Arctic Wolf has detected suspicious activity in client networks that appears tied to the exploitation of CVE-2025-32975, a critical authentication bypass flaw affecting unpatched Quest KACE Systems Management Appliance (SMA) instances exposed to the internet.
KACE SMA is an on-premises tool used for centralized endpoint management, including asset inventory, software distribution, patching, and monitoring.
CVE-2025-32975, which Quest patched in May 2025, allows unauthenticated threat actors to impersonate legitimate users, potentially leading to full administrative takeover of the appliance.
According to Arctic Wolf, attackers appear to have exploited CVE-2025-32975 to gain initial access to a system, after which they achieved administrative control.
There do not seem to be any other reports describing potential exploitation of this security hole.
The cybersecurity firm found no signs that three related vulnerabilities (CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978), also addressed in May 2025, were involved in the observed incidents.
The activity observed by Arctic Wolf likely began in early March 2026. It’s unclear who is behind the attack and what their goal is.
“At this time, we are unable to provide additional details regarding the attacker or their motivation. Although some affected customers were in the education sector in different regions, we do not have sufficient data to determine whether this sector was specifically targeted,” Arctic Wolf Labs told SecurityWeek.
It added, “Given that the exploitation involved an internet-exposed appliance, it was likely opportunistic.”
Organizations still running outdated Quest KACE SMA versions are urged to apply the available patches immediately to prevent intrusions.
