CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-32976: Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch...

Description

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.

Classification

CVE ID: CVE-2025-32976

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (probability of being exploited)

EPSS Percentile: 28.56% (scored less or equal to compared to others)

EPSS Date: 2025-07-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32976
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
https://seclists.org/fulldisclosure/2025/Jun/23
https://seralys.com/research/CVE-2025-32976.txt

Timeline

2025-06-24 03:15:34 UTC
Full Disclosure Mailinglist

CVE-2025-32976 - Quest KACE SMA 2FA Bypass
2025-06-24 15:40:14 UTC
CVE

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch...