Cybersecurity experts warn that attackers are exploiting CVE-2025-32975 in Quest KACE SMA to hijack admin accounts on unpatched systems. The campaign involves credential theft, remote command execution and lateral movement, highlighting urgent risks from internet-exposed infrastructure.

‘Cyber Attack Uncovered’: Admin Accounts Hijacked via CVE-2025-32975 in Quest KACE SMA

The420 Web Desk

Cybersecurity experts have warned that threat actors are exploiting a critical vulnerability in Quest KACE Systems Management Appliance (SMA), CVE-2025-32975 (CVSS 10.0), to gain control over unpatched systems. This flaw, patched in May 2025, allows attackers to bypass authentication for administrative accounts and log in as legitimate users.

According to Arctic Wolf’s recent reports, malicious activity consistent with CVE-2025-32975 exploitation was observed starting the second week of March 2026. Internet-exposed SMA instances were primarily targeted. While the end goal of the attack remains unclear, preliminary investigations indicate that attackers took over administrative accounts and executed remote commands to download Base64-encoded payloads from server 216.126.225[.]156.


Administrative Takeover Through Legitimate Tools

Experts noted that attackers leveraged the “runkbot.exe” process to create additional administrative accounts. This background process is associated with the SMA Agent and is used to run scripts and manage installations. Furthermore, PowerShell scripts were used to modify Windows Registry entries, likely to establish persistence or alter system configurations.

Other malicious activities observed include:

  • Credential Theft: Using Mimikatz to extract login details.
  • Discovery and Reconnaissance: Enumerating logged-in users and admin accounts, executing “net time” and “net group” commands.
  • Remote Access: Gaining RDP access to backup infrastructure such as Veeam and Veritas, as well as domain controllers.
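The behaviours listed above (runkbot.exe creating accounts, PowerShell registry changes, Mimikatz, net-based discovery, and downloads from the payload server) translate directly into hunting rules. The following is an added example written for this article, not Arctic Wolf's or Quest's detection content: it runs those rules over constructed Sysmon-style process-creation and network-connection records. The only indicator taken from the article is the payload server address; host names, account names, the registry value and the encoded command are all made up, and the `Event`/`Finding` structures are assumptions standing in for whatever telemetry schema a real SIEM uses.

```python
import base64
import re
from dataclasses import dataclass

# The one indicator taken from the article (shown there defanged as 216.126.225[.]156).
PAYLOAD_SERVER = "216.126.225.156"


@dataclass
class Event:
    """Minimal endpoint telemetry record (Sysmon-style process creation or network connection)."""
    kind: str            # "process" or "network"
    host: str
    image: str = ""      # executable name of the process
    parent: str = ""     # executable name of the parent process
    cmdline: str = ""
    dest_ip: str = ""    # only meaningful for kind == "network"


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts these prefixes).
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
REGISTRY_WRITE = re.compile(r"set-itemproperty|new-itemproperty|reg(?:\.exe)?\s+add\b")
NET_DISCOVERY = re.compile(r"\bnet1?\s+(?:time|group)\b")


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind PowerShell's -EncodedCommand (UTF-16LE base64), or ''."""
    for m in ENCODED_ARG.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
        except ValueError:  # binascii.Error is a ValueError: not base64, try the next candidate
            continue
    return ""


def hunt(events: list[Event]) -> list[Finding]:
    """Apply the behavioural rules to a batch of events and return everything that fired."""
    findings: list[Finding] = []
    for ev in events:
        if ev.kind == "network":
            if ev.dest_ip == PAYLOAD_SERVER:
                findings.append(Finding(ev.host, "payload_server_contact", f"{ev.image} -> {ev.dest_ip}"))
            continue
        image, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
        # 1. The SMA agent helper spawning a local account or group change (/add).
        if parent == "runkbot.exe" and image in ("net.exe", "net1.exe") and "/add" in cl:
            findings.append(Finding(ev.host, "runkbot_account_creation", ev.cmdline))
        # 2. Discovery commands named in the article: net time, net group.
        if image in ("net.exe", "net1.exe") and NET_DISCOVERY.search(cl):
            findings.append(Finding(ev.host, "discovery_net_command", ev.cmdline))
        # 3. PowerShell registry writes, including ones wrapped in an encoded command.
        if image == "powershell.exe":
            body = cl + " " + decode_encoded_command(ev.cmdline).lower()
            if REGISTRY_WRITE.search(body):
                findings.append(Finding(ev.host, "powershell_registry_modification", body.strip()))
        # 4. Mimikatz credential dumping, by image name or by its module syntax on the command line.
        if "mimikatz" in image or "sekurlsa::" in cl:
            findings.append(Finding(ev.host, "credential_dumping", ev.cmdline))
    return findings


# Constructed sample telemetry; host names, account name and registry value are made up.
_ENCODED = base64.b64encode(
    'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '-Name updater -Value "C:\\ProgramData\\u.exe"'.encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    Event("process", "KACE-MGD-01", "net.exe", "runkbot.exe",
          "net localgroup administrators helpdesk2 /add"),
    Event("process", "KACE-MGD-01", "powershell.exe", "runkbot.exe",
          f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    Event("process", "KACE-MGD-01", "net.exe", "cmd.exe", 'net group "Domain Admins" /domain'),
    Event("process", "KACE-MGD-01", "mimikatz.exe", "cmd.exe",
          'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    Event("network", "KACE-MGD-01", "powershell.exe", dest_ip=PAYLOAD_SERVER),
    # Benign noise that should not fire any rule.
    Event("process", "WS-042", "net.exe", "explorer.exe", r"net use Z: \\fileserver\share"),
    Event("process", "WS-042", "powershell.exe", "explorer.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

The parent-process condition in rule 1 is what makes it specific to this campaign rather than to every `net user /add` an administrator runs; the registry rule decodes `-EncodedCommand` before matching because a base64 wrapper otherwise hides `Set-ItemProperty` from plain string rules.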

Credential Theft and Lateral Movement

Cybersecurity specialists have advised administrators not to expose SMA instances to the internet and to immediately apply the latest patches. Secured versions include 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
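A fleet-wide check against those five fixed builds, added here as an example and not Quest's own tooling: the branch-to-build mapping is exactly the list in the sentence above, the inventory of appliances is constructed, and any version on a branch the article does not list is reported as unknown rather than guessed at.

```python
import re
from typing import Optional

# Fixed releases as listed in the advisory text above, keyed by major.minor branch.
FIXED_BUILDS = {
    (13, 0): 385,   # 13.0.385
    (13, 1): 81,    # 13.1.81
    (13, 2): 183,   # 13.2.183
    (14, 0): 341,   # 14.0.341 (Patch 5)
    (14, 1): 101,   # 14.1.101 (Patch 4)
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.build from strings such as '14.0.341' or '14.0.341 (Patch 5)'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(text: str) -> Optional[bool]:
    """True/False when the branch is one the advisory lists; None when it is not.

    A branch with no listed fixed build cannot be cleared by this check and
    should be treated as exposed until confirmed with the vendor."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build >= fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Label each appliance as patched, UNPATCHED, or on an unlisted branch."""
    labels = {True: "patched", False: "UNPATCHED", None: "unlisted branch"}
    return {name: labels[is_patched(version)] for name, version in inventory.items()}


# Constructed inventory; appliance names and versions are made up.
SAMPLE_INVENTORY = {
    "sma-hq":      "14.0.341 (Patch 5)",
    "sma-branch":  "13.2.182",
    "sma-lab":     "14.1.150",
    "sma-legacy":  "12.1.100",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {status}")
```

Compare on the numeric build, not on the string: "14.0.341" sorts after "14.0.35" lexically but a string comparison would get "14.0.1000" wrong, and the "(Patch N)" suffix must be ignored rather than compared.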

Unpatched Systems and Internet Exposure Increase Risk

Experts stress that such attacks are not limited to system control alone—they may also be used for data theft, lateral movement across networks, and establishing remote entry points. “Any administrative system lacking timely patching provides cybercriminals with a direct entry point,” Arctic Wolf noted in its blog.

For organizations adopting a cybersecurity-first approach, this incident serves as a stark warning about the dangers of running outdated, unpatched systems exposed to the internet. Credential monitoring, registry monitoring, and remote command logging are crucial defenses that should be implemented immediately.

A Wake-Up Call for Enterprise Cybersecurity

Quest KACE SMA users are also advised to regularly check agent and backup services and report any unusual activity promptly. Failure to do so could give attackers continued access to administrative accounts and backup data.

Cybersecurity professionals emphasize that preventing such attacks in the future requires stronger patch management, network segmentation, and stricter access controls. Regular cybersecurity training for employees and IT teams is also critical to mitigate risks from social engineering and malware attacks.
