www.securityweek.com 3/21/2026, 11:13:26 AM · via preferred

Critical Quest KACE Vulnerability Potentially Exploited in Attacks

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

SecurityWeek reports that the education sector may be targeted via CVE-2025-32975, a critical authentication bypass flaw in unpatched Quest KACE Systems Management Appliance (SMA) instances exposed to the internet. Arctic Wolf has detected suspicious activity in client networks that appears tied to exploitation of this flaw, with the cybersecurity firm noting that attackers could gain initial access and achieve administrative control.

Quest patched CVE-2025-32975 in May 2025, and authorities say the observed incidents did not involve three related vulnerabilities also addressed at that time. The activity likely began in early March 2026, and according to Arctic Wolf Labs, it is unclear who is behind the attack or their motivation, though the exploitation involved an internet-exposed appliance and was described as likely opportunistic.

Organisations still running outdated Quest KACE SMA versions are urged to apply the available patches immediately to prevent intrusions, SecurityWeek notes, with some affected customers located in the education sector in different regions but no definitive evidence that this sector was specifically targeted.

21 March 2026.

Article by CyberSIXT
