Quest KACE SMA Vulnerability Exposes Admin Accounts – CVE-2023-12975 Exploited


Admin Account Hijacking Exposes Critical Vulnerability in Quest KACE SMA

In a recent wave of attacks, hackers have exploited a previously patched vulnerability in Quest KACE Systems Management Appliance (SMA) to hijack administrative accounts on unsecured systems. The campaign, which began in early March 2026, leverages the CVE-2025-32975 flaw to execute remote commands, steal credentials, and facilitate lateral movement, underscoring the importance of timely patching and vigilant security measures.

According to researchers, the attacks originated from compromised SMA instances exposed to the internet, with the primary objective remaining unclear. However, initial investigations suggest that the attackers created additional administrative accounts using the “runkbot.exe” process associated with the SMA Agent. This background process is utilized to run scripts and manage installations, indicating a deliberate attempt to maintain persistence on affected systems.

Furthermore, malicious activities observed during the attacks include:

  • Credential theft via Mimikatz to extract login details
  • Discovery and reconnaissance through enumeration of logged-in users and admin accounts, as well as execution of “net time” and “net group” commands
  • Remote access to backup infrastructure, including Veeam and Veritas, as well as domain controllers

Experts emphasize that these attacks are not limited to system control; they can also be used for data theft, lateral movement across networks, and establishing remote entry points. As a result, administrators are strongly advised not to expose SMA instances to the internet and to immediately apply the latest patches, including versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).

Regularly monitoring the SMA agent and backup services for unexpected activity, and reporting anything unusual promptly, are also essential steps in preventing further unauthorized access. By taking these precautions, organizations can mitigate the risk of such attacks and ensure the integrity of their systems.
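The behaviours listed above (the SMA agent's runkbot.exe spawning account-creation and discovery commands, and new accounts being added to the Administrators group) are what a defender would look for when monitoring agent activity. The following detection script is an added example written for this article, not code from Quest, the researchers, or the article itself. It runs over constructed sample events in a simplified JSON-lines shape that stands in for Windows Security log telemetry; the hostnames, account names and command lines are invented, while the event IDs 4688 (process creation), 4720 (user account created) and 4732 (member added to a local group) are real Windows Security event IDs.

```python
"""
Constructed-example detector for the activity pattern described in the article:
the KACE SMA agent helper runkbot.exe launching account-creation or discovery
commands, followed by a brand-new account being promoted to Administrators.
The sample events are constructed, not real telemetry.
"""
import json
from collections import defaultdict

# Real Windows Security event IDs used by the rules below
PROCESS_CREATED, ACCOUNT_CREATED, LOCAL_GROUP_ADD = 4688, 4720, 4732

AGENT_PARENT = "runkbot.exe"  # SMA agent background process named in the article
DISCOVERY_ARGS = ("net time", "net group", "net localgroup", "quser", "query user")

# Constructed sample events, one JSON object per line; hosts/users are hypothetical
SAMPLE_LOG = r'''
{"id": 4688, "host": "ws01", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe", "user": "alice"}
{"id": 4688, "host": "ws01", "parent": "runkbot.exe", "image": "net.exe", "cmdline": "net user svc_backup P@ss /add", "user": "SYSTEM"}
{"id": 4720, "host": "ws01", "subject": "SYSTEM", "target": "svc_backup"}
{"id": 4732, "host": "ws01", "subject": "SYSTEM", "group": "Administrators", "member": "svc_backup"}
{"id": 4688, "host": "ws01", "parent": "runkbot.exe", "image": "net.exe", "cmdline": "net group \"Domain Admins\" /domain", "user": "SYSTEM"}
{"id": 4688, "host": "ws02", "parent": "runkbot.exe", "image": "msiexec.exe", "cmdline": "msiexec /i agent_update.msi /qn", "user": "SYSTEM"}
'''


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return a finding label for a single event, or None when it looks benign."""
    if event["id"] == PROCESS_CREATED and event.get("parent", "").lower() == AGENT_PARENT:
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "").lower()
        # Credential-theft tooling launched by the agent helper
        if image == "mimikatz.exe" or "sekurlsa" in cmd:
            return "credential-theft-tool"
        # Account creation via "net user ... /add" under the agent helper
        if image in {"net.exe", "net1.exe"} and " user " in f" {cmd} " and "/add" in cmd:
            return "account-creation-via-agent"
        # Enumeration commands the article lists (net time, net group, ...)
        if any(arg in cmd for arg in DISCOVERY_ARGS):
            return "discovery-via-agent"
    # Any addition to the local Administrators group is worth a look on its own
    if event["id"] == LOCAL_GROUP_ADD and event.get("group", "").lower() == "administrators":
        return "admin-group-membership-added"
    return None


def detect(text):
    """Apply the per-event rules and correlate 'account created' with a later
    'added to Administrators' for the same account on the same host."""
    findings = []
    created = defaultdict(set)  # host -> accounts created during this log window
    for ev in parse_events(text):
        label = classify(ev)
        if label:
            findings.append((ev["host"], label))
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["host"]].add(ev["target"])
        if ev["id"] == LOCAL_GROUP_ADD and ev.get("member") in created[ev["host"]]:
            findings.append((ev["host"], f"new-account-{ev['member']}-promoted-to-{ev['group']}"))
    return findings


if __name__ == "__main__":
    for host, label in detect(SAMPLE_LOG):
        print(f"{host}: {label}")
```

Because runkbot.exe legitimately runs managed installs and scripts, the parent process alone is not a signal; the rules key on what it launches (account creation, the enumeration commands named above, credential-theft tooling) and on the correlation of a freshly created account being promoted to Administrators, which is the pattern the article attributes to the campaign. In a real deployment the same rules would be fed from Sysmon or Security-log forwarding rather than the constructed JSON lines used here.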
