Key Information

Vulnerability Title: Unauthenticated License Replacement
Affected Product: Quest KACE Systems Management Appliance (SMA)
Affected Versions: Configuration 14.1 (older versions likely affected)
Fixed Versions: 13.0.385, 13.1.81, 13.2.183, 14.0.341[Patch 5], 14.1.101[Patch 4]
Vendor: Quest Software
Discovery Date: April 2025
Security Severity: HIGH
CWE and CVE Identifiers:
- CWE: CWE-306: Missing Authentication for Critical Function
- CVE: CVE-2025-32978
CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Discoverers: Philippe Caturegli & Mohamed Mahmoudi (Seralys)

Summary

Quest KACE SMA allows unauthenticated users to replace system licenses via a web interface intended for license renewal. Attackers can exploit this to substitute valid licenses with expired or trial licenses, resulting in a denial-of-service condition.

Impact

- Unauthenticated license replacement capability
- Denial of service via license corruption
- Disruption of management functions

Vendor Response

Quest has released fixes for this vulnerability and detailed the remediation steps and patch availability in their advisory. Hotfixes or patches are provided for affected versions.

Timeline

- 2025-04-14: Initial report submitted to Quest Software
- 2025-04-14: Vendor acknowledged receipt and initiated coordinated disclosure
- 2025-05-08: Quest shared an initial hotfix with Seralys
- 2025-05-17: Seralys confirmed the hotfix resolved the reported issue
- 2025-05-27: Quest publicly released the hotfix for CVE-2025-32978
- 2025-06-23: High-level public disclosure by Seralys