CVE-2025-32976

CVSS 8.8 (HIGH) · EPSS 0.2% · Published 2025-06-24

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-288

Markdown version · Threadlinqs Intelligence