CVE-2025-32975
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
24/06/2025
Last modified:
21/04/2026
Description
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
Impact
Base Score 3.x
10.00
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:* | 13.0 (including) | 13.0.385 (excluding) |
| cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:* | 13.1 (including) | 13.1.81 (excluding) |
| cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:* | 13.2 (including) | 13.2.183 (excluding) |
| cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:* | 14.0 (including) | 14.0.341 (excluding) |
| cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:* | 14.1 (including) | 14.1.101 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://seclists.org/fulldisclosure/2025/Jun/22
- https://seralys.com/research/CVE-2025-32975.txt
- https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
- http://seclists.org/fulldisclosure/2025/Jun/25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975