CVE-2025-32975
KEV
🔴 Łataj teraz
Obejście uwierzytelnienia w Quest KACE SMA pozwala na przejęcie konta administratora.
CVSS
10.0
EPSS
45.4%
Exploit
weaponized
Vendor
quest
Opis źródłowy (NVD)
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
auth-bypass
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 10.0 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 45.4% |
| Opublikowano (NVD) | 2025-06-24 15:15:23 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-21 14:09:39 UTC |
Referencje
- https://seclists.org/fulldisclosure/2025/Jun/22 (cve@mitre.org) [Mailing List, Third Party Advisory]
- https://seralys.com/research/CVE-2025-32975.txt (cve@mitre.org) [Third Party Advisory]
- https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978 (cve@mitre.org) [Vendor Advisory]
- http://seclists.org/fulldisclosure/2025/Jun/25 (af854a3a-2127-422b-91ae-364da2661108) [Mailing List, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]