CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog

CISA Adds Critical Motex LANSCOPE Endpoint Manager Vulnerability (CVE-2025-61932) to KEV Catalog Amid Active Exploitation

CRITICAL
October 28, 2025
4m read
VulnerabilityPatch ManagementCyberattack

Related Entities

Organizations

U.S. Cybersecurity and Infrastructure Security Agency (CISA) MotexJPCERT/CCJapan Vulnerability Notes (JVN)

Products & Tech

LANSCOPE Endpoint Manager

CVE Identifiers

CVE-2025-61932
CRITICAL
CVSS:9.3
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1210Lateral Movement

Exploitation of Remote Services

T1068Privilege Escalation

Exploitation for Privilege Escalation

T1105Command and Control

Ingress Tool Transfer

T1547.001Persistence

Registry Run Keys / Startup Folder

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to patch a critical, actively exploited vulnerability in Motex's LANSCOPE Endpoint Manager. The vulnerability, tracked as CVE-2025-61932, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to evidence of in-the-wild attacks. The flaw, with a CVSS v4 score of 9.3, allows an unauthenticated, remote attacker to execute arbitrary code on systems running the LANSCOPE agent. Reports from Japan's JPCERT/CC and Motex confirm that attackers are targeting the flaw to deploy backdoors, prompting CISA to set a remediation deadline of November 12, 2025, for federal agencies.

Vulnerability Details

The vulnerability exists in the on-premises versions of LANSCOPE Endpoint Manager, specifically affecting the Client Program (MR) and Detection Agent (DA) components. It is described as an 'improper verification of source of a communication channel.' This allows a remote attacker on the same network segment to send specially crafted network packets to a listening port on an endpoint with the LANSCOPE agent installed. Successful exploitation results in the execution of arbitrary code with the privileges of the agent, which are typically elevated.

Affected Systems

The vulnerability affects the following on-premises products:

  • LANSCOPE Endpoint Manager Client Program (MR): Versions 9.4.7.1 and earlier
  • LANSCOPE Endpoint Manager Detection Agent (DA): Versions 9.4.7.1 and earlier

Motex has released several patched versions to address the issue, and customers are urged to upgrade.

Exploitation Status

Active exploitation has been confirmed, primarily in Japan. Japan's JPCERT/CC and the JVN portal reported that malicious packets targeting the vulnerability were observed in domestic customer environments starting after April 2025. Motex also confirmed at least one customer received a malicious packet suspected of exploiting this flaw. The goal of the observed attacks is to install an unspecified backdoor on the compromised endpoint, providing the attacker with persistent remote access (T1505.003 - Web Shell). The addition to the CISA KEV catalog on October 22, 2025, underscores the seriousness and ongoing nature of the threat.

Impact Assessment

Compromising an endpoint management solution like LANSCOPE provides a powerful foothold within a network.

  • Privilege Escalation & Lateral Movement: An attacker can use the initial compromise to escalate privileges on the endpoint and move laterally to other systems in the network.
  • Widespread Compromise: If the management server itself can be compromised from an endpoint, the attacker could potentially push malicious software to all managed devices.
  • Data Theft and Espionage: The installed backdoor can be used to exfiltrate sensitive data or conduct long-term espionage.

Cyber Observables for Detection

Type Value Description
network_traffic_pattern Inbound traffic to LANSCOPE agent ports Monitor for unexpected or malformed packets sent to the ports used by the LANSCOPE MR and DA agents from unusual source IPs on the LAN.
process_name LANSCOPE agent process (dtagent.exe, etc.) Monitor the agent process for suspicious child processes (e.g., powershell.exe, cmd.exe) or anomalous network activity.
file_name Unrecognized executables in temp directories Look for newly created executable or script files dropped by the exploit, which would constitute the backdoor.

Detection Methods

  • Vulnerability Scanning: Use authenticated scans to identify endpoints running vulnerable versions of the LANSCOPE agent.
  • Network Monitoring: Deploy network intrusion detection systems (NIDS) with signatures to detect the specific malicious packets used in the exploit.
  • Endpoint Detection and Response (EDR): Use EDR to monitor the behavior of the LANSCOPE agent processes. Alert on any anomalous behavior, such as spawning shells, writing new executables to disk, or making outbound connections to unknown C2 servers.
  • D3FEND Techniques: Employ D3-NTA: Network Traffic Analysis to spot the malicious packets and D3-PA: Process Analysis to detect anomalous agent behavior.

Remediation Steps

  1. Patch Immediately: The primary remediation is to upgrade all LANSCOPE agents and management servers to the latest patched versions provided by Motex.
  2. Network Segmentation: As a compensating control, limit network access to the ports used by the LANSCOPE agents. Ensure that only the management server can communicate with the agents on these ports and that endpoints cannot communicate with each other on them.
  3. Threat Hunting: Proactively hunt for signs of compromise on systems running vulnerable versions, looking for suspicious files, processes, and network connections.
  4. D3FEND Countermeasures:

Timeline of Events

1
April 1, 2025
Active abuse of CVE-2025-61932 reportedly began after this date in Japan.
2
October 22, 2025
CISA adds CVE-2025-61932 to its KEV catalog.
3
October 28, 2025
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the patches from Motex is the most effective way to remediate the vulnerability.

Mapped D3FEND Techniques:

D3-SU

Filter Network Traffic

M1037enterprise

Use host-based firewalls to restrict communication to the vulnerable agent ports to only trusted management servers.

Mapped D3FEND Techniques:

D3-ITF

Antivirus/Antimalware

M1049enterprise

EDR and antivirus solutions can detect and block the backdoor payload and anomalous agent behavior.

Mapped D3FEND Techniques:

D3-PA

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The definitive countermeasure for CVE-2025-61932 is to apply the security updates provided by Motex. Organizations using LANSCOPE Endpoint Manager must prioritize the deployment of the patched versions for both the Client Program (MR) and the Detection Agent (DA). Given that this is an endpoint agent, deployment should be managed centrally through the LANSCOPE console. Due to the 'critical' severity and active exploitation, this should be treated as an emergency change. Asset inventory systems should be used to track the versions of all installed agents to ensure complete remediation and identify any devices that failed to update.

Inbound Traffic Filtering

D3-ITFMaps to MITREM1037
D3FEND

As a powerful compensating control, organizations should use Inbound Traffic Filtering on host-based firewalls to protect the vulnerable LANSCOPE agents. The vulnerability allows an attacker on the same network segment to communicate with the agent. To mitigate this, configure the firewall on each endpoint to only allow inbound connections to the specific LANSCOPE service ports from the IP address(es) of the LANSCOPE management server(s). All other inbound traffic to these ports from other endpoints or network segments should be blocked. This effectively prevents lateral movement attempts to exploit this vulnerability and contains the risk, even on unpatched systems.

Sources & References

CVE-2025-61932 Exploitation: A New Critical Motex LANSCOPE Endpoint Manager Vulnerability Used in Real-World Attacks
SOC Prime (socprime.com) October 27, 2025
Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms
The Hacker News (thehackernews.com) October 23, 2025
CISA Flags Critical Lanscope Bug
eSecurity Planet (esecurityplanet.com) October 23, 2025
CVE‑2025‑61932: Critical Lanscope Endpoint Manager Flaw Actively Exploited
Hive Pro (hive-pro.com) October 28, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CISAKEVMotexLANSCOPEVulnerabilityRCEEndpoint Security

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next