| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <DB3PR10MB68094A18BE59C71598DA541AD079A@DB3PR10MB6809.EURPRD10.PROD.OUTLOOK.COM>
Date: Mon, 23 Jun 2025 22:48:48 +0000
From: Seralys Research Team via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2025-32978 - Quest KACE SMA Unauthenticated License
Replacement
Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title: Unauthenticated License Replacement
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025
Severity: HIGH
CWE: CWE-306: Missing Authentication for Critical Function
CVE: CVE-2025-32978
CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Discovered by: Philippe Caturegli & Mohamed Mahmoudi (Seralys)
======================================================================
Overview
--------
Quest KACE SMA allows unauthenticated users to replace system licenses
through a web interface intended for license renewal. Attackers can
exploit this to replace valid licenses with expired or trial licenses,
causing denial of service.
======================================================================
Impact
------
Unauthenticated license replacement capability
Denial of service through license corruption
Administrative function disruption
======================================================================
Vendor Response
---------------
Quest has released a fix for this vulnerability as part of a
coordinated disclosure effort. Details and patch availability are
documented in their advisory:
https://support.quest.com/kb/4379499/quest-response-to-kace-sma-
vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-
cve-2025-32978
The issue has been resolved via hotfix or patch in the following KACE
SMA versions:
- 13.0.385
- 13.1.81
- 13.2.183
- 14.0.341 (Patch 5)
- 14.1.101 (Patch 4)
Administrators are strongly encouraged to update to one of the patched
versions.
======================================================================
Timeline
--------
- 2025-04-14: Initial report submitted to Quest Software
- 2025-04-14: Vendor acknowledged receipt and initiated coordination
- 2025-05-08: Quest shared a preliminary hotfix with Seralys
- 2025-05-17: Seralys confirmed hotfix addressed the reported issues
- 2025-05-27: Quest publicly released the hotfix for CVE-2025-32978
- 2025-06-23: High level public disclosure by Seralys
Note: Detailed technical information and proof-of-concept code will be
released after the standard 90-day disclosure period to allow
organizations additional time to apply patches.
======================================================================
About Seralys
--------------
Seralys is a boutique penetration testing firm with offices in Europe
and North America. We provide high value-add penetration testing and
security assessments.
https://www.seralys.com
======================================================================
Acknowledgments
---------------
Special shoutout to our fellow researchers at BastardLabs. \m/
======================================================================
Disclaimer
----------
This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.
EOF
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists