Quest KACE Desktop Authority versions up to 11.3.1 contain a vulnerability related to insecure permissions on Named Pipes used for inter-process communication (IPC).
Researchers from NetSPI (Ceri Coburn and team) discovered that these Named Pipes were created without proper access control restrictions. As a result, an unauthorized local user could access these pipes, leading to unintended interactions or privilege escalation within the application context.
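To check for this class of weakness on a host, the following added example (not code from Quest or the researchers) audits a named pipe's security descriptor, given as an SDDL string, for allow ACEs that grant write access to principals covering any local user. The SDDL strings are constructed samples, not the product's actual pipe descriptors, and the function names are hypothetical.

```python
import re

# SDDL aliases and raw SIDs for principals that cover any local user.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "AN": "Anonymous", "S-1-5-7": "Anonymous",
         "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
         "IU": "Interactive", "S-1-5-4": "Interactive"}

# Two-letter SDDL rights -> access-mask bits (subset; unknown codes count as 0).
RIGHTS = {"GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x001F01FF, "FW": 0x00120116, "FR": 0x00120089,
          "DC": 0x2, "WD": 0x00040000, "WO": 0x00080000}
# FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, WRITE_OWNER
WRITE_BITS = 0x2 | 0x40000000 | 0x10000000 | 0x00040000 | 0x00080000

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(" + ";".join(["([^;()]*)"] * 6) + r"\)")

def mask_of(rights):
    """Convert an SDDL rights field (hex mask or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def audit_pipe_sddl(sddl):
    """Return findings for allow ACEs that give broad principals write access."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if dacl is None or "NO_ACCESS_CONTROL" in dacl.group(1):
        return ["NULL DACL: every caller has full access"]
    findings = []
    for ace_type, _fl, rights, _og, _ig, sid in ACE_RE.findall(dacl.group(1)):
        if ace_type == "A" and sid in BROAD and mask_of(rights) & WRITE_BITS:
            findings.append(f"{BROAD[sid]} allowed write (rights={rights})")
    return findings

# Constructed samples: a pipe open to Everyone and one limited to SYSTEM/Administrators.
WEAK_PIPE = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)"
HARDENED_PIPE = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_PIPE), ("hardened", HARDENED_PIPE)):
        print(name, audit_pipe_sddl(sddl) or "no broad write access")
```

Deny ACEs and ACE ordering are not evaluated, so treat an empty result as "no obvious broad write grant" rather than proof that the pipe is locked down.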
Impact:
- Attack Vector: Local
- Severity: High (based on potential unauthorized access)
- Affected Versions: Quest KACE Desktop Authority ≤ 11.3.1
- Fixed Version: 11.3.2
Quest has released a patch addressing this issue in version 11.3.2, published on November 3, 2025.
Action Required:
- Upgrade to Quest KACE Desktop Authority 11.3.2 or later immediately to mitigate this vulnerability.