Threat actors are actively exploiting CVE-2025-32975, a critical path traversal vulnerability in Quest KACE Systems Management Appliance (SMA), to achieve unauthenticated remote code execution (RCE). The flaw carries a maximum CVSS v3.1 score of 10.0, indicating its severe impact.
The vulnerability was discovered and disclosed by Assetnote researchers on February 28, 2026. Quest subsequently released patches for the affected software on March 18, 2026.
CVE-2025-32975: Unauthenticated Remote Code Execution Details
CVE-2025-32975 is a path traversal vulnerability located in the /agent/agentless_update.php endpoint of the Quest KACE SMA. This flaw allows an unauthenticated attacker to upload arbitrary files to publicly accessible locations on the appliance. By uploading a malicious PHP file, attackers can execute arbitrary code with root privileges.
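The class of flaw described above, a file-upload handler that lets a client-controlled name escape the intended directory, is easiest to see next to its fix. The following Python is an added illustration written for this article; it is not Quest's code, it does not reproduce the actual KACE SMA logic, and the upload directory, the allowed extensions and the file names are constructed values.

```python
import posixpath
from urllib.parse import unquote

# Constructed example values: a hypothetical upload directory and the file
# types a hypothetical update endpoint legitimately accepts. Neither is taken
# from the KACE SMA product.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXT = {".txt", ".log", ".xml"}


def naive_upload_path(filename: str) -> str:
    """The vulnerable pattern (illustrative, not Quest's code): trust the
    client-supplied name and join it under UPLOAD_ROOT. A name containing
    '../' segments escapes the intended directory after normalisation."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_upload_path(filename: str) -> str:
    """Hardened handling: fully URL-decode, strip directory components, reject
    anything that is not a plain file name with an allowed extension, then
    re-check that the normalised path still lies inside UPLOAD_ROOT."""
    # Decode repeatedly so double-encoded sequences such as %252e cannot slip
    # past a single-pass check.
    decoded = filename
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError(f"rejected filename (null byte): {filename!r}")
    # Treat backslashes as separators too, then keep only the final component.
    base = posixpath.basename(decoded.replace("\\", "/"))
    if base in ("", ".", "..") or base != decoded:
        raise ValueError(f"rejected filename (path components): {filename!r}")
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected filename (extension): {filename!r}")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    # Defence in depth: even after the checks above, confirm containment.
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError(f"rejected filename (escapes root): {filename!r}")
    return candidate


def is_within_root(path: str) -> bool:
    """True if the normalised absolute path lies inside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, posixpath.normpath(path)]) == UPLOAD_ROOT


def is_accepted_name(filename: str) -> bool:
    """Convenience wrapper: does safe_upload_path accept this name?"""
    try:
        safe_upload_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed test names: one benign, one with literal traversal, one with
    # URL-encoded traversal, one with a disallowed (script) extension.
    for name in ("report.txt", "../../etc/cron.d/job.txt",
                 "..%2f..%2fupdate.php", "update.php"):
        naive = naive_upload_path(name)
        verdict = "accepted" if is_accepted_name(name) else "rejected"
        print(f"{name!r:32} naive -> {naive} "
              f"(inside root: {is_within_root(naive)})  hardened -> {verdict}")
```

The two checks that matter are the repeated decode before validation and the final containment test on the normalised path; an extension allowlist on its own would not stop a traversal into another directory, and a single `..` filter on its own is defeated by encoding.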
"The vulnerability can be leveraged by unauthenticated attackers to execute arbitrary code with root privileges on affected KACE SMA appliances. The impact of this vulnerability is severe, as it allows full control over the appliance, which often manages a large number of endpoints in an organization."
— Assetnote researchers
The exploit chain bypasses authentication entirely, giving attackers full control over the compromised appliance. Because a KACE SMA manages numerous endpoints within an organization, successful exploitation poses a significant risk of broader network compromise, as with other unauthenticated arbitrary file upload vulnerabilities.
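For teams that cannot patch immediately, or that want to check whether the endpoint was probed before patching, a first triage step is to review the appliance's web access log for requests to the endpoint named above that carry traversal sequences. The Python below is an added example for this article, not a tool from Quest or Assetnote; the log lines are constructed in combined log format with documentation-range IPs, and the `name` query parameter and the user-agent strings are placeholders, not the real parameter or agent names.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory.
WATCHED_PATH = "/agent/agentless_update.php"

# Constructed sample lines in Apache/nginx combined log format. The IPs come
# from documentation ranges; the 'name' parameter and the user agents are
# placeholders, not values observed in real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2026:10:01:15 +0000] "POST /agent/agentless_update.php?name=../../x.php HTTP/1.1" 200 17 "-" "example-client/1.0"
203.0.113.9 - - [20/Mar/2026:10:01:16 +0000] "POST /agent/agentless_update.php?name=%2e%2e%2f%2e%2e%2fx.php HTTP/1.1" 200 17 "-" "example-client/1.0"
198.51.100.7 - - [20/Mar/2026:10:02:40 +0000] "POST /agent/agentless_update.php HTTP/1.1" 200 17 "-" "example-agent/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A '..' segment delimited by a path, query or parameter separator.
DOTDOT_RE = re.compile(r'(?:^|[/?=&;])\.\.(?:/|$)')


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double encoding is unwrapped."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def traversal_indicators(target: str) -> list:
    """Return the reasons a request target looks like a traversal attempt."""
    found = []
    decoded = fully_decode(target).replace("\\", "/")
    if DOTDOT_RE.search(decoded):
        found.append("dot-dot segment after decoding")
    if re.search(r"%2e%2e|%252e", target, re.IGNORECASE):
        found.append("url-encoded dot-dot")
    if "\x00" in decoded:
        found.append("null byte")
    return found


def endpoint_hits(text: str) -> int:
    """Count every request to the watched endpoint; useful as a baseline,
    since legitimate agent traffic will also appear here."""
    count = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and urlsplit(m["target"]).path == WATCHED_PATH:
            count += 1
    return count


def scan_log(text: str) -> list:
    """Return one finding per request to the watched endpoint whose target
    carries traversal indicators."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        target = m["target"]
        if urlsplit(target).path != WATCHED_PATH:
            continue
        indicators = traversal_indicators(target)
        if indicators:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "target": target,
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    print(f"requests to {WATCHED_PATH}: {endpoint_hits(SAMPLE_LOG)}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} "
              f"{f['target']} -> {', '.join(f['indicators'])}")
```

A hit on the decoded check alone is the signal to act on; the encoded-form check is there so a request that was only partially decoded by the web server's logging still stands out. Plain requests to the endpoint without traversal markers are counted separately, because the appliance's own agents are expected to use it and that baseline is what an anomalous source address should be compared against.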
Affected Versions and Remediation
The vulnerability affects Quest KACE SMA versions 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, and 12.0. Administrators are strongly advised to update their appliances to version 12.1 or later to mitigate the risk of exploitation, and to verify afterwards that the update has actually been applied.