Message-ID: <DB3PR10MB6809F2BE5D02F4A5BFEC1E9ED079A@DB3PR10MB6809.EURPRD10.PROD.OUTLOOK.COM>
Date: Mon, 23 Jun 2025 22:47:23 +0000
From: Seralys Research Team via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload

     Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title:       Unauthenticated Backup Upload
Product:     Quest KACE Systems Management Appliance (SMA)
Affected:    Confirmed on 14.1 (older versions likely affected)
Fixed in:    13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5),
             14.1.101 (Patch 4)
Vendor:      Quest Software
Discovered:  April 2025
Severity:    CRITICAL
CWE:         CWE-347: Improper Verification of Cryptographic Signature
CVE:         CVE-2025-32977
CVSS:        9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Discovered by: Philippe Caturegli & Mohamed Mahmoudi (Seralys)

======================================================================
Overview
--------

Quest KACE SMA allows unauthenticated users to upload backup files to
the system. While signature validation is implemented, weaknesses in 
the validation process can be exploited to upload malicious backup 
content that could compromise system integrity.

======================================================================
Impact
------

- Unauthenticated backup file upload capability
- Potential for malicious data injection
- System integrity compromise

======================================================================
Vendor Response
---------------

Quest has released a fix for this vulnerability as part of a 
coordinated disclosure effort. Details and patch availability are 
documented in their advisory:

https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978

The issue has been resolved via hotfix or patch in the following KACE 
SMA versions:

- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)

Administrators are strongly encouraged to update to one of the patched 
versions.

======================================================================
Timeline
--------
- 2025-04-14: Initial report submitted to Quest Software
- 2025-04-14: Vendor acknowledged receipt and initiated coordination
- 2025-05-08: Quest shared a preliminary hotfix with Seralys
- 2025-05-17: Seralys confirmed hotfix addressed the reported issues
- 2025-05-27: Quest publicly released the hotfix for CVE-2025-32977
- 2025-06-23: High-level public disclosure by Seralys

Note: Detailed technical information and proof-of-concept code will be 
released after the standard 90-day disclosure period to allow 
organizations additional time to apply patches.

======================================================================
About Seralys
--------------

Seralys is a boutique penetration testing firm with offices in Europe 
and North America. We provide high value-add penetration testing and 
security assessments.

https://www.seralys.com

======================================================================
Acknowledgments
---------------

Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================
Disclaimer
----------

This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
