Critical Lanscope Endpoint Manager Zero-Day Vulnerability (CVE-2025-61932) Actively Exploited – Patch Now
- Rescana

Executive Summary
A critical zero-day vulnerability in Lanscope Endpoint Manager (CVE-2025-61932) is being actively exploited in the wild, posing a severe risk to organizations utilizing this endpoint management solution. The flaw, which affects all on-premises deployments of Lanscope Endpoint Manager version 9.4.7.1 and earlier, enables unauthenticated remote code execution (RCE) due to improper verification of the source of incoming network requests. Public proof-of-concept (PoC) exploits are available, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgency for immediate remediation. This advisory provides a comprehensive technical analysis, threat actor insights, exploitation details, victimology, and actionable mitigation guidance to help organizations defend against this critical threat.
Threat Actor Profile
At this time, exploitation of the Lanscope Endpoint Manager zero-day is being conducted by unidentified threat actors. No specific advanced persistent threat (APT) group or ransomware affiliate has been publicly attributed to these attacks. However, the tactics, techniques, and procedures (TTPs) observed align with those commonly used by both financially motivated cybercriminals and state-sponsored actors. The exploitation method—targeting a public-facing management interface with unauthenticated RCE—suggests opportunistic mass exploitation, a hallmark of both initial access brokers and ransomware operators. The presence of public PoC code and rapid weaponization by the threat community further increases the risk of widespread exploitation by a diverse set of actors, including those seeking to establish persistence, exfiltrate data, or deploy ransomware payloads.
Technical Analysis of Malware/TTPs
The vulnerability, tracked as CVE-2025-61932, is classified under CWE-940: Improper Verification of Source of a Communication Channel. The flaw resides in the network request handling logic of the Lanscope Endpoint Manager server, specifically within the client program (MR) and detection agent (DA) components. The application fails to adequately verify the origin of incoming requests, allowing an attacker to send specially crafted packets to the management interface. This results in arbitrary code execution with SYSTEM or root privileges, depending on the underlying operating system.
Technical exploitation involves sending a malicious payload over the network to the exposed management port. No authentication or prior access is required, and the attack can be executed remotely. Public PoC exploits, such as those available on GitHub repositories like DevGreick/devgreick, automate the process of crafting and delivering the exploit payload. The attack leverages common TTPs, including:
- Exploiting public-facing applications (MITRE ATT&CK T1190)
- Using command and scripting interpreters to execute arbitrary commands (T1059)
- Leveraging application layer protocols for command and control (T1071)
The vulnerability is rated as critical, with a CVSS v3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its ease of exploitation and the potential for complete system compromise.
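The weakness class named above, CWE-940, is easiest to see as a handler that decides whether to act on a management request. The following Python is an added illustration written for this advisory, not Lanscope code and not derived from the PoC; the request fields, the shared secret, the allowlisted subnets and the "trusted-agent" origin string are all constructed. The vulnerable handler trusts an origin field the sender wrote itself, so anyone who can reach the port is treated as a trusted component; the hardened handler checks the source at the transport layer (the peer address, which a sender cannot set by writing a field into the message) and then authenticates the message with a keyed MAC.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed values for the example only; a real deployment provisions
# per-agent credentials and keeps its allowlist outside the code.
SHARED_SECRET = b"example-only-secret"
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.10.0/24")]


@dataclass
class Request:
    peer_ip: str           # address the packet actually came from (socket-level)
    claimed_origin: str    # origin asserted inside the message body (sender-controlled)
    command: str           # management action the sender wants executed
    tag: bytes = b""       # authenticator over the message; empty if the sender has none


def handle_vulnerable(req: Request) -> str:
    """CWE-940 shape: the only 'source check' is a field the sender wrote itself.

    Anyone who can reach the port can set claimed_origin and have the command run.
    This illustrates the weakness class; it is not Lanscope's code."""
    if req.claimed_origin == "trusted-agent":
        return f"EXECUTED: {req.command}"
    return "REJECTED"


def sign_request(peer_ip: str, command: str) -> bytes:
    """Authenticator a legitimate component attaches; binds the command to the sender.

    A real protocol would also include a nonce or timestamp to stop replays."""
    msg = f"{peer_ip}|{command}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def handle_hardened(req: Request) -> str:
    """Verifies the source from the peer address (not from the message body)
    against an allowlist, then authenticates the message with the shared secret.
    The allowlist narrows exposure; the MAC is what actually proves the sender."""
    peer = ipaddress.ip_address(req.peer_ip)
    if not any(peer in net for net in TRUSTED_SOURCES):
        return "REJECTED: source not allowlisted"
    if not hmac.compare_digest(sign_request(req.peer_ip, req.command), req.tag):
        return "REJECTED: bad authenticator"
    return f"EXECUTED: {req.command}"


if __name__ == "__main__":
    outsider = Request("203.0.113.5", "trusted-agent", "run-task")
    print("vulnerable:", handle_vulnerable(outsider))   # command runs
    print("hardened:  ", handle_hardened(outsider))     # rejected at the source check
```

The two checks in `handle_hardened` are deliberately layered: the allowlist is the network-access restriction recommended later in this advisory, and the authenticator is what the product's own patch has to supply, since an allowlist alone still trusts every host inside it.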
Exploitation in the Wild
Active exploitation of CVE-2025-61932 has been confirmed by multiple sources, including CISA, JPCERT/CC, and leading cybersecurity news outlets. Attackers are scanning for vulnerable Lanscope Endpoint Manager instances exposed to the internet and leveraging public PoC code to gain remote access. The exploitation chain typically involves sending a network request containing a malicious payload to the management interface, which then executes the payload with elevated privileges.
Security researchers have observed a surge in scanning activity targeting the default management ports used by Lanscope Endpoint Manager. In several documented incidents, attackers have established persistence by creating new user accounts, deploying web shells, or installing additional malware. The availability of automated exploit scripts has lowered the barrier to entry, enabling even low-skilled actors to compromise unpatched systems.
Notable reports from The Hacker News, CybersecurityNews, and SecurityOnline.info corroborate the widespread nature of these attacks. The inclusion of the vulnerability in the CISA KEV Catalog mandates immediate patching for federal agencies and strongly recommends urgent action for all organizations.
Victimology and Targeting
Victims of the Lanscope Endpoint Manager zero-day exploitation are primarily organizations that have deployed the on-premises version of the product and have exposed the management interface to the internet or untrusted networks. Affected sectors include government agencies, educational institutions, healthcare providers, and enterprises across various industries in Japan and globally, as Lanscope is widely used for endpoint monitoring and management.
Attackers are not targeting specific organizations but are instead conducting broad internet-wide scans to identify and exploit any vulnerable instance. This opportunistic approach increases the risk for any organization running outdated versions of Lanscope Endpoint Manager. The lack of authentication required for exploitation means that even organizations with otherwise robust security postures are at risk if they have not applied the latest patches or restricted network access to the management interface.
Indicators of compromise (IOCs) associated with these attacks include unusual inbound traffic to management ports, unexpected process launches, creation of new files or scheduled tasks by the Lanscope service account, and outbound connections from Lanscope servers to unfamiliar external hosts.
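The four indicator types listed above can be turned into simple detection rules. The Python below is an added example for this advisory, not Rescana's or Motex's tooling: the log line format, the management port 8443, the trusted subnet, the known egress destination, the service account name `svc_lanscope` and the expected binary path are all constructed placeholders to be replaced with your deployment's values. It parses a handful of constructed connection, process and scheduled-task records and returns one finding per rule hit.

```python
import ipaddress
import re

# All values below are constructed for the example and stand in for site data.
MGMT_PORTS = {8443}                                     # hypothetical management port(s)
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]  # subnets allowed to reach them
KNOWN_EGRESS = {"10.0.0.20"}                            # hosts the server normally talks to
SERVICE_ACCOUNT = "svc_lanscope"                        # hypothetical service account
EXPECTED_IMAGES = {r"C:\App\manager.exe"}               # binaries it normally launches

# Constructed sample records, one event per line, key=value fields.
SAMPLE_LOGS = [
    "conn dir=in src=10.2.0.9 dst=10.0.0.5 dport=8443",         # normal agent check-in
    "conn dir=in src=203.0.113.7 dst=10.0.0.5 dport=8443",      # external host on mgmt port
    "conn dir=out src=10.0.0.5 dst=10.0.0.20 dport=443",        # known destination
    "conn dir=out src=10.0.0.5 dst=198.51.100.23 dport=4444",   # unfamiliar external host
    r"proc user=svc_lanscope image=C:\App\manager.exe",          # expected binary
    r"proc user=svc_lanscope image=C:\Windows\System32\cmd.exe", # unexpected interpreter
    "task user=svc_lanscope name=Updater action=created",       # new task by service acct
    "task user=admin name=Backup action=created",               # not the service account
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str):
    """Split 'kind k=v k=v ...' into the record kind and a field dict."""
    kind, _, rest = line.partition(" ")
    return kind, dict(KV.findall(rest))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def analyze(lines):
    """Apply the four IOC rules from the advisory and return the hits in log order."""
    findings = []
    for line in lines:
        kind, f = parse(line)
        if kind == "conn" and f["dir"] == "in":
            # Inbound traffic to a management port from outside the trusted subnets.
            if int(f["dport"]) in MGMT_PORTS and not is_trusted(f["src"]):
                findings.append({"rule": "untrusted-inbound-mgmt", "src": f["src"], "line": line})
        elif kind == "conn" and f["dir"] == "out":
            # Outbound connection from the server to a host it is not known to use.
            if f["dst"] not in KNOWN_EGRESS and not is_trusted(f["dst"]):
                findings.append({"rule": "unfamiliar-egress", "dst": f["dst"], "line": line})
        elif kind == "proc" and f["user"] == SERVICE_ACCOUNT:
            # Service account launching something other than its expected binaries.
            if f["image"] not in EXPECTED_IMAGES:
                findings.append({"rule": "unexpected-process", "image": f["image"], "line": line})
        elif kind == "task" and f["user"] == SERVICE_ACCOUNT and f["action"] == "created":
            # New scheduled task created under the service account.
            findings.append({"rule": "service-account-task", "name": f["name"], "line": line})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOGS):
        print(hit["rule"], "->", hit["line"])
```

Run against real telemetry, the inbound rule is the one worth alerting on first: with no authentication required for exploitation, any connection to the management port from an address outside the allowlist is already a policy violation even before a payload is identified.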
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-61932. Organizations should prioritize the following countermeasures:
- Apply the official patch released by Motex for Lanscope Endpoint Manager. The patch addresses the improper verification flaw and is available for download from the vendor's advisory page. All versions up to and including 9.4.7.1 are affected and must be updated without delay.
- Restrict network access to the Lanscope Endpoint Manager management interface. Ensure that only trusted IP addresses within your organization can communicate with the management ports. Implement firewall rules or network segmentation to prevent unauthorized external access.
- Monitor for signs of exploitation by reviewing system and application logs for suspicious activity. Look for indicators such as unexpected process execution, new user accounts, or outbound connections to unknown IP addresses. Utilize endpoint detection and response (EDR) solutions to detect and block malicious behavior.
- Follow the guidance provided by CISA and other national cybersecurity authorities. Federal agencies are required to patch by November 12, 2025, under CISA BOD 22-01. All organizations are strongly encouraged to adhere to this timeline.
- If compromise is suspected, conduct a thorough forensic investigation, isolate affected systems, and follow your incident response plan. Consider engaging with a trusted cybersecurity partner for assistance.
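Working through the first two countermeasures across a fleet means deciding, per server, whether its version falls in the "9.4.7.1 and earlier" range and how reachable its management interface is. The Python below is an added example for this advisory, not a Motex or Rescana tool; the inventory records, hostnames, versions and the `internet_facing` / `source_allowlisted` fields are constructed. It compares versions numerically (a plain string comparison puts "9.4.10.0" below "9.4.7.1" and would misreport such a build as affected) and ranks unpatched hosts so that an internet-facing, unrestricted server is handled first.

```python
# Affected range stated in the advisory: 9.4.7.1 and earlier.
LAST_AFFECTED = (9, 4, 7, 1)


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers, padding short forms ("9.4.7" -> 9.4.7.0).

    Comparing integers matters: as strings, "9.4.10.0" sorts below "9.4.7.1"."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_affected(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED


def remediation_priority(host: dict) -> str:
    """Rank a server by version and by how reachable its management interface is.

    Constructed keys: 'version'; 'internet_facing' (management port reachable from
    the internet); 'source_allowlisted' (firewall limits it to trusted addresses)."""
    if not is_affected(host["version"]):
        return "not-affected"
    if host["internet_facing"] and not host["source_allowlisted"]:
        return "P1"   # exposed and unrestricted: reachable by the mass scanning described
    if host["internet_facing"] or not host["source_allowlisted"]:
        return "P2"   # one of the two network controls is missing
    return "P3"       # internal and restricted, but still unpatched


def triage(inventory: list) -> list:
    """Return (hostname, priority) pairs, most urgent first, unaffected hosts last."""
    order = {"P1": 0, "P2": 1, "P3": 2, "not-affected": 3}
    ranked = [(h["name"], remediation_priority(h)) for h in inventory]
    return sorted(ranked, key=lambda pair: order[pair[1]])


# Constructed inventory; the hosts and versions are placeholders, not real systems.
INVENTORY = [
    {"name": "lem-dmz-01", "version": "9.4.7.1", "internet_facing": True, "source_allowlisted": False},
    {"name": "lem-lab-02", "version": "9.4.7", "internet_facing": False, "source_allowlisted": True},
    {"name": "lem-hq-03", "version": "9.4.10.0", "internet_facing": True, "source_allowlisted": False},
    {"name": "lem-br-04", "version": "9.3.0.0", "internet_facing": False, "source_allowlisted": False},
]


if __name__ == "__main__":
    for name, priority in triage(INVENTORY):
        print(f"{priority:13s} {name}")
```

A P3 host is still a patching task, not an exception: the allowlist and segmentation reduce who can reach the port, but the flaw itself is only removed by the vendor update.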
References
- NVD CVE-2025-61932
- CISA KEV Catalog Entry
- Motex Official Advisory
- JPCERT/CC Advisory
- cvefeed.io CVE-2025-61932
- The Hacker News Coverage
- CybersecurityNews Coverage
- SecurityOnline.info Coverage
- GitHub PoC Example
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, manage compliance, and respond to emerging threats. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.