CVE-2025-32975 Elastic Security · Elastic

Detect Quest KACE SMA Improper Authentication Exploitation Detected in Elastic Security

Detects exploitation attempts against CVE-2025-32975, an improper authentication vulnerability (CWE-287) in Quest KACE Systems Management Appliance (SMA). This KEV-listed vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the SMA management interface and downstream managed endpoints. Successful exploitation could lead to full appliance compromise and lateral movement across managed systems.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path : ("/admin*", "/userui*", "/api/users*", "/service/*")]
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path : ("/admin*", "/userui*", "/api/users*", "/service/*") and
   http.response.status_code in (200, 302, 301)]
| where #sequencesFound >= 2
critical severity medium confidence

Uses EQL sequence detection to identify authentication bypass patterns against KACE SMA: a source IP making repeated requests to administrative endpoints and receiving successful (2xx/3xx) responses, potentially indicating bypass of authentication controls.

Data Sources

Elastic Network EventsPacketbeatElastic Agent Network Integration

Required Tables

logs-network*packetbeat-*

False Positives & Tuning

  • Legitimate administrator sessions generating multiple successful requests to KACE admin paths
  • Automated configuration management tools making authenticated API calls
  • Browser redirects from HTTP to HTTPS on the KACE management interface
  • Session token refresh flows in the KACE web application

Other platforms for CVE-2025-32975

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1KACE SMA Unauthenticated Admin Endpoint Enumeration

    Expected signal: Web server access logs showing GET requests to /admin, /userui, /api/users, /service/ambari without authentication cookies; network flow records showing HTTP connections to KACE SMA on port 443

  2. Test 2KACE SMA Authentication Bypass Simulation via Missing Auth Header

    Expected signal: Web server logs showing requests to /admin/, /admin/index.php, /api/users with empty or missing authentication cookies; HTTP response codes indicating whether bypass was successful (200/302) or properly rejected (401/403)

  3. Test 3Post-Exploitation KACE Agent Script Deployment Simulation

    Expected signal: KACE SMA audit log entry showing script creation by the test account; network logs showing authentication followed by POST request to /api/script; SIEM alert on new script creation event from an account that recently logged in from an unusual IP

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-32975 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1210Exploitation of Remote ServicesT1072Software Deployment Tools

Same Tactic: Initial Access

Popular Detections