Message-ID: <DB3PR10MB680917731822F6A1AE64A937D079A@DB3PR10MB6809.EURPRD10.PROD.OUTLOOK.COM>
Date: Mon, 23 Jun 2025 22:44:34 +0000
From: Seralys Research Team via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2025-32976 - Quest KACE SMA 2FA Bypass

Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title:          2FA Bypass
Product:        Quest KACE Systems Management Appliance (SMA)
Affected:       Confirmed on 14.1 (older versions likely affected)
Fixed in:       13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
                14.1.101(Patch 4)
Vendor:         Quest Software
Discovered:     April 2025
Severity:       HIGH
CWE:            CWE-288: Authentication Bypass Using an Alternate Path
CVE:            CVE-2025-32976
CVSS:           8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Discovered by:  Philippe Caturegli & Mohamed Mahmoudi (Seralys)
======================================================================

Overview
--------
Quest KACE SMA contains a logic flaw in its two-factor authentication
implementation that allows authenticated users to bypass TOTP-based 2FA
requirements. The vulnerability exists in the 2FA validation process and
can be exploited to gain elevated access.

======================================================================

Impact
------
Bypass of TOTP-based two-factor authentication

======================================================================

Vendor Response
---------------
Quest has released a fix for this vulnerability as part of a coordinated
disclosure effort.

Details and patch availability are documented in their advisory:
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978

The issue has been resolved via hotfix or patch in the following KACE SMA
versions:

- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)

Administrators are strongly encouraged to update to one of the patched
versions.

======================================================================

Timeline
--------
- 2025-04-14: Initial report submitted to Quest Software
- 2025-04-14: Vendor acknowledged receipt and initiated coordination
- 2025-05-08: Quest shared a preliminary hotfix with Seralys
- 2025-05-17: Seralys confirmed hotfix addressed the reported issues
- 2025-05-27: Quest publicly released the hotfix for CVE-2025-32976
- 2025-06-23: High level public disclosure by Seralys

Note: Detailed technical information and proof-of-concept code will be
released after the standard 90-day disclosure period to allow
organizations additional time to apply patches.

======================================================================

About Seralys
--------------
Seralys is a boutique penetration testing firm with offices in Europe and
North America. We provide high value-add penetration testing and security
assessments.

https://www.seralys.com

======================================================================

Acknowledgments
---------------
Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================

Disclaimer
----------
This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/