Arctic Wolf has observed active exploitation of CVE-2025-32975, a critical authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA), starting the week of March 9, 2026. The flaw in the SSO authentication mechanism allows threat actors to impersonate users and achieve full administrative takeover without valid credentials. Observed post-exploitation activity includes remote command execution via KPluginRunProcess, credential harvesting with Mimikatz, creation of rogue admin accounts, PowerShell persistence scripts, domain enumeration, and lateral movement to backup infrastructure and domain controllers. The vulnerability was patched in May 2025. Recommendations include upgrading to the latest fixed version, removing KACE SMA instances from public internet exposure, and restricting access via VPN or firewall.

From arcticwolf.com