CVE-2025-32977

CRITICAL

Quest KACE SMA <14.1.101 - Info Disclosure

Title source: llm

Description

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to upload backup files to the system. While signature validation is implemented, weaknesses in the validation process can be exploited to upload malicious backup content that could compromise system integrity.

References (4)

[Various Sources] https://seralys.com/research/CVE-2025-32977.txt

[Various Sources] https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978

[Mailing List] https://seclists.org/fulldisclosure/2025/Jun/24

[Mailing List] http://seclists.org/fulldisclosure/2025/Jun/25

Scores

CVSS v3 9.6

EPSS 0.0023

EPSS Percentile 45.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-347

Status published

Published Jun 24, 2025

Tracked Since Feb 18, 2026