Key Information

| Field | Value |
|---|---|
| Vulnerability Title | Unauthenticated Backup Upload |
| Affected Product | Quest KACE Systems Management Appliance (SMA) |
| Affected Versions | 14.1 (older versions may also be affected) |
| Fixed Versions | 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4) |
| Vendor | Quest Software |
| Discovery Date | April 2025 |
| Security Severity | CRITICAL |
| CWE ID | CWE-347: Improper Verification of Cryptographic Signature |
| CVE ID | CVE-2025-32977 |
| CVSS Score | 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) |
| Discoverers | Philippe Caturegli & Mohamed Mahmoudi (Seralys) |

Overview

Quest KACE SMA allows unauthenticated users to upload backup files to the system. Although cryptographic signature verification is implemented, weaknesses in the verification process can be exploited to upload malicious backup content, thereby compromising system integrity.

Impact

- Ability to upload backup files without authentication
- Potential for malicious data injection
- Compromised system integrity

Vendor Response

Quest has released patches to address this vulnerability and documented patch availability during coordinated disclosure. The patches resolve the issue in the following KACE SMA versions via hotfixes or patches:

- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)

Timeline

- 2025-04-14: Initial report submitted to Quest Software
- 2025-04-14: Vendor acknowledged and began coordination
- 2025-05-08: Quest shared initial hotfix with Seralys
- 2025-05-17: Seralys confirmed the hotfix resolved the reported issue
- 2025-05-27: Quest publicly released the hotfix for CVE-2025-32977
- 2025-06-23: High-level public disclosure by Seralys