CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service.
Analysis (AI-generated)
CVE-2025-32978 is an unauthenticated license replacement vulnerability in Quest KACE Systems Management Appliance: an attacker can replace a valid license with an expired or trial license through a web interface, causing denial of service. The vulnerability affects KACE SMA versions 13.0.x through 14.1.x across multiple release branches. It is exploitable over the network with no privileges and no user interaction, which makes it a high-impact availability threat to organizations that rely on KACE for systems management.
Technical Context (AI-generated)
The vulnerability stems from missing authentication controls (CWE-306: Missing Authentication for Critical Function) on the license renewal web interface in Quest KACE SMA. The license management subsystem does not verify that the user requesting a license replacement is authorized, so any unauthenticated attacker with network access can invoke the license replacement function. KACE SMA is a unified endpoint and systems management platform deployed across enterprise infrastructure, typically managing thousands of endpoints. The affected CPE would be: cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*. The root cause is improper access control on a critical administrative function: a state-altering operation on system licenses should require authentication and authorization checks before it is allowed.
Remediation (AI-generated)
- action: Apply Vendor Patches; details:
  - Upgrade KACE SMA 13.0.x to 13.0.385 or later
  - Upgrade KACE SMA 13.1.x to 13.1.81 or later
  - Upgrade KACE SMA 13.2.x to 13.2.183 or later
  - Upgrade KACE SMA 14.0.x to 14.0.341 Patch 5 or later
  - Upgrade KACE SMA 14.1.x to 14.1.101 Patch 4 or later
- action: Network Segmentation; details: Restrict network access to KACE SMA web interface to trusted administrative networks only; do not expose to untrusted/internet-facing segments until patched
- action: Access Controls; details: Implement network-level authentication (VPN, bastion hosts) for KACE SMA administrative access; monitor web interface access logs for suspicious license replacement requests
- action: License Monitoring; details: Implement alerting on license status changes; periodically verify license validity matches organizational records
- action: Vendor Advisory; details: Consult official Quest/KACE security advisories and release notes for affected versions; prioritize patching in change management process
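The log-monitoring and license-monitoring items above, as an added example that is not Quest/KACE code: `suspicious_license_requests` flags state-changing requests to the license interface that carry no authenticated user or session (or come from outside the admin networks), and `license_drift` compares the license the appliance currently reports with the organization's own record. The Common Log Format with a trailing `session=` field, the placeholder path `/PLACEHOLDER/license_renewal`, the trusted network prefix and the sample records are all constructed assumptions; the advisory names no endpoint or log format.

```python
"""Defender-side checks for the monitoring items above (added example, not vendor code).
Assumptions not taken from the advisory: access log in Common Log Format with a
trailing 'session=<id>' field (constructed), license interface at LICENSE_PATH (placeholder)."""
import re
from datetime import date

LICENSE_PATH = "/PLACEHOLDER/license_renewal"  # take the real path from your appliance's logs
TRUSTED_NETS = ("10.10.0.",)                   # admin network prefixes (constructed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ session=(?P<session>\S+)$')

def suspicious_license_requests(log_lines):
    """Flag state-changing requests to the license interface that carry no
    authenticated user/session or originate outside the admin networks."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        if m["path"].split("?", 1)[0] != LICENSE_PATH:
            continue
        if m["user"] == "-" or m["session"] == "-":
            hits.append((m["ip"], "unauthenticated"))
        elif not m["ip"].startswith(TRUSTED_NETS):
            hits.append((m["ip"], "untrusted_source"))
    return hits

def license_drift(observed, expected, today):
    """Compare the license the appliance reports with the organization's own record;
    a valid license swapped for a trial or an expired one shows up here."""
    problems = []
    if observed["type"] != expected["type"]:
        problems.append("type changed: %s -> %s" % (expected["type"], observed["type"]))
    if observed["expires"] < expected["expires"]:
        problems.append("expiry moved earlier")
    if observed["expires"] < today:
        problems.append("license expired")
    return problems

# Constructed sample data: a normal renewal by an admin, an unauthenticated
# replacement from an outside address, and a read-only request that is not flagged.
SAMPLE_LOG = [
    '10.10.0.5 - admin [01/Jul/2025:10:00:00 +0000] "POST /PLACEHOLDER/license_renewal HTTP/1.1" 200 512 session=abc123',
    '203.0.113.7 - - [01/Jul/2025:10:05:00 +0000] "POST /PLACEHOLDER/license_renewal HTTP/1.1" 200 512 session=-',
    '203.0.113.7 - - [01/Jul/2025:10:05:01 +0000] "GET /PLACEHOLDER/license_renewal HTTP/1.1" 200 512 session=-',
]
EXPECTED = {"type": "perpetual", "expires": date(2026, 12, 31)}
OBSERVED = {"type": "trial", "expires": date(2025, 7, 15)}
```

Run both functions on the appliance's real access log lines and its current license record; on the constructed sample the first returns one unauthenticated hit from 203.0.113.7 and the second reports a type change, an earlier expiry and an expired license.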
Related identifier (EUVD): EUVD-2025-27831