Quest KACE Systems Management Appliance
Severity: Low Risk (CVSS 2.7)
Source: ICS-CERT ICSA-19-183-02
Published: Jul 2, 2019
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Quest KACE Systems Management Appliance allows an administrative user to unintentionally gain access to the underlying operating system due to improper input validation. This affects all versions 8.0.x, 8.1.x, and 9.0.x. Quest recommends upgrading to Version 9.1 or newer.
What this means
What could happen
An administrative user could unintentionally gain access to the underlying operating system on a KACE SMA device, potentially allowing command execution or configuration changes outside of normal management controls.
Who's at risk
System administrators and IT operations teams who rely on Quest KACE Systems Management Appliance (SMA) for asset management, patch deployment, and system monitoring across networks. This includes utilities and water authorities that use KACE for device lifecycle management.
How it could be exploited
An attacker with administrative credentials on the KACE SMA could exploit improper input validation to bypass application controls and access the underlying OS shell or command interface. This requires the attacker to already hold valid admin credentials to the appliance.
Prerequisites
- Valid administrative credentials for KACE SMA
- Network access to KACE SMA management interface
- Ability to log in to the appliance as an administrator
Tags: requires admin credentials, low CVSS score, no public exploits, affects systems management appliance
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3), 3 with fix
Product       | Affected Versions | Fix Status
KACE SMA: All | 8.1.x             | 9.1 or newer
KACE SMA: All | 9.0.x             | 9.1 or newer
KACE SMA: All | 8.0.x             | 9.1 or newer
Remediation & Mitigation
Do now
- HARDENING: Restrict system access to authorized personnel only and enforce least privilege for admin accounts
- HARDENING: Isolate KACE SMA behind a firewall and restrict network access to the management interface from trusted networks only
- HARDENING: Ensure KACE SMA is not directly accessible from the Internet
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade KACE SMA to Version 9.1 or newer
Long-term hardening
- HARDENING: Use VPN or other secure remote access methods if remote management is required
CVEs (1)