Quest KACE Systems Management Appliance up to 14.0.96/14.1.18 Agent authorization

Summaryinfo

A vulnerability classified as critical was found in Quest KACE Systems Management Appliance up to 14.0.96/14.1.18. Affected by this issue is some unknown functionality of the component Agent. Executing a manipulation can lead to authorization. This vulnerability is handled as CVE-2025-26850. It is possible to launch the attack on the local host. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in Quest KACE Systems Management Appliance up to 14.0.96/14.1.18 and classified as critical. This vulnerability affects an unknown function of the component Agent. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-863. The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.

The advisory is available at support.quest.com. This vulnerability was named CVE-2025-26850 since 02/16/2025. The exploitation appears to be easy. Local access is required to approach this attack. The technical details are unknown and an exploit is not available.

Upgrading to version 14.0.97 or 14.1.19 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-20096). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Endpoint Management Software

Vendor

• Quest

Name

• KACE Systems Management Appliance

Version

• 14.0.0
• 14.0.1
• 14.0.2
• 14.0.3
• 14.0.4
• 14.0.5
• 14.0.6
• 14.0.7
• 14.0.8
• 14.0.9
• 14.0.10
• 14.0.11
• 14.0.12
• 14.0.13
• 14.0.14
• 14.0.15
• 14.0.16
• 14.0.17
• 14.0.18
• 14.0.19
• 14.0.20
• 14.0.21
• 14.0.22
• 14.0.23
• 14.0.24
• 14.0.25
• 14.0.26
• 14.0.27
• 14.0.28
• 14.0.29
• 14.0.30
• 14.0.31
• 14.0.32
• 14.0.33
• 14.0.34
• 14.0.35
• 14.0.36
• 14.0.37
• 14.0.38
• 14.0.39
• 14.0.40
• 14.0.41
• 14.0.42
• 14.0.43
• 14.0.44
• 14.0.45
• 14.0.46
• 14.0.47
• 14.0.48
• 14.0.49
• 14.0.50
• 14.0.51
• 14.0.52
• 14.0.53
• 14.0.54
• 14.0.55
• 14.0.56
• 14.0.57
• 14.0.58
• 14.0.59
• 14.0.60
• 14.0.61
• 14.0.62
• 14.0.63
• 14.0.64
• 14.0.65
• 14.0.66
• 14.0.67
• 14.0.68
• 14.0.69
• 14.0.70
• 14.0.71
• 14.0.72
• 14.0.73
• 14.0.74
• 14.0.75
• 14.0.76
• 14.0.77
• 14.0.78
• 14.0.79
• 14.0.80
• 14.0.81
• 14.0.82
• 14.0.83
• 14.0.84
• 14.0.85
• 14.0.86
• 14.0.87
• 14.0.88
• 14.0.89
• 14.0.90
• 14.0.91
• 14.0.92
• 14.0.93
• 14.0.94
• 14.0.95
• 14.0.96
• 14.1.0
• 14.1.1
• 14.1.2
• 14.1.3
• 14.1.4
• 14.1.5
• 14.1.6
• 14.1.7
• 14.1.8
• 14.1.9
• 14.1.10
• 14.1.11
• 14.1.12
• 14.1.13
• 14.1.14
• 14.1.15
• 14.1.16
• 14.1.17
• 14.1.18

License

• commercial

Website

• Vendor: https://www.quest.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion