Bypass Record

Exploitation for Priv-Esc × Quest KACE Agent for Windows

A publicly-reported instance of Exploitation for Priv-Esc bypassing Quest KACE Agent for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Quest KACE Agent for Windows
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
High
Status
unknown
Disclosed
2024-04-30
Config / version noted
Yes

Provenance

Reported as

unquoted Windows search path vulnerability in Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0

Mechanism

The KSchedulerSvc.exe and AMPTools.exe components are registered with an unquoted service path. Because Windows resolves an unquoted path containing spaces by trying each space-delimited prefix in turn, a local attacker can place a malicious executable at one of the intermediate paths that is tried before the intended executable, and it runs with NT AUTHORITY\SYSTEM privileges when the service starts.

Detection & mitigation

Monitor for unexpected child processes of services with unquoted service paths, especially those launched from unexpected paths such as C:\Program.exe or C:\Program Files\Quest\KACE\AMPTools.exe. Mitigate by ensuring all service paths are quoted and applying vendor patches.
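An added PowerShell audit, not part of the cited record or of the vendor's tooling, that lists services whose binary path is unquoted and contains a space (the condition described above), reports the intermediate paths Windows would try first (such as C:\Program.exe) together with whether a file already sits at one of them, and can apply the quoting mitigation to the service's registry entry. The function names are my own; run from an elevated prompt.

```powershell
# Added example: audit services for unquoted paths with spaces and,
# optionally, quote them. Not code from the cited advisory.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if ([string]::IsNullOrWhiteSpace($raw)) { return }
        # Already quoted: the service control manager does not split on spaces.
        if ($raw.TrimStart().StartsWith('"')) { return }
        # Executable portion is everything up to the first ".exe"; trailing
        # arguments do not take part in path resolution.
        $m = [regex]::Match($raw, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $raw }
        if ($exe -notmatch '\s') { return }
        # Paths tried before the real one: each space-delimited prefix + ".exe",
        # e.g. C:\Program.exe for C:\Program Files\Quest\KACE\AMPTools.exe.
        $parts = $exe -split '\s+'
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name         = $_.Name
            StartName    = $_.StartName
            PathName     = $raw
            PathsToCheck = $candidates -join '; '
            # A file already present at any of those paths warrants investigation.
            Planted      = [bool]($candidates | Where-Object { Test-Path -LiteralPath $_ })
        }
    }
}

# Mitigation: wrap the executable portion of ImagePath in quotes. ImagePath is
# the value that "sc.exe config <name> binPath=" writes; ExpandString keeps
# any %SystemRoot%-style entry working.
function Repair-ServicePathQuoting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($path.TrimStart().StartsWith('"')) { return }     # nothing to do
    $m = [regex]::Match($path, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }                        # e.g. driver .sys paths
    $quoted = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $quoted")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $quoted -Type ExpandString
    }
}

# Usage: Get-UnquotedServicePath | Format-Table -AutoSize
#        Repair-ServicePathQuoting -Name '<ServiceName>' -WhatIf   # placeholder name
```

Services re-read ImagePath on their next start, so a quoted path takes effect after a restart of the service or host.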


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.