Quest KACE CVE-2025-32975 Enables Remote Code Execution
Quest Software disclosed a critical vulnerability in its KACE Systems Management Appliance platform on March 20, 2026, warning that attackers have already weaponized the flaw in targeted campaigns against educational organizations. The vulnerability, tracked as CVE-2025-32975, affects multiple versions of the KACE platform and enables remote code execution without authentication.
Security researchers first identified suspicious activity targeting KACE deployments in late February 2026, with initial indicators pointing to exploitation of an unknown vulnerability in the web management interface. Quest's security team confirmed the vulnerability after analyzing attack patterns and working with affected customers to understand the exploitation mechanism. The company's investigation revealed that attackers were leveraging improper input validation in the KACE web console to execute arbitrary commands on underlying systems.
The vulnerability stems from insufficient sanitization of user-supplied data in the KACE web application's file upload functionality. Attackers can craft malicious requests that bypass authentication checks and execute system-level commands with elevated privileges. This design flaw allows complete compromise of affected KACE appliances, giving attackers persistent access to managed endpoints and sensitive configuration data.
Quest Software has confirmed that the vulnerability affects KACE Systems Management Appliance versions 13.0 through 13.2.145, as well as KACE Systems Deployment Appliance versions 8.0 through 8.2.157. The company released emergency patches for all affected versions on March 20, 2026, and has been working directly with customers to coordinate rapid deployment of security updates.
According to Quest's advisory, the vulnerability requires network access to the KACE web interface but doesn't require valid credentials, making it particularly dangerous for organizations that expose their KACE appliances to the internet or have compromised internal networks. The CISA Known Exploited Vulnerabilities catalog is expected to add CVE-2025-32975 following confirmation of active exploitation.
Educational Institutions Face Targeted KACE Exploitation
The active exploitation campaign has primarily targeted educational institutions across North America and Europe, with Quest Software confirming attacks against at least twelve school districts and universities. These organizations typically deploy KACE appliances to manage large fleets of student and faculty devices, making them attractive targets for attackers seeking to establish persistent access to educational networks.
Organizations running Quest KACE Systems Management Appliance versions 13.0 through 13.2.145 are vulnerable to exploitation, along with those using KACE Systems Deployment Appliance versions 8.0 through 8.2.157. The vulnerability affects both on-premises and cloud-hosted KACE deployments, though cloud instances may have additional network protections that limit exposure. Quest estimates that approximately 3,000 organizations worldwide operate vulnerable KACE appliances, with educational institutions representing roughly 40% of the affected user base.
The education sector's vulnerability stems from common deployment patterns that increase exposure risk. Many schools configure KACE appliances with internet-facing management interfaces to support remote device management and software deployment. Additionally, educational networks often have complex trust relationships and shared access policies that can amplify the impact of a successful KACE compromise. Attackers who gain control of KACE appliances can potentially access managed endpoints, steal credentials, and move laterally through connected systems.
Beyond educational institutions, the vulnerability also affects corporate environments, government agencies, and healthcare organizations that rely on KACE for endpoint management. The Microsoft Security Response Center has noted increased scanning activity targeting KACE appliances, suggesting that threat actors are actively searching for vulnerable systems across multiple sectors.
Immediate Patching Required for Quest KACE Systems
Quest Software has released security updates that address CVE-2025-32975 across all affected product lines. Organizations must immediately update KACE Systems Management Appliance to version 13.2.146 or later, and KACE Systems Deployment Appliance to version 8.2.158 or later. The patches include comprehensive input validation improvements and additional authentication checks for the web management interface.
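The version ranges above can be checked against an appliance inventory. The following is an added example, not code from Quest or from this article: it classifies each appliance as vulnerable, patched, or needing manual review, using only the ranges stated here. The hostnames, the product labels "SMA" and "SDA", and the inventory rows are constructed for illustration.

```python
import re

# Ranges as stated in the article: (first affected, last affected, first fixed).
AFFECTED = {
    "SMA": ((13, 0, 0), (13, 2, 145), (13, 2, 146)),  # Systems Management Appliance
    "SDA": ((8, 0, 0), (8, 2, 157), (8, 2, 158)),     # Systems Deployment Appliance
}

def parse_version(text):
    """Turn '13.2.145' or '8.1' into a 3-tuple of ints; missing parts become 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version):
    """Classify one appliance as 'vulnerable', 'patched' or 'review'."""
    key = product.strip().upper()
    if key not in AFFECTED:
        return "review"      # product not covered by the article
    try:
        v = parse_version(version)
    except ValueError:
        return "review"      # unparseable version: a human has to look
    first, last, fixed = AFFECTED[key]
    if first <= v <= last:
        return "vulnerable"
    if v >= fixed:
        return "patched"
    return "review"          # older than the stated range: the article gives no verdict

# Constructed inventory rows: (hostname, product label, reported version).
INVENTORY = [
    ("kace-sma-01", "SMA", "13.2.145"),
    ("kace-sma-02", "SMA", "13.2.146"),
    ("kace-sda-01", "SDA", "8.1"),
    ("kace-sda-02", "SDA", "8.2.158"),
    ("kace-sma-old", "SMA", "12.1.169"),
    ("kace-sma-bad", "SMA", "unknown"),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:14} {status}")
```

Versions below the stated ranges come back as "review" rather than "patched", because the article says nothing about them.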
For organizations that cannot immediately apply patches, Quest recommends implementing network-level protections to limit access to KACE web interfaces. This includes restricting management access to trusted IP ranges, implementing VPN requirements for remote access, and deploying web application firewalls with rules that block malicious request patterns. Quest has published specific firewall rules and intrusion detection signatures to help organizations detect and prevent exploitation attempts.
System administrators should immediately review KACE appliance logs for indicators of compromise, including unexpected file uploads, unusual command execution patterns, and unauthorized configuration changes. Quest's security advisory includes specific log entries and file system artifacts that indicate successful exploitation. Organizations should also verify the integrity of managed device configurations and check for unauthorized software deployments that might indicate lateral movement from compromised KACE systems.
The patching process requires a brief service interruption, but Quest has designed the updates to minimize downtime for critical device management operations. Organizations should schedule maintenance windows during low-usage periods and ensure they have backup access methods for managed endpoints during the update process. Quest's technical support team is providing expedited assistance for customers experiencing difficulties with patch deployment or suspected compromise incidents.




