CVE-2025-32975 | Quest KACE Systems Management Appliance (SMA) 13.0.x before … | CVSS 10.0 CRITICAL

Description

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

Metadata

CVE ID: CVE-2025-32975
State: PUBLISHED
Assigner: mitre
Reserved: 2025-04-15 00:00 UTC
Published: 2025-06-24 00:00 UTC
Last updated: 2026-04-21 03:55 UTC
Primary CWE: CWE-287
CWE-287 Improper Authentication
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: ACTIVE
Automatable: yes
Tech. Impact: total

CISA Known Exploited Vulnerability

Vulnerability name: Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Vendor: Quest
Product: KACE Systems Management Appliance (SMA)
Added to KEV: 2026-04-20
Due date: 2026-05-04
Ransomware: Not known

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description

Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a
CWE-287	adp	CWE-287 Improper Authentication

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)