CVE-2025-32977

Published: Jun 24, 2025Modified: Nov 3, 2025

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to upload backup files to the system. While signature validation is implemented, weaknesses in the validation process can be exploited to upload malicious backup content that could compromise system integrity.

Related CWEs

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://seclists.org/fulldisclosure/2025/Jun/24

Source: cve@mitre.org

https://seralys.com/research/CVE-2025-32977.txt

Source: cve@mitre.org

https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2025/Jun/25

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.