One unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)

Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.

Check

Inventory Quest KACE SMA instances reachable from the public internet, check their version against the May 2025 patched build, and review helpdesk tickets and asset records for sensitive material that would surface in a database dump.

Affected

Quest KACE Systems Management Appliance (SMA) instances at or below the pre-May 2025 patched version. CVSS 10.0 unauthenticated SSO impersonation. CISA KEV-listed since April 2026.

Fix

Apply Quest's May 2025 patched version immediately. Remove KACE SMA from direct internet exposure (place behind VPN or firewall), rotate KACE admin credentials, and audit for unauthorized accounts created via runkbot.exe.