CVE-2025-32978
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-11-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-32978 is a vulnerability in Quest KACE Systems Management Appliance (SMA) versions before certain patched releases. It allows unauthenticated users to replace valid system licenses through a web interface intended for license renewal. Attackers can exploit this flaw to substitute valid licenses with expired or trial licenses, causing denial of service by corrupting the license and disrupting administrative functions. This vulnerability is due to missing authentication for a critical function. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial of service on the affected Quest KACE SMA system. Attackers can replace valid licenses with expired or trial licenses without authentication, which corrupts the license and disrupts administrative functions, potentially preventing normal operation and management of the system. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Administrators should immediately update Quest KACE Systems Management Appliance (SMA) to the patched versions: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4) to mitigate the vulnerability. Applying these updates will prevent unauthenticated users from exploiting the license replacement flaw and avoid denial of service. [1, 2]