-2025-32975.txt
CVE Program
References 1 Total
Authorized Data Publishers
CISA-ADP
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-04-20 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975 (2026-04-20)
CWE 1 Total
- CWE-287: Improper Authentication
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 10.0 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
About this page
Source document text, dates, docket IDs, and authority are extracted directly from MITRE.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.