www.cisa.gov 4/21/2026, 12:59:05 AM · via preferred

Quest KACE SMA flaw lets attackers bypass authentication

CyberSIXT Evidence Panel: source marked as original reporting
CISA KEV: listed in KEV
Patch: patch status unknown

According to CISA's Known Exploited Vulnerabilities Catalog, CVE-2025-32975 concerns the Quest KACE Systems Management Appliance (SMA) and is described as an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials. The entry notes related CWE-287 and states that it is unknown whether it has been used in ransomware campaigns.

Date Added is 20 April 2026 and the Due Date is 4 May 2026, with guidance to apply vendor mitigations, follow BOD 22-01 for cloud services, or discontinue use if mitigations are unavailable. The KEV page further provides links to Quest’s response and to the NVD entry for CVE-2025-32975. This item is listed under Quest with the vulnerability affecting the KACE SMA product, and the page offers formats such as CSV and JSON for download.
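For teams tracking the remediation deadline, the sketch below is an added example (not code from CISA or CyberSIXT) that matches KEV records against an asset inventory and reports days remaining until each due date. It assumes the field names of the KEV JSON download (`cveID`, `vendorProject`, `product`, `dueDate`, `cwes`); the product string, the second record, and the inventory hosts are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Dates, CWE and
# ransomware status for CVE-2025-32975 come from the summary above; the
# product string and the second record are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest",
     "product": "KACE Systems Management Appliance (SMA)",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-287"]},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "Example Product", "dateAdded": "2026-01-01",
     "dueDate": "2026-01-22", "knownRansomwareCampaignUse": "Unknown",
     "cwes": []},
]})

# Hypothetical asset inventory: (hostname, vendor, product keyword).
INVENTORY = [
    ("kace01.corp.example", "quest", "kace"),
    ("web01.corp.example", "othervendor", "webserver"),
]

def triage(feed_json, inventory, today):
    """Return KEV entries that match the inventory, most urgent first."""
    findings = []
    for vuln in json.loads(feed_json)["vulnerabilities"]:
        vendor = vuln["vendorProject"].lower()
        product = vuln["product"].lower()
        due = date.fromisoformat(vuln["dueDate"])
        for host, inv_vendor, keyword in inventory:
            # Match on exact vendor plus a product keyword substring.
            if inv_vendor == vendor and keyword in product:
                days_left = (due - today).days
                findings.append({
                    "host": host, "cve": vuln["cveID"],
                    "due": vuln["dueDate"], "days_left": days_left,
                    "overdue": days_left < 0,
                    "cwes": vuln.get("cwes", []),
                })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for finding in triage(SAMPLE_FEED, INVENTORY, date(2026, 4, 21)):
        print(finding)
```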


Article by CyberSIXT
