Maximum-Severity Quest KACE SMA Exploitation Campaign Signals Internet-Exposed Admin Tools as Prime Targets

Threat actors are actively exploiting CVE-2025-32975, a critical remote code execution flaw in Quest KACE Systems Management Appliance (SMA), against unpatched internet-exposed instances since March 2026. SMA is enterprise-grade IT infrastructure management software, making compromises particularly damaging.

Sebastion

CVE References

Affected

Quest KACE Systems Management Appliance (SMA)

Summary

Arctic Wolf has documented active exploitation of CVE-2025-32975 (CVSS 10.0) against unpatched Quest KACE SMA instances beginning the week of March 9, 2026. The vulnerability appears to enable remote code execution on internet-exposed appliances, representing a maximum-severity threat to organizations using SMA for IT operations and systems management.

Technical and Operational Impact

Quest KACE SMA is deployed across enterprises as a centralized platform for patch management, asset inventory, and system administration, which makes it a prized target for sophisticated threat actors. A CVSS 10.0 score indicates unauthenticated remote code execution with no user interaction required. The fact that exploitation is occurring in the wild against internet-exposed instances suggests the vulnerability is either trivially easy to exploit or exploit code is publicly available. Organizations that exposed their management appliances to the internet (a regrettably common misconfiguration) are at particular risk.

Defender Actions and Urgency

Any organization running Quest KACE SMA should immediately: (1) assume breach if the appliance is internet-exposed, (2) apply patches as soon as they become available, (3) conduct post-exploitation forensics on systems contacted by SMA after March 9, 2026, and (4) segment SMA behind VPN or air-gap it from direct internet access. The one-week delay between exploitation starting and public awareness suggests a coordinated campaign rather than opportunistic scanning, indicating targeted reconnaissance may have preceded exploitation.

Broader Implications

This incident reflects a persistent industry pattern: enterprise management tools remain tragically exposed to the internet despite their privileged access to infrastructure. SMA typically has the credentials and rights to patch systems fleet-wide, making it a force multiplier for attackers. The active exploitation timeline also underscores the gap between vulnerability discovery and patching in real-world environments—critical infrastructure is being compromised while patches are still being prepared or deployed. Organizations should assume that any maximum-severity flaw in exposed admin tools will be exploited within days, not weeks.