Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
The vulnerability (CWE-287 — improper authentication) lies in the SSO (Single Sign-On) authentication handling mechanism. An attacker, remotely and without any privileges or user interaction, can craft a request that will be incorrectly treated by the system as coming from an authenticated user. As a result, the attacker is able to successfully impersonate any user, including an administrator, without knowing their password or other authentication credentials.
An attacker can obtain full administrative privileges over the KACE SMA device, which consequently gives them control over managed IT resources — complete takeover of infrastructure management system (compromise of confidentiality, integrity, and availability).
Quest KACE SMA must be immediately updated to version: 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5) or 14.1.101 (Patch 4) in accordance with the vendor's advisory available at: https://support.quest.com/kb/4379499. Until the patch is applied, it is recommended to restrict access to the management interface only to trusted networks.
Quest KACE Systems Management Appliance (SMA) in versions: 13.0.x prior to 13.0.385, 13.1.x prior to 13.1.81, 13.2.x prior to 13.2.183, 14.0.x prior to 14.0.341 (Patch 5), and 14.1.x prior to 14.1.101 (Patch 4)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HQuest Kace Systems Management Appliance
APPQuest13.0 – 13.0.385 (bez)13.1 – 13.1.81 (bez)13.2 – 13.2.183 (bez)14.0 – 14.0.341 (bez)14.1 – 14.1.101 (bez)
CISA KEV — detailsi
- Vendori
- Quest
- Producti
- KACE Systems Management Appliance (SMA)
- Added to KEVi
- April 20, 2026
- Remediation deadline (US Federal)i
- May 4, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.
Related vulnerabilities
A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that ca...
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authenticat...
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affe...
SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appli...
In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when applia...