Detect Quest KACE SMA Improper Authentication Exploitation Detected in Splunk
Detects exploitation attempts against CVE-2025-32975, an improper authentication vulnerability (CWE-287) in Quest KACE Systems Management Appliance (SMA). This KEV-listed vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the SMA management interface and downstream managed endpoints. Successful exploitation could lead to full appliance compromise and lateral movement across managed systems.
SPL Detection Query
(index=network OR index=web) (sourcetype=access_combined OR sourcetype=cisco:asa OR sourcetype=pan:traffic OR sourcetype=stream:http)
| where isnull(dest_port) OR dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8443
| where match(uri_path, "^/(admin|userui|api/users|service)")
| eval is_admin_probe=if(method="GET" AND match(uri_path, "(?i)(admin|userui|api/users|service/ambari)"), 1, 0)
| eval is_auth_bypass=if((status=200 OR status=302) AND match(uri_path, "(?i)(admin|userui)") AND (isnull(cookie) OR len(cookie)<10), 1, 0)
| stats count AS request_count, dc(uri_path) AS distinct_endpoints, values(uri_path) AS endpoints, values(status) AS response_codes, min(_time) AS first_seen, max(_time) AS last_seen, sum(is_admin_probe) AS probe_indicators, sum(is_auth_bypass) AS auth_bypass_indicators BY src_ip, dest_ip, dest_port
| where request_count > 5 OR auth_bypass_indicators > 0
| eval risk_score=case(auth_bypass_indicators>0 AND request_count>20, "critical", auth_bypass_indicators>0, "high", request_count>50 AND distinct_endpoints>5, "high", request_count>20, "medium", true(), "low")
| table first_seen, last_seen, src_ip, dest_ip, dest_port, request_count, distinct_endpoints, endpoints, response_codes, probe_indicators, auth_bypass_indicators, risk_score
| sort - request_count

Detects potential authentication bypass attempts against Quest KACE SMA by analysing HTTP access patterns: requests to privileged endpoints (/admin, /userui, /api/users, /service) that receive a 200 or 302 without a session cookie, or high-frequency probing of administrative paths from one source.

Notes on the query as corrected above: the index and sourcetype terms are parenthesised, because SPL binds AND tighter than OR and the unparenthesised form only applied the sourcetype list to index=web; the path filter uses match() rather than `where uri_path="/admin*"`, since `=` inside `where` is an exact comparison and does not expand wildcards; the cookie test is parenthesised so that `len(cookie)<10` no longer matches every request with a short cookie regardless of path or status; the port filter keeps events that carry no dest_port field (plain access_combined) instead of silently dropping them; and the GET-probe indicator, which the original computed but never used, is now summed into probe_indicators. Two caveats remain. First, cisco:asa and pan:traffic events have no uri_path, method, status or cookie, so they are discarded by the path filter and contribute nothing; the query is effectively driven by access_combined and stream:http. Second, stock access_combined has no cookie field at all, so isnull(cookie) is true for every event and every successful admin login, legitimate or not, counts as a bypass indicator; either log the Cookie header on the web tier, use stream:http, or restrict the bypass test to stream:http events.
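As an added example, not code from the page or from Quest, the same rules are reimplemented below in Python and run over constructed access-log lines, so the precedence and cookie behaviour of the query can be checked offline. It assumes the web tier logs the Cookie header as one extra quoted field at the end of each combined-format line, groups by source IP only because the log lines carry no dest_ip or dest_port, and takes an optional allowlist for the known-administrator and scanner sources listed under False Positives & Tuning.

```python
"""Reference implementation of the KACE SMA bypass detection over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format with the Cookie header appended as one more quoted field.
# Assumption: the web tier in front of KACE SMA logs it; stock access_combined
# carries no cookie, and without it the SPL's cookie test fires on every request.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri_path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?$'
)
PRIVILEGED_PATH = re.compile(r"^/(admin|userui|api/users|service)")       # the query's path filter
PROBE_PATH = re.compile(r"(?i)(admin|userui|api/users|service/ambari)")    # is_admin_probe
BYPASS_PATH = re.compile(r"(?i)(admin|userui)")                            # is_auth_bypass

# Constructed sample: an unauthenticated prober, a real admin with a session cookie,
# a single unauthenticated hit, a benign page view, and a noisy scanner collecting 401s.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2025:10:15:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [12/Jun/2025:10:15:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [12/Jun/2025:10:15:03 +0000] "GET /userui/ HTTP/1.1" 302 0 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [12/Jun/2025:10:15:04 +0000] "GET /api/users HTTP/1.1" 200 2048 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [12/Jun/2025:10:15:05 +0000] "GET /service/ambari HTTP/1.1" 404 196 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [12/Jun/2025:10:15:06 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "curl/8.5.0" "-"',
    '10.0.0.5 - - [12/Jun/2025:10:20:00 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "kboxid=4f1e2c8a7b9d3e6f0a1b2c3d"',
    '10.0.0.5 - - [12/Jun/2025:10:20:05 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "kboxid=4f1e2c8a7b9d3e6f0a1b2c3d"',
    '198.51.100.4 - - [12/Jun/2025:10:25:00 +0000] "GET /userui/ HTTP/1.1" 200 4096 "-" "python-requests/2.32" "-"',
    '192.0.2.10 - - [12/Jun/2025:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
] + [
    f'10.0.0.9 - - [12/Jun/2025:10:40:{i:02d} +0000] "GET /admin/{i} HTTP/1.1" 401 0 "-" "scanner/1.0" "-"'
    for i in range(25)
]


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # "-" is how the web server writes an absent header; treat it like Splunk's null.
    rec["cookie"] = None if rec["cookie"] in (None, "", "-") else rec["cookie"]
    return rec


def is_auth_bypass(rec):
    """(200 or 302) AND admin|userui path AND (no cookie OR cookie shorter than 10)."""
    return (rec["status"] in (200, 302)
            and BYPASS_PATH.search(rec["uri_path"]) is not None
            and (rec["cookie"] is None or len(rec["cookie"]) < 10))


def is_admin_probe(rec):
    """GET against one of the administrative paths the query watches."""
    return rec["method"] == "GET" and PROBE_PATH.search(rec["uri_path"]) is not None


def risk_score(bypass, count, distinct):
    """Same case() ladder as the SPL's risk_score eval."""
    if bypass > 0 and count > 20:
        return "critical"
    if bypass > 0:
        return "high"
    if count > 50 and distinct > 5:
        return "high"
    if count > 20:
        return "medium"
    return "low"


def detect(lines, allowlist=frozenset()):
    """Group privileged-path requests by source and return the ones crossing the threshold.

    allowlist holds source IPs to suppress (known admin hosts, health checks, scanners).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src_ip"] in allowlist:
            continue
        if not PRIVILEGED_PATH.match(rec["uri_path"]):
            continue
        groups[rec["src_ip"]].append(rec)

    results = {}
    for src, recs in groups.items():
        count = len(recs)
        bypass = sum(is_auth_bypass(r) for r in recs)
        endpoints = sorted({r["uri_path"] for r in recs})
        if count > 5 or bypass > 0:          # the query's post-stats where clause
            results[src] = {
                "first_seen": min(r["time"] for r in recs).isoformat(),
                "last_seen": max(r["time"] for r in recs).isoformat(),
                "request_count": count,
                "distinct_endpoints": len(endpoints),
                "endpoints": endpoints,
                "response_codes": sorted({r["status"] for r in recs}),
                "probe_indicators": sum(is_admin_probe(r) for r in recs),
                "auth_bypass_indicators": bypass,
                "risk_score": risk_score(bypass, count, len(endpoints)),
            }
    return results


if __name__ == "__main__":
    for src, row in sorted(detect(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["request_count"]):
        print(src, row["risk_score"], row["request_count"], row["auth_bypass_indicators"], row["endpoints"])
```

Running it lists 203.0.113.7 as high (four unauthenticated 200/302 responses on /admin and /userui), 198.51.100.4 as high on a single hit, and the scanner 10.0.0.9 as medium on volume alone; the administrator at 10.0.0.5 never appears because its session cookie is long enough and its request count is below the threshold. Passing `allowlist={"10.0.0.9"}` removes the scanner row, which is the tuning the False Positives section describes.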
Data Sources
- HTTP access logs from the KACE SMA web tier or a reverse proxy in front of it, or Splunk Stream HTTP captures; these carry the uri_path, method, status and cookie fields the bypass logic depends on
- Firewall traffic logs (Cisco ASA, Palo Alto) carry only src_ip, dest_ip and dest_port; as the query is written they are dropped by the uri_path filter and add nothing beyond the source/destination grouping
Required Sourcetypes
- access_combined (cookie field only present if the web server's log format was extended to include the Cookie header)
- stream:http
- cisco:asa, pan:traffic (optional, see Data Sources)
False Positives & Tuning
- Authorized administrators accessing KACE management interface from known IP addresses
- Internal monitoring and health-check systems polling KACE API endpoints
- Security scanners performing scheduled vulnerability assessments against KACE SMA
- Session management issues causing legitimate users to have missing or short cookie values
Testing Methodology
Validate this detection against the 3 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: KACE SMA Unauthenticated Admin Endpoint Enumeration
Expected signal: Web server access logs showing GET requests to /admin, /userui, /api/users, /service/ambari without authentication cookies; network flow records showing HTTP connections to KACE SMA on port 443
- Test 2: KACE SMA Authentication Bypass Simulation via Missing Auth Header
Expected signal: Web server logs showing requests to /admin/, /admin/index.php, /api/users with empty or missing authentication cookies; HTTP response codes indicating whether bypass was successful (200/302) or properly rejected (401/403)
- Test 3: Post-Exploitation KACE Agent Script Deployment Simulation
Expected signal: KACE SMA audit log entry showing script creation by the test account; network logs showing authentication followed by POST request to /api/script; SIEM alert on new script creation event from an account that recently logged in from an unusual IP