EXECUTIVE SUMMARY
The KACE SMA breach is a significant cybersecurity incident that highlights the importance of prompt patching and secure configuration of critical infrastructure. An attacker exploited the authentication bypass vulnerability CVE-2025-32975 in the SSO authentication handling mechanism of KACE SMA, gained access to the appliance, and then used it as a pivot point to compromise multiple downstream victim environments. The attacker's toolkit, revealed through an exposed open directory, demonstrates an architecturally complete post-compromise operation, encompassing initial shell access, lateral movement, data exfiltration, and persistent access. The compromised data includes sensitive information about client organizations, further underscoring the severity of the breach. Organizations must take immediate action to address the vulnerability and ensure the secure configuration of their KACE SMA appliances.
The attacker's infection vector in this case was the open directory at 216.126.225[.]156:8000, which was accessible without authentication. This exposed directory contained the attacker's toolkit, including scripts for lateral movement, data exfiltration, and persistence. The scripts, written in Python and PowerShell, demonstrate the attacker's ability to evade detection and maintain a presence on compromised systems. The toolkit also includes a reverse shell script (rs.py) that creates a TCP socket to connect to the attacker's C2 server, allowing for remote command execution. Furthermore, the toolkit includes a bidirectional C2 file server (uploadserver.py) that enables the attacker to receive exfiltrated data or updated payloads from the compromised systems. The scripts also create a backdoor local account enrolled in the Administrators and Remote Desktop Users groups, maintaining privileged access over both SMB and RDP.
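The persistence step described above, a freshly created local account enrolled in both the Administrators and Remote Desktop Users groups, leaves a recognisable trail in the Windows Security log: an account-creation event (4720) followed within seconds by two local-group-membership events (4732). The following detection routine is an added example, not code from the original report or from the attacker's toolkit. Windows event IDs 4720 and 4732 are real; the pipe-and-semicolon log line format, the host name and the account names in the sample are constructed for the example and are not indicators from the incident.

```python
"""Flag backdoor local accounts: created (4720) and then added to both the
Administrators and Remote Desktop Users local groups (4732) within a short window.

Added example, not part of the original report. The record format below is a
constructed, simplified "timestamp|event_id|field=value;..." layout; in a real
deployment the fields would come from the EventData of the exported events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not from the incident). "support$" is added to both
# privileged groups within two seconds of creation; "jdoe" is a benign account
# that only joins Remote Desktop Users, hours later.
SAMPLE_LOG = """\
2025-06-01T10:00:01|4624|TargetUserName=svc_kace;LogonType=3
2025-06-01T10:02:13|4720|TargetUserName=support$;SubjectUserName=admin
2025-06-01T10:02:14|4732|MemberName=WIN-HOST\\support$;TargetUserName=Administrators
2025-06-01T10:02:15|4732|MemberName=WIN-HOST\\support$;TargetUserName=Remote Desktop Users
2025-06-01T11:30:00|4720|TargetUserName=jdoe;SubjectUserName=hr_admin
2025-06-01T15:30:00|4732|MemberName=WIN-HOST\\jdoe;TargetUserName=Remote Desktop Users
"""

# Both groups must be joined for the alert to fire; either alone is common in normal admin work.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the simplified log format into Event records; blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_s, eid_s, rest = line.split("|", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts_s), int(eid_s), fields))
    return events


def find_backdoor_accounts(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return account names created by a 4720 event and then added to every group in
    PRIVILEGED_GROUPS by 4732 events within `window` of the creation time."""
    created: Dict[str, datetime] = {}          # account -> creation timestamp
    joined: Dict[str, set] = {}                # account -> privileged groups joined in window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4720:
            created[ev.fields["TargetUserName"]] = ev.ts
        elif ev.event_id == 4732:
            # In 4732, MemberName carries the member (DOMAIN\\user form here) and
            # TargetUserName carries the group the member was added to.
            member = ev.fields.get("MemberName", "").split("\\")[-1]
            group = ev.fields.get("TargetUserName", "")
            if member in created and group in PRIVILEGED_GROUPS and ev.ts - created[member] <= window:
                joined.setdefault(member, set()).add(group)
    return sorted(acct for acct, groups in joined.items() if groups == PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for account in find_backdoor_accounts(parse_log(SAMPLE_LOG)):
        print(f"ALERT: local account '{account}' created and granted admin + RDP access within window")
```

The window is deliberately short: a human administrator creating a service account and granting it two group memberships seconds apart is unusual, while a scripted backdoor does exactly that. Tune the window and the group set to the environment, and pair the alert with the source of the creation (SubjectUserName) so a compromised admin session can be traced back.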
The KACE SMA breach serves as a stark reminder of the importance of prompt patching and secure configuration. Organizations must prioritize the implementation of security best practices, including regular patching, secure configuration of critical infrastructure, and continuous monitoring of their internet-facing exposure surface. By doing so, they can reduce the risks associated with such vulnerabilities and minimize the potential impact of a breach.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1136.001 | Create Account | Local Account |
| Credential Access | T1110.003 | Brute Force | Password Spraying |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1047 | Windows Management Instrumentation | — |
| Discovery | T1046 | Network Service Discovery | — |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1572 | Protocol Tunneling | — |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1102 | Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/quest-kace-sma-vulnerability-cve-2025-32975-exploited-cvss-10/
https://hunt.io/blog/cve-2025-32975-quest-kace-sma-open-directory-60-victims