Hackers Actively Exploit Critical Quest KACE SMA Vulnerability


Cybersecurity researchers have confirmed active exploitation of a maximum-severity vulnerability in Quest KACE Systems Management Appliance (SMA) software. The malicious activity, first detected in customer environments during the week of March 9, 2026, targets internet-exposed systems that have not been updated with a security patch.

Security firm Arctic Wolf reported the ongoing attacks, which align with the exploitation of a flaw tracked as CVE-2025-32975. This vulnerability carries a Common Vulnerability Scoring System (CVSS) rating of 10.0, the highest possible score, indicating a critical level of risk.

Details of the Security Flaw

CVE-2025-32975 is a remote code execution vulnerability. A remote code execution flaw allows an attacker to run arbitrary code or commands on a target system from a distance, often over a network like the internet. In this case, successful exploitation could grant an attacker complete control over the unpatched Quest KACE SMA.

The Quest KACE SMA is a systems management tool used by IT departments for tasks such as software deployment, patch management, and inventory tracking. Gaining control of such a device provides a powerful foothold within an organization’s network.

Scope and Impact of the Attacks

The observed attacks specifically target SMA appliances that are directly accessible from the internet and remain unpatched. Arctic Wolf’s findings indicate that threat actors are actively scanning for and compromising these vulnerable systems.

While the exact number of compromised systems is not publicly known, the confirmation of active “in-the-wild” exploitation raises significant concerns for organizations using the software. A CVSS 10.0 rating signifies the vulnerability is trivial to exploit and can lead to a full compromise of confidentiality, integrity, and system availability.

Vendor Response and Mitigation

Quest Software has previously released a security update to address CVE-2025-32975. The company issued an advisory urging all customers to apply the relevant patches immediately to secure their KACE SMA appliances.

The standard mitigation for this vulnerability is to install the provided security update from Quest. As an immediate defensive measure, organizations are advised to ensure their KACE SMA management interface is not exposed to the public internet unless absolutely necessary, and to place it behind a firewall with strict access controls.

Broader Security Context

The exploitation of critical vulnerabilities in widely used management software is a persistent trend in cybersecurity. These tools are attractive targets for hackers because they often have high-level permissions within IT infrastructure. A single compromise can lead to widespread access across a network.

This incident underscores the critical importance of prompt patch management, especially for internet-facing systems. The time between a patch release and the start of widespread exploitation, often called the “patch gap,” is a key period of risk for organizations.

Security teams are expected to increase monitoring of network traffic related to KACE SMA systems for signs of anomalous activity or compromise. Further technical details regarding the attack patterns may be released by cybersecurity firms to aid in detection efforts.

Source: Arctic Wolf
