Description
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.
References (4)
Core 4
Core References
Various Sources
https://seralys.com/research/CVE-2025-32976.txt
Various Sources
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978
Mailing List
https://seclists.org/fulldisclosure/2025/Jun/23
Mailing List
http://seclists.org/fulldisclosure/2025/Jun/25
Scores
CVSS v3
8.8
EPSS
0.0079
EPSS Percentile
51.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-288
Status
published
Published
Jun 24, 2025
Tracked Since
Feb 18, 2026