CISA has added CVE‑2025‑32975 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Quest’s KACE Systems Management Appliance (SMA) and is listed as the Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability. In short, the vulnerability allows attackers to impersonate legitimate users without needing valid credentials.
The issue is an improper authentication weakness that can be exploited remotely and leads to full compromise of the affected appliance. It carries a CVSS v3.1 base score of 10.0, rated CRITICAL. At present, no patch has been released, and the vendor has not disclosed a remediation timeline.
Active exploitation has been observed, which is why the entry was added to KEV. There is no publicly known use of this vulnerability in ransomware campaigns. Federal civilian executive branch (FCEB) agencies must apply mitigations by the CISA remediation due date of 4 May 2026.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While this directive binds FCEB agencies, all organisations should review their exposure to Quest KACE SMA and implement any available mitigations promptly.
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-32975 and the CISA KEV catalogue.