CVE-2025-32975
In short
Quest KACE SMA has a critical flaw in its login system that lets attackers pretend to be real users without needing passwords. This can give attackers complete control over the device.
Technical detail
An authentication bypass in the SSO mechanism (CWE-287) allows unauthenticated attackers to impersonate legitimate users and gain administrative access. The vulnerability affects multiple versions and requires no valid credentials, resulting in complete compromise of the appliance.
Summary generated and translated by AI from the official description.
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a · n/a
References
http://seclists.org/fulldisclosure/2025/Jun/25
https://seclists.org/fulldisclosure/2025/Jun/22
https://seralys.com/research/CVE-2025-32975.txt
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975