Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated License Replacement Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity: HIGH CWE: CWE-306: Missing Authentication for Critical Function CVE: CVE-2025-32978 CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Discovered by: Philippe Caturegli & Mohamed Mahmoudi (Seralys) ====================================================================== Overview -------- Quest KACE SMA allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service. ====================================================================== Impact ------ Unauthenticated license replacement capability Denial of service through license corruption Administrative function disruption ====================================================================== Vendor Response --------------- Quest has released a fix for this vulnerability as part of a coordinated disclosure effort. Details and patch availability are documented in their advisory: https://support.quest.com/kb/4379499/quest-response-to-kace-sma- vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977- cve-2025-32978 The issue has been resolved via hotfix or patch in the following KACE SMA versions: - 13.0.385 - 13.1.81 - 13.2.183 - 14.0.341 (Patch 5) - 14.1.101 (Patch 4) Administrators are strongly encouraged to update to one of the patched versions. ====================================================================== Timeline -------- - 2025-04-14: Initial report submitted to Quest Software - 2025-04-14: Vendor acknowledged receipt and initiated coordination - 2025-05-08: Quest shared a preliminary hotfix with Seralys - 2025-05-17: Seralys confirmed hotfix addressed the reported issues - 2025-05-27: Quest publicly released the hotfix for CVE-2025-32978 - 2025-06-23: High level public disclosure by Seralys Note: Detailed technical information and proof-of-concept code will be released after the standard 90-day disclosure period to allow organizations additional time to apply patches. ====================================================================== About Seralys -------------- Seralys is a boutique penetration testing firm with offices in Europe and North America. We provide high value-add penetration testing and security assessments. https://www.seralys.com ====================================================================== Acknowledgments --------------- Special shoutout to our fellow researchers at BastardLabs. \m/ ====================================================================== Disclaimer ---------- This advisory is provided for coordinated disclosure purposes only. Reproduction or distribution for malicious use is strictly prohibited. EOF