CVE-2025-26850 CRITICAL

CVE-2025-26850

Vendor Quest

Product KACE Systems Management Appliance

Weakness CWE-863 · Incorrect authorization

Published July 4, 2025

Last update July 8, 2025

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.

Key dates

02Disclosure timeline

July 4, 2025 CVE published

July 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-26850 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2025-41246 Improper authorisation vulnerability CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval CVE-2026-41189 FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads CVE-2025-13432 Terraform Enterprise state versions can be created by users with specific permissions without sufficient write access CVE-2023-28698 WADE DIGITAL DESIGN CO, LTD. FANTSY - Broken Acesss Control

Identifiers

CVE CVE-2025-26850

CWE CWE-863

CVSS 9.3 / CRITICAL

Affected versions

Vendor Quest

Product KACE Systems Management Appliance

Affected < 14.0.97

Vendor Quest

Product KACE Systems Management Appliance

Affected ≥ 14.1.0 and < 14.1.19