CVE-2025-32975 is a critical authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA), a product used for endpoint management. It carries a CVSS score of 10.0 and has been linked to exposure across more than 60 downstream organisations. According to Hunt[.]io, Quest published a patch in May 2025, yet ten months later attackers were actively exploiting unpatched instances.
The incident began with the compromise of a managed services provider called HIQ in the Boston area. The attacker staged a 308 MB toolkit on a server with no password protection, in a plain HTTP directory that was publicly visible within days of discovery. Hunt[.]io reports that the exfiltrated MariaDB dump revealed the appliance-managed endpoints for over 60 named client organisations spanning law enforcement, government, healthcare, education, and the private sector, none of whom were direct users of KACE SMA.
The toolkit included 219 files covering the intrusion lifecycle, from initial shell access to a persistent, covert C2 channel, and investigators noted hardcoded credentials for another victim, suggesting reuse across operations.