CVSS 10.0 flaw in systems management appliance confirmed under active attack.
CISA added CVE-2025-32975 to its Known Exploited Vulnerabilities catalog on 2026-04-20, confirming active exploitation. The vulnerability is a critical (CVSS 10.0) authentication bypass in Quest KACE Systems Management Appliance affecting versions 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4). Exploitation occurs through the SSO authentication handling mechanism and enables complete administrative takeover without valid credentials. Because the flaw is now a KEV catalog entry, it falls under Binding Operational Directive 22-01, which requires federal civilian agencies to remediate it.
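The affected ranges above are branch-specific, so a naive "is my version below 14.1.101?" check gets 13.x and 14.0.x builds wrong. The following triage helper, added here as an illustration and not tooling from Quest or CISA, encodes the fixed builds exactly as the advisory lists them and compares an installed version against the fixed build for its own branch. It assumes a version string of dotted integers with an optional "(Patch N)" suffix and treats branches the advisory does not mention as unknown rather than safe; the inventory at the bottom is constructed sample data.

```python
"""Triage helper for CVE-2025-32975 in Quest KACE SMA.

Added example, not vendor or CISA tooling. The fixed-build table is
transcribed from the advisory text; the version-string format and the
sample inventory are assumptions for illustration.
"""
from __future__ import annotations

# Fixed builds per branch, from the advisory: anything in the branch
# below the listed build is inside the affected range.
FIXED_BUILDS: dict[str, tuple[int, int, int]] = {
    "13.0": (13, 0, 385),
    "13.1": (13, 1, 81),
    "13.2": (13, 2, 183),
    "14.0": (14, 0, 341),   # 14.0.341 is "Patch 5" in the advisory
    "14.1": (14, 1, 101),   # 14.1.101 is "Patch 4" in the advisory
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.0.341' or '14.0.341 (Patch 5)' into (14, 0, 341).

    Assumed format: dotted integers, optionally followed by a space and a
    free-text label. Anything else raises ValueError so a bad inventory
    entry is surfaced instead of silently scored as safe.
    """
    core = text.strip().split(" ", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool | None:
    """True  -> inside an advisory-listed affected range.
    False -> at or above the fixed build for its branch.
    None  -> branch not covered by the advisory (do not assume safe).
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return v[:3] < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> one of 'affected', 'fixed', 'unknown-branch', 'unparseable'."""
    report: dict[str, str] = {}
    for host, version in inventory.items():
        try:
            status = is_affected(version)
        except ValueError:
            report[host] = "unparseable"
            continue
        report[host] = {True: "affected", False: "fixed", None: "unknown-branch"}[status]
    return report


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "kace-prod-01": "14.0.340",
    "kace-prod-02": "14.0.341 (Patch 5)",
    "kace-lab-01": "13.1.80",
    "kace-lab-02": "13.2.183",
    "kace-legacy": "12.1.5",
    "kace-broken": "14.x",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:22} {status}")
```

Feed the helper the version strings from your appliance inventory rather than guessing from the major version alone; the `unknown-branch` and `unparseable` outcomes are deliberately distinct from `fixed` so they can be chased down by hand.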
Sources
CISA KEV: CVE-2025-32975 Critical Auth Bypass in KACE SMA
More from Data Privacy & Cybersecurity
JPCERT Warns of Active Exploitation of Cisco ASA, FTD Flaws
JPCERT/CC confirmed active exploitation of CVE-2025-20333 and CVE-2025-20362 in Cisco ASA and Firewall Threat Defense software. Attackers are chaining these flaws to achieve unauthorized access and arbitrary code execution on affected devices with VPN web services enabled.
April 27, 2026
NCSC Warns Active Exploitation of Cisco Firewall Management Center Vulnerability
The NCSC issued an advisory for CVE-2026-20131, a critical Cisco Secure Firewall Management Center vulnerability being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary Java code as root through insecure deserialization in the web management interface.
April 27, 2026
CISA and CSIRT-ITA Flag Samsung MagicINFO Exploitation Wave
The Bureau of Industry and Security charged four companies in seven days for exporting controlled technology to Chinese end-users. The cluster suggests an enforcement push targeting semiconductor-adjacent supply chains rather than isolated violations.
April 27, 2026
Czech DPA Fines Avast 351M CZK for Unlawful Data Transfers
The Czech data protection authority fined Avast 351 million CZK for transferring pseudonymized browsing histories tied to unique identifiers from approximately 100 million users to its Jumpshot subsidiary despite claims of anonymization. The decision, final and binding, marks one of the larger GDPR penalties issued against a major technology company.
April 27, 2026