CVE-2025-61932: Critical Lanscope Endpoint Manager Vulnerability Actively Exploited in Cyberattacks, CISA Warns
- Rescana

Executive Summary
A critical vulnerability has been identified in LANSCOPE Endpoint Manager by Motex, tracked as CVE-2025-61932, which is currently being exploited in active cyberattacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed ongoing exploitation and added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgent need for immediate remediation. This vulnerability enables unauthenticated remote code execution (RCE) on affected endpoints, allowing attackers to gain high-level privileges without any user interaction. The attack vector leverages specially crafted network packets, making exploitation trivial for threat actors with network access. Organizations using vulnerable versions of LANSCOPE Endpoint Manager are at significant risk of compromise, data exfiltration, and lateral movement within their environments. Immediate patching and enhanced monitoring are strongly advised.
Threat Actor Profile
At this time, there is no public attribution of the ongoing attacks exploiting CVE-2025-61932 to any specific advanced persistent threat (APT) group, cybercriminal syndicate, or nation-state actor. The exploitation pattern, however, is consistent with both opportunistic and targeted campaigns, as the vulnerability requires no authentication and can be leveraged remotely. The lack of a requirement for user interaction or credentials lowers the barrier to entry, making this bug attractive to a wide spectrum of threat actors, including ransomware operators, initial access brokers, and state-sponsored groups seeking to establish persistent access within enterprise networks. The rapid inclusion of this vulnerability in the CISA KEV catalog suggests that exploitation is widespread and not limited to a single threat group or region.
Technical Analysis of Malware/TTPs
CVE-2025-61932 is a critical remote code execution vulnerability affecting the Client Program (MR) and Detection Agent (DA) components of the on-premise edition of LANSCOPE Endpoint Manager. The root cause is improper verification of the source of communication channels, specifically a failure to authenticate or validate incoming network packets. An attacker can craft a malicious packet and send it to a vulnerable endpoint, triggering a flaw in the MR client or DA agent that results in arbitrary code execution with SYSTEM or equivalent privileges.
The attack does not require any user interaction, such as clicking a link or opening a file, nor does it require prior authentication or access to the target system. The exploit can be delivered over the network, making it suitable for both internal and external attackers, depending on network exposure. Once exploited, the attacker can execute any command or payload, including deploying malware, establishing persistence, or moving laterally within the network.
Technical indicators of exploitation include anomalous network traffic directed at the MR or DA components, unexpected process creation, and privilege escalation events on affected endpoints. No public proof-of-concept (PoC) exploit code has been released as of this writing, but the simplicity of the attack vector suggests that weaponized exploits are likely to proliferate rapidly.
The vulnerability aligns with the following MITRE ATT&CK techniques: T1210 (Exploitation of Remote Services), as attackers exploit a network service to gain code execution, and T1190 (Exploit Public-Facing Application), if the endpoint is exposed to the internet or untrusted networks.
Exploitation in the Wild
Active exploitation of CVE-2025-61932 has been confirmed by both CISA and the Japan Vulnerability Notes (JVN). At least one Motex customer has been targeted with malicious packets exploiting this flaw, and additional exploit attempts have been observed in the wild. The attack surface is limited to the on-premise edition of LANSCOPE Endpoint Manager; the cloud edition is not affected.
Attackers are leveraging the vulnerability to gain immediate, high-privilege access to endpoints running vulnerable versions. The exploitation does not require any social engineering or phishing, making detection more challenging and increasing the risk of widespread compromise. The lack of specific indicators such as file hashes or command-and-control infrastructure suggests that attackers may be using custom payloads or living-off-the-land techniques post-exploitation.
Organizations with exposed or internet-accessible LANSCOPE Endpoint Manager agents are at heightened risk, but internal attackers or compromised devices within the network can also exploit the flaw. The speed with which this vulnerability has been weaponized highlights the critical importance of rapid patching and network segmentation.
Victimology and Targeting
The primary victims are organizations using the on-premise edition of LANSCOPE Endpoint Manager, particularly those running versions 9.4.7.1 and earlier. The product is widely deployed in enterprise environments, especially in Japan and Asia-Pacific, but is also present in global organizations with distributed IT operations.
There is no evidence to suggest that exploitation is limited to a specific sector or geography. Given the nature of the vulnerability, any organization with vulnerable endpoints is a potential target. The lack of authentication and user interaction requirements means that both targeted and opportunistic attacks are feasible. Sectors with high regulatory requirements, such as finance, healthcare, and critical infrastructure, should consider themselves at elevated risk due to the potential for data theft, operational disruption, and regulatory non-compliance.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-61932. Organizations must update all on-premise LANSCOPE Endpoint Manager clients, specifically the MR and DA components, to the latest patched version of their maintenance branch. The fixed (unaffected) versions are 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. The patch process is identical to a standard software upgrade for these components and does not require an upgrade of the management console.
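To turn the list of fixed versions into a triage of an endpoint inventory, the following added example (written for this article, not code from Rescana, Motex or CISA) compares each installed MR or DA client version against the fixed build of its maintenance branch. Within a listed branch, any build below the fixed version is reported as vulnerable; for a branch the advisory does not list, it falls back to the "9.4.7.1 and earlier" statement and flags newer unlisted builds for manual review rather than assuming they are safe. The hostnames, components and versions in the sample inventory are constructed.

```python
"""Triage inventoried LANSCOPE Endpoint Manager on-premise client versions
(MR and DA components) against the fixed versions listed for CVE-2025-61932."""
from collections import defaultdict

# Fixed versions per maintenance branch, exactly as listed in the advisory.
FIXED_VERSIONS = (
    "9.3.2.7", "9.3.3.9", "9.4.0.5", "9.4.1.5", "9.4.2.6",
    "9.4.3.8", "9.4.4.6", "9.4.5.4", "9.4.6.3", "9.4.7.3",
)
# Highest build the advisory names as affected ("9.4.7.1 and earlier").
LAST_KNOWN_AFFECTED = (9, 4, 7, 1)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a dotted four-part version such as '9.4.7.1' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


# Map each branch (first three components) to the fixed build for that branch.
FIXED_BY_BRANCH = {parse_version(v)[:3]: parse_version(v) for v in FIXED_VERSIONS}


def assess(version: str) -> str:
    """Classify one installed version as 'vulnerable', 'patched' or 'review'.

    Inside a listed branch, anything below the fixed build is vulnerable.
    For an unlisted branch, fall back to the '9.4.7.1 and earlier' statement;
    newer unlisted builds are returned as 'review' so they are checked against
    the vendor advisory instead of being silently treated as safe.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_KNOWN_AFFECTED:
        return "vulnerable"
    return "review"


def triage(inventory):
    """Group (hostname, component, version) records by assessment outcome.

    Unparseable version fields land in 'review' so that a bad inventory
    record never hides a vulnerable host.
    """
    result = defaultdict(list)
    for host, component, version in inventory:
        try:
            outcome = assess(version)
        except ValueError:
            outcome = "review"
        result[outcome].append(f"{host} {component} {version}")
    return dict(result)


# Constructed sample inventory: hostnames, components and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-0101", "MR", "9.4.7.1"),
    ("ws-0102", "MR", "9.4.7.3"),
    ("srv-0001", "DA", "9.3.2.6"),
    ("srv-0002", "DA", "9.3.2.7"),
    ("ws-0103", "MR", "9.5.0.1"),
    ("ws-0104", "MR", "unknown"),
]

if __name__ == "__main__":
    for outcome, records in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{outcome}:")
        for record in records:
            print("  ", record)
```

Feed `triage()` the (host, component, version) tuples exported from your asset inventory or the management console; the "review" bucket is the one to reconcile by hand, since it holds both inventory errors and builds the advisory does not cover.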
In addition to patching, organizations should implement network segmentation to restrict access to LANSCOPE Endpoint Manager agents, monitor for anomalous network traffic directed at MR and DA components, and review endpoint logs for signs of unauthorized code execution or privilege escalation. Enhanced detection rules should be deployed to identify suspicious process creation and network activity associated with exploitation attempts.
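As one concrete form of the detection rule described above, the following added example (not code from Rescana or the vendor) scans process-creation telemetry for command interpreters and script hosts launched as children of the agent processes, the "unexpected process creation" pattern the article names as an indicator. The agent image names are placeholders and must be replaced with the real MR and DA executable names from your own deployment; the Sysmon-like JSON events are constructed sample data.

```python
"""Flag interpreter or script-host children of the LANSCOPE agent processes in
process-creation telemetry, a post-exploitation pattern worth hunting after
CVE-2025-61932."""
import json

# Hypothetical agent image names (placeholders): substitute the actual MR/DA
# executable names observed on your own endpoints.
AGENT_IMAGES = {"lanscope_mr_placeholder.exe", "lanscope_da_placeholder.exe"}

# Interpreters and utilities an endpoint-management agent has no routine
# reason to spawn; tune this set against a baseline from patched hosts.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when an agent process spawned one of the watched child images."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    return parent in AGENT_IMAGES and child in SUSPICIOUS_CHILDREN


def find_suspicious(lines):
    """Parse JSON event lines and return (host, timestamp, child image) hits.

    Malformed lines are skipped rather than aborting the whole scan.
    """
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append((event["host"], event["ts"], basename(event["image"])))
    return hits


# Constructed sample events in a Sysmon-like JSON shape; every value is made up.
SAMPLE_EVENTS = [
    r'{"host":"ws-0101","ts":"2025-10-22T09:14:03Z","parent_image":"C:\\Program Files\\Vendor\\lanscope_mr_placeholder.exe","image":"C:\\Windows\\System32\\cmd.exe","user":"NT AUTHORITY\\SYSTEM"}',
    r'{"host":"ws-0101","ts":"2025-10-22T09:15:10Z","parent_image":"C:\\Program Files\\Vendor\\lanscope_mr_placeholder.exe","image":"C:\\Program Files\\Vendor\\updater_placeholder.exe","user":"NT AUTHORITY\\SYSTEM"}',
    r'{"host":"ws-0102","ts":"2025-10-22T09:18:31Z","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"CORP\\jdoe"}',
    r'{"host":"srv-0001","ts":"2025-10-22T09:21:47Z","parent_image":"C:\\Program Files\\Vendor\\lanscope_da_placeholder.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"NT AUTHORITY\\SYSTEM"}',
    "this line is not json",
]

if __name__ == "__main__":
    for host, ts, child in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {host}: agent spawned {child}")
```

The second and third sample events show the two deliberate non-matches: an agent launching its own updater (child not in the watch list) and a user's Explorer launching PowerShell (parent is not the agent). Both conditions must hold for a hit, which keeps the rule quiet on routine activity while still catching SYSTEM-level shells parented by the agent.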
Organizations should also review their exposure of management interfaces and agents to untrusted networks, ensuring that only authorized and authenticated users can access these services. Where possible, implement application whitelisting and endpoint detection and response (EDR) solutions to detect and block post-exploitation activity.
Given the active exploitation and critical severity, organizations should treat this vulnerability as a top priority and complete remediation as soon as possible. Failure to do so may result in compromise, data loss, and regulatory penalties.
References
CISA Alert: CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2025-61932): https://www.cisa.gov/news-events/alerts/2025/10/22/cisa-adds-one-known-exploited-vulnerability-catalog
The Hacker News: Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms: https://thehackernews.com/2025/10/critical-lanscope-endpoint-manager-bug.html
Japan Vulnerability Notes (JVN) – Motex LANSCOPE Advisory: https://jvn.jp/en/
CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD Entry for CVE-2025-61932: https://nvd.nist.gov/vuln/detail/CVE-2025-61932
Motex Vendor Advisory (JP): https://www.motex.co.jp/news/notice/2025/release251020/
About Rescana
Rescana is a leader in third-party risk management (TPRM) and cyber risk intelligence, providing organizations with advanced tools to identify, assess, and mitigate cyber threats across their digital supply chains. Our platform delivers actionable insights and continuous monitoring to help organizations stay ahead of emerging vulnerabilities and regulatory requirements. For more information about how Rescana can help you strengthen your cyber resilience, we are happy to answer questions at ops@rescana.com.