Which SIEM platforms have a CVE-2025-32975 detection rule?

df00tech provides CVE-2025-32975 (Quest KACE SMA Improper Authentication Exploitation Detected) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Quest KACE SMA Improper Authentication Exploitation Detected (CVE-2025-32975)?

Detecting Quest KACE SMA Improper Authentication Exploitation Detected requires the following data sources: Azure Sentinel CommonSecurityLog, Microsoft Defender for Endpoint DeviceNetworkEvents, Web Application Firewall Logs.

What severity and confidence is the CVE-2025-32975 detection?

The CVE-2025-32975 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2025-32975?

Common false positives for CVE-2025-32975 include: Legitimate IT administrators performing routine KACE SMA management tasks from known IP ranges; Automated vulnerability scanners or internal security tools scanning the KACE appliance; Patch management or monitoring tools making frequent API calls to the KACE SMA interface.

CVE-2025-32975 Detection: Quest KACE SMA Improper Authentication Exploitation Detected (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let KACEPorts = dynamic([80, 443, 8080, 8443]);
let SuspiciousEndpoints = dynamic(["/admin", "/userui", "/api", "/service/ambari", "/api/users", "/admin/index.php"]);
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DestinationPort in (KACEPorts) or DestPort in (KACEPorts)
| extend RequestURL = coalesce(RequestURL, DestinationURL, ""), SrcIP = coalesce(SourceIP, RemoteIP, "")
| where RequestURL has_any (SuspiciousEndpoints)
| where isnotempty(SrcIP)
| summarize RequestCount = count(), DistinctEndpoints = dcount(RequestURL), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Endpoints = make_set(RequestURL, 20) by SrcIP, DestinationIP, DestinationPort
| where RequestCount > 10 or DistinctEndpoints > 3
| extend RiskScore = case(
    RequestCount > 50 and DistinctEndpoints > 5, "High",
    RequestCount > 20, "Medium",
    "Low"
  )
| project FirstSeen, LastSeen, SrcIP, DestinationIP, DestinationPort, RequestCount, DistinctEndpoints, Endpoints, RiskScore
| order by RequestCount desc

Detects anomalous HTTP request patterns to Quest KACE SMA administrative endpoints that may indicate authentication bypass exploitation. Looks for high-volume or multi-endpoint probing from single source IPs targeting known KACE management paths.

critical severity medium confidence

Data Sources

Azure Sentinel CommonSecurityLog Microsoft Defender for Endpoint DeviceNetworkEvents Web Application Firewall Logs

Required Tables

CommonSecurityLog DeviceNetworkEvents

False Positives

Legitimate IT administrators performing routine KACE SMA management tasks from known IP ranges
Automated vulnerability scanners or internal security tools scanning the KACE appliance
Patch management or monitoring tools making frequent API calls to the KACE SMA interface
Load balancer health checks or uptime monitoring probes targeting KACE endpoints

Splunk

spl

index=network OR index=web sourcetype=access_combined OR sourcetype=cisco:asa OR sourcetype=pan:traffic OR sourcetype=stream:http
| where (dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8443)
| where (uri_path="/admin*" OR uri_path="/userui*" OR uri_path="/api/users*" OR uri_path="/service*" OR uri_path="/admin/index.php*")
| eval is_suspicious_method=if(method="GET" AND match(uri_path, "(?i)(admin|userui|api/users|service/ambari)"), 1, 0)
| eval is_auth_bypass=if((status=200 OR status=302) AND match(uri_path, "(?i)(admin|userui)") AND isnull(cookie) OR len(cookie)<10, 1, 0)
| stats count AS request_count, dc(uri_path) AS distinct_endpoints, values(uri_path) AS endpoints, values(status) AS response_codes, min(_time) AS first_seen, max(_time) AS last_seen, sum(is_auth_bypass) AS auth_bypass_indicators BY src_ip, dest_ip, dest_port
| where request_count > 5 OR auth_bypass_indicators > 0
| eval risk_score=case(auth_bypass_indicators>0 AND request_count>20, "critical", auth_bypass_indicators>0, "high", request_count>50 AND distinct_endpoints>5, "high", request_count>20, "medium", true(), "low")
| table first_seen, last_seen, src_ip, dest_ip, dest_port, request_count, distinct_endpoints, endpoints, response_codes, auth_bypass_indicators, risk_score
| sort - request_count

Detects potential authentication bypass attempts against Quest KACE SMA by analyzing HTTP access patterns, looking for requests to privileged endpoints lacking proper authentication cookies, or high-frequency probing of administrative paths.

critical severity medium confidence

Data Sources

Web Server Access Logs Network Traffic Logs Proxy Logs Firewall Logs

Required Sourcetypes

access_combined cisco:asa pan:traffic stream:http

False Positives

Authorized administrators accessing KACE management interface from known IP addresses
Internal monitoring and health-check systems polling KACE API endpoints
Security scanners performing scheduled vulnerability assessments against KACE SMA
Session management issues causing legitimate users to have missing or short cookie values

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path : ("/admin*", "/userui*", "/api/users*", "/service/*")]
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path : ("/admin*", "/userui*", "/api/users*", "/service/*") and
   http.response.status_code in (200, 302, 301)]
| where #sequencesFound >= 2

Uses EQL sequence detection to identify authentication bypass patterns against KACE SMA: a source IP making repeated requests to administrative endpoints and receiving successful (2xx/3xx) responses, potentially indicating bypass of authentication controls.

critical severity medium confidence

Data Sources

Elastic Network Events Packetbeat Elastic Agent Network Integration

Required Tables

logs-network* packetbeat-*

False Positives

Legitimate administrator sessions generating multiple successful requests to KACE admin paths
Automated configuration management tools making authenticated API calls
Browser redirects from HTTP to HTTPS on the KACE management interface
Session token refresh flows in the KACE web application

IBM QRadar (AQL)

sql

SELECT sourceip, destinationip, destinationport, URL, username, eventcount, MIN(starttime) AS first_seen, MAX(starttime) AS last_seen,
  SUM(CASE WHEN URL LIKE '%/admin%' OR URL LIKE '%/userui%' OR URL LIKE '%/api/users%' THEN 1 ELSE 0 END) AS admin_requests,
  SUM(CASE WHEN responseCode IN (200, 302, 301) AND (URL LIKE '%/admin%' OR URL LIKE '%/userui%') THEN 1 ELSE 0 END) AS successful_admin_access
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Nginx', 'F5 BIG-IP')
  AND destinationport IN (80, 443, 8080, 8443)
  AND (URL LIKE '%/admin%' OR URL LIKE '%/userui%' OR URL LIKE '%/api%' OR URL LIKE '%/service%')
  AND LAST 24 HOURS
GROUP BY sourceip, destinationip, destinationport, URL, username
HAVING admin_requests > 10 OR successful_admin_access > 3
ORDER BY admin_requests DESC

Queries QRadar for suspicious access patterns to Quest KACE SMA administrative endpoints, identifying sources with high volumes of admin endpoint requests or multiple successful accesses to privileged paths that may indicate authentication bypass exploitation.

critical severity medium confidence

Data Sources

QRadar Network Activity Web Server Log Sources Firewall Log Sources

Required Tables

events

False Positives

IT operations staff performing routine KACE appliance administration
Automated patch deployment processes accessing KACE API endpoints
Network monitoring tools performing connectivity checks to KACE management ports
Web application firewall testing generating traffic to KACE endpoints

Sumo Logic CSE

sql

_sourceCategory=network/web OR _sourceCategory=firewall/paloalto OR _sourceCategory=proxy/bluecoat
| where (dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8443)
| parse regex field=url "(?P<path>/[^\?]*)" nodrop
| where path matches "/admin*" OR path matches "/userui*" OR path matches "/api/users*" OR path matches "/service*"
| timeslice 5m
| stats count as request_count, dcount(path) as distinct_paths, values(path) as paths_accessed, dcount(status_code) as response_variety, sum(if(status_code=200 OR status_code=302, 1, 0)) as successful_requests by src_ip, dest_ip, _timeslice
| where request_count > 10 OR (successful_requests > 3 AND distinct_paths > 2)
| fields - _timeslice
| sort by request_count desc

Detects potential CVE-2025-32975 exploitation by identifying high-frequency or multi-path access patterns to Quest KACE SMA management endpoints, with emphasis on successful responses to administrative paths that may indicate authentication bypass.

critical severity medium confidence

Data Sources

Sumo Logic Web Access Logs Firewall Sources Proxy Sources

Required Tables

_sourceCategory=network/web _sourceCategory=firewall*

False Positives

Legitimate KACE administrators generating multiple requests during normal operations
Automated backup or reporting jobs accessing KACE APIs periodically
Load balancer health checks polling KACE service endpoints
Security team running authorized penetration tests against KACE infrastructure

Google Chronicle / SecOps

yaral

rule quest_kace_sma_auth_bypass_cve_2025_32975 {
  meta:
    author = "Detection Engineering"
    description = "Detects potential CVE-2025-32975 exploitation against Quest KACE SMA - improper authentication bypass"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-32975"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.application_protocol = "HTTP" or $e.network.application_protocol = "HTTPS"
    $e.target.port = 80 or $e.target.port = 443 or $e.target.port = 8080 or $e.target.port = 8443
    (
      re.regex($e.network.http.request_url, `(?i)/admin`) or
      re.regex($e.network.http.request_url, `(?i)/userui`) or
      re.regex($e.network.http.request_url, `(?i)/api/users`) or
      re.regex($e.network.http.request_url, `(?i)/service/ambari`)
    )
    $e.network.http.response_code = 200 or
    $e.network.http.response_code = 302
    $src_ip = $e.principal.ip

  match:
    $src_ip over 10m

  outcome:
    $event_count = count_distinct($e.metadata.id)
    $distinct_urls = count_distinct($e.network.http.request_url)
    $target_ips = array_distinct($e.target.ip)

  condition:
    #e > 5 and $distinct_urls > 2
}

Chronicle YARA-L rule detecting repeated successful HTTP access to Quest KACE SMA administrative endpoints from a single source IP within a 10-minute window, indicating potential authentication bypass exploitation of CVE-2025-32975.

critical severity medium confidence

Data Sources

Chronicle Network Telemetry Web Proxy Logs Firewall Network Logs

Required Tables

network_http

False Positives

Administrators performing maintenance tasks generating multiple authenticated requests to KACE admin interfaces
Automated monitoring or CMDB sync tools polling multiple KACE API endpoints
Browser caching and redirect behavior causing multiple hits to the same admin path
Multi-tab administrator sessions accessing different KACE management sections simultaneously

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| TargetPort IN (80, 443, 8080, 8443)
| HttpRequestUrl IN CIREGEX ("(?i)/admin", "(?i)/userui", "(?i)/api/users", "(?i)/service/ambari")
| stats count(HttpRequestUrl) AS request_count, dc(HttpRequestUrl) AS distinct_endpoints, values(HttpRequestUrl) AS endpoints, min(timestamp) AS first_seen, max(timestamp) AS last_seen BY RemoteAddressIP4, TargetPort, HttpResponseCode
| where request_count > 10 OR (HttpResponseCode IN (200, 302) AND distinct_endpoints > 2)
| eval risk = if(HttpResponseCode IN (200, 302) AND distinct_endpoints > 3, "CRITICAL", if(request_count > 30, "HIGH", "MEDIUM"))
| fields first_seen, last_seen, RemoteAddressIP4, TargetPort, request_count, distinct_endpoints, endpoints, HttpResponseCode, risk
| sort -request_count

CrowdStrike Falcon Query Language detection for suspicious HTTP request patterns targeting Quest KACE SMA administrative endpoints, particularly successful responses (200/302) to privileged paths from single source IPs indicating potential CVE-2025-32975 exploitation.

critical severity medium confidence

Data Sources

CrowdStrike Falcon Network Events Falcon HTTP Telemetry

Required Tables

NetworkConnectIP4 HttpRequest

False Positives

CrowdStrike-protected endpoints running KACE agents making legitimate management callbacks
Authorized security operations staff accessing KACE management portal from monitored endpoints
Scheduled KACE inventory and patch compliance checks triggering multiple API requests
Network segmentation testing or firewall rule validation targeting KACE management ports

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2025-32975 Quest KACE SMA Improper Authentication Exploitation Detected?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2025-32975

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox