CVE-2025-61932
published 2025-10-20
CVE-2025-61932: Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an…
Priority P188 · critical · 9.3 (CVSS 4.0)
CISA Known Exploited Vulnerability, due 2025-11-12
Exploited in the wild
EPSS: 2.69% (84.0th percentile)
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motex | lanscope_endpoint_manager | < 9.3.2.7 | 9.3.2.7 |
| motex | lanscope_endpoint_manager | >= 9.3.3.0 < 9.3.3.9 | 9.3.3.9 |
| motex | lanscope_endpoint_manager | >= 9.4.0.0 < 9.4.0.5 | 9.4.0.5 |
| motex | lanscope_endpoint_manager | >= 9.4.1.0 < 9.4.1.5 | 9.4.1.5 |
| motex | lanscope_endpoint_manager | >= 9.4.2.0 < 9.4.2.6 | 9.4.2.6 |
| motex | lanscope_endpoint_manager | >= 9.4.3.0 < 9.4.3.8 | 9.4.3.8 |
| motex | lanscope_endpoint_manager | >= 9.4.4.0 < 9.4.4.6 | 9.4.4.6 |
| motex | lanscope_endpoint_manager | >= 9.4.5.0 < 9.4.5.4 | 9.4.5.4 |
| motex | lanscope_endpoint_manager | >= 9.4.6.0 < 9.4.6.3 | 9.4.6.3 |
| motex | lanscope_endpoint_manager | 9.4.7.0 – 9.4.7.1 | — |
| motex_inc | lanscope_endpoint_manager_and_detection_agent | — | — |
Detection & IOCs (extracted from sources)
- Monitor for Gokcpdoor malware activity establishing proxy/multiplexed C2 connections; the newest variant has dropped KCP protocol support and added multiplexed C2 communication.
- Detect DLL sideloading into legitimate executables used to load the final payload via OAED Loader; look for unexpected DLL loads by trusted/signed processes.
- Hunt for Havoc C2 framework artifacts on hosts running Lanscope Endpoint Manager clients, as attackers used it as an alternative to Gokcpdoor in some intrusions.
- Monitor for use of goddi (Active Directory dumper), Remote Desktop, and 7-Zip in combination on endpoints running Lanscope MR/DA client, as these were used for post-exploitation data exfiltration.
- Alert on outbound connections from Lanscope client processes to cloud storage services (LimeWire, Piping Server) which were used as exfiltration points.
- Exploitation results in code execution with SYSTEM privileges; look for SYSTEM-level process spawning from Lanscope MR or DA client processes as a high-fidelity indicator of compromise.
- The vulnerability affects only the client-side components (MR and DA); the Lanscope server/manager does not require upgrading.
- There are no workarounds or mitigations available; patching to a fixed client version is the only remediation.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.3 | CRITICAL | — |
| cisa | — | 9.3 | CRITICAL | — |
GHSA
GHSA-g3v5-cgpf-rr2h · CVE-2025-61932 [CRITICAL] CWE-940
ghsa_unreviewed · 2025-10-20
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.
VulnCheck
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability
vulncheck · 2025 · CVSS 9.3
CVE-2025-61932 [CRITICAL] CWE-940
Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.
Affected: Motex LANSCOPE Endpoint Manager
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://jvn.jp/en/jp/JVN86318557/index.html; https://www.motex.co.jp/news/notice/2025/release251020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://news.sophos.com/en-us/2025/10/30/bronze-butl
CISA
cisa · 2025-10-22 · CVSS 9.3
CVE-2025-61932 [CRITICAL] CWE-940
Vulnerability: Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability
Affected: Motex LANSCOPE Endpoint Manager
Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.motex.co.jp/news/notice/2025/release251020/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-61932
Remediation Due Date: 2025-11-12
No detection rules found.
No public exploits indexed.
Bleepingcomputer
## China-linked hackers exploited Lanscope flaw as a zero-day in attacks
blogs_bleepingcomputer · 2025-11-01 · CVSS 9.3 · [CRITICAL]
By Bill Toulas
China-linked cyber-espionage actors tracked as 'Bronze Butler' (Tick) exploited a Motex Lanscope Endpoint Manager vulnerability as a zero-day to deploy an updated version of their Gokcpdoor malware.
The discovery of this activity comes from Sophos researchers, who observed the threat actors exploiting the vulnerability in mid-2025 before it was patched to steal confidential information.
The flaw exploited in these attacks is CVE-2025-61932, a critical request origin verification flaw impacting Motex Lanscope Endpoint Manager versions 9.4.7.2 and earlier. It enables unauthenticated attackers to execute arbitrary code on the target with SYSTEM privileges via specially crafted packets.
Motex released
Bleepingcomputer
## CISA warns of Lanscope Endpoint Manager flaw exploited in attacks
blogs_bleepingcomputer · 2025-10-23 · CVSS 9.3 · CVE-2025-61932 [CRITICAL]
By Bill Toulas
The Cybersecurity & Infrastructure Security Agency (CISA) is warning that hackers are exploiting a critical vulnerability in the Motex Lanscope Endpoint Manager.
The flaw is tracked as CVE-2025-61932 and has a critical severity score of 9.3. It stems from improper verification of the origin of incoming requests, and could be exploited by an unauthenticated attacker to execute arbitrary code on the system by sending specially crafted packets.
Developed by Japanese firm Motex, a subsidiary of Kyocera Communication Systems, Lanscope Endpoint Manager is an endpoint management and security tool that provides unified control across desktop and mobile devices.
The product is offered as an asset/endpoint mana
Recorded Future
blogs_recorded_future · CVSS 9.8 · [CRITICAL]
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
- 2025-10-20: Published
- 2025-10-22: Added to CISA KEV