CVE-2025-61932
published 2025-10-20


Priority: P188 · critical · 9.3 (CVSS 4.0)
CISA Known Exploited Vulnerability (KEV), due 2025-11-12
Exploited in the wild (ITW)
EPSS: 2.69% (84.0th percentile)
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.

Affected

11 ranges

Vendor      Product                                          Version range            Fixed in
motex       lanscope_endpoint_manager                        < 9.3.2.7                9.3.2.7
motex       lanscope_endpoint_manager                        >= 9.3.3.0, < 9.3.3.9    9.3.3.9
motex       lanscope_endpoint_manager                        >= 9.4.0.0, < 9.4.0.5    9.4.0.5
motex       lanscope_endpoint_manager                        >= 9.4.1.0, < 9.4.1.5    9.4.1.5
motex       lanscope_endpoint_manager                        >= 9.4.2.0, < 9.4.2.6    9.4.2.6
motex       lanscope_endpoint_manager                        >= 9.4.3.0, < 9.4.3.8    9.4.3.8
motex       lanscope_endpoint_manager                        >= 9.4.4.0, < 9.4.4.6    9.4.4.6
motex       lanscope_endpoint_manager                        >= 9.4.5.0, < 9.4.5.4    9.4.5.4
motex       lanscope_endpoint_manager                        >= 9.4.6.0, < 9.4.6.3    9.4.6.3
motex       lanscope_endpoint_manager                        9.4.7.0 – 9.4.7.1        (no fixed version listed)
motex_inc   lanscope_endpoint_manager_and_detection_agent    (no range listed)        (no fixed version listed)

Detection & IOCs (extracted from sources)

port: 38000
port: 38002
other: Gokcpdoor
other: OAED Loader
  • Monitor for Gokcpdoor malware activity establishing proxy/multiplexed C2 connections; the newest variant has dropped KCP protocol support and added multiplexed C2 communication.
  • Detect DLL sideloading into legitimate executables used to load the final payload via OAED Loader; look for unexpected DLL loads by trusted/signed processes.
  • Hunt for Havoc C2 framework artifacts on hosts running Lanscope Endpoint Manager clients, as attackers used it as an alternative to Gokcpdoor in some intrusions.
  • Monitor for use of goddi (Active Directory dumper), Remote Desktop, and 7-Zip in combination on endpoints running Lanscope MR/DA client, as these were used for post-exploitation data exfiltration.
  • Alert on outbound connections from Lanscope client processes to cloud storage services (LimeWire, Piping Server) which were used as exfiltration points.
  • Exploitation results in code execution with SYSTEM privileges; look for SYSTEM-level process spawning from Lanscope MR or DA client processes as a high-fidelity indicator of compromise.
  • The vulnerability affects only the client-side components (MR and DA); the Lanscope server/manager does not require upgrading.
  • There are no workarounds or mitigations available; patching to a fixed client version is the only remediation.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   -         9.3     CRITICAL   -
cisa        -         9.3     CRITICAL   -