CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog

CISA Adds Critical Motex LANSCOPE Endpoint Manager Vulnerability (CVE-2025-61932) to KEV Catalog Amid Active Exploitation

Severity: CRITICAL
Published: October 28, 2025
Updated: November 2, 2025
Tags: Vulnerability, Patch Management, Cyberattack

Related Entities (initial)

Organizations

JPCERT/CC, Japan Vulnerability Notes (JVN), Motex, U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Products & Tech

LANSCOPE Endpoint Manager

CVE Identifiers

CVE-2025-61932
Severity: CRITICAL
CVSS: 9.3

Full Report (when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to patch a critical, actively exploited vulnerability in Motex's LANSCOPE Endpoint Manager. The vulnerability, tracked as CVE-2025-61932, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to evidence of in-the-wild attacks. The flaw, with a CVSS v4 score of 9.3, allows an unauthenticated, remote attacker to execute arbitrary code on systems running the LANSCOPE agent. Reports from Japan's JPCERT/CC and Motex confirm that attackers are targeting the flaw to deploy backdoors, prompting CISA to set a remediation deadline of November 12, 2025, for federal agencies.


Vulnerability Details

The vulnerability exists in the on-premises versions of LANSCOPE Endpoint Manager, specifically affecting the Client Program (MR) and Detection Agent (DA) components. It is described as an 'improper verification of source of a communication channel.' This allows a remote attacker on the same network segment to send specially crafted network packets to a listening port on an endpoint with the LANSCOPE agent installed. Successful exploitation results in the execution of arbitrary code with the privileges of the agent, which are typically elevated.

Affected Systems

The vulnerability affects the following on-premises products:

  • LANSCOPE Endpoint Manager Client Program (MR): Versions 9.4.7.1 and earlier
  • LANSCOPE Endpoint Manager Detection Agent (DA): Versions 9.4.7.1 and earlier

Motex has released several patched versions to address the issue, and customers are urged to upgrade.

Exploitation Status

Active exploitation has been confirmed, primarily in Japan. Japan's JPCERT/CC and the JVN portal reported that malicious packets targeting the vulnerability were observed in domestic customer environments starting after April 2025. Motex also confirmed at least one customer received a malicious packet suspected of exploiting this flaw. The goal of the observed attacks is to install an unspecified backdoor on the compromised endpoint, providing the attacker with persistent remote access (T1505.003 - Web Shell). The addition to the CISA KEV catalog on October 22, 2025, underscores the seriousness and ongoing nature of the threat.

Impact Assessment

Compromising an endpoint management solution like LANSCOPE provides a powerful foothold within a network.

  • Privilege Escalation & Lateral Movement: An attacker can use the initial compromise to escalate privileges on the endpoint and move laterally to other systems in the network.
  • Widespread Compromise: If the management server itself can be compromised from an endpoint, the attacker could potentially push malicious software to all managed devices.
  • Data Theft and Espionage: The installed backdoor can be used to exfiltrate sensitive data or conduct long-term espionage.

Cyber Observables for Detection

  • Type: network_traffic_pattern. Value: inbound traffic to LANSCOPE agent ports. Description: monitor for unexpected or malformed packets sent to the ports used by the LANSCOPE MR and DA agents from unusual source IPs on the LAN.
  • Type: process_name. Value: LANSCOPE agent process (dtagent.exe, etc.). Description: monitor the agent process for suspicious child processes (e.g., powershell.exe, cmd.exe) or anomalous network activity.
  • Type: file_name. Value: unrecognized executables in temp directories. Description: look for newly created executable or script files dropped by the exploit, which would constitute the backdoor.

Detection Methods

  • Vulnerability Scanning: Use authenticated scans to identify endpoints running vulnerable versions of the LANSCOPE agent.
  • Network Monitoring: Deploy network intrusion detection systems (NIDS) with signatures to detect the specific malicious packets used in the exploit.
  • Endpoint Detection and Response (EDR): Use EDR to monitor the behavior of the LANSCOPE agent processes. Alert on any anomalous behavior, such as spawning shells, writing new executables to disk, or making outbound connections to unknown C2 servers.
  • D3FEND Techniques: Employ D3-NTA: Network Traffic Analysis to spot the malicious packets and D3-PA: Process Analysis to detect anomalous agent behavior.
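The process_name observable and the EDR detection method above can be expressed as two simple rules over endpoint telemetry. The following is an added example, not code from the article or from Motex; the event format, the install path, the management-server address and the sample events are all constructed, and dtagent.exe is the only agent process name taken from the article.

```python
"""Toy detection pass over constructed endpoint telemetry.

Rule 1: a LANSCOPE agent process spawning a shell (cmd.exe, powershell.exe).
Rule 2: a LANSCOPE agent process making an outbound connection to any host
        other than the management server.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Agent process name from the advisory; "etc." means others may exist.
AGENT_PROCESSES = {"dtagent.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
# Assumption: the only host the agent should talk to (constructed value).
MANAGEMENT_SERVERS = {"10.0.0.5"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyse(events):
    """events: dicts with keys host, type, image, plus parent_image
    (type == "process") or dest_ip (type == "network")."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if _basename(ev["parent_image"]) in AGENT_PROCESSES and _basename(ev["image"]) in SHELLS:
                findings.append(Finding(ev["host"], "agent_spawned_shell", f"{ev['parent_image']} -> {ev['image']}"))
        elif ev["type"] == "network":
            if _basename(ev["image"]) in AGENT_PROCESSES and ev["dest_ip"] not in MANAGEMENT_SERVERS:
                findings.append(Finding(ev["host"], "agent_unexpected_outbound", f"{ev['image']} -> {ev['dest_ip']}"))
    return findings


# Constructed sample telemetry; the install path is an assumption.
AGENT = r"C:\Program Files\LANSCOPE\dtagent.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent_image": AGENT, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "type": "network", "image": AGENT, "dest_ip": "10.0.0.5"},        # expected: management server
    {"host": "ws02", "type": "network", "image": AGENT, "dest_ip": "203.0.113.7"},     # unexpected destination
    {"host": "ws03", "type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```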

Remediation Steps

  1. Patch Immediately: The primary remediation is to upgrade all LANSCOPE agents and management servers to the latest patched versions provided by Motex.
  2. Network Segmentation: As a compensating control, limit network access to the ports used by the LANSCOPE agents. Ensure that only the management server can communicate with the agents on these ports and that endpoints cannot communicate with each other on them.
  3. Threat Hunting: Proactively hunt for signs of compromise on systems running vulnerable versions, looking for suspicious files, processes, and network connections.
  4. D3FEND Countermeasures:

Timeline of Events

  1. April 1, 2025: Active abuse of CVE-2025-61932 reportedly began after this date in Japan.
  2. October 22, 2025: CISA adds CVE-2025-61932 to its KEV catalog.
  3. October 28, 2025: This article was published.

Article Updates

November 2, 2025

Severity increased

China-linked 'Bronze Butler' APT identified exploiting CVE-2025-61932 as a zero-day since mid-2025, deploying 'Gokcpdoor' backdoor for espionage.

New intelligence attributes the active exploitation of CVE-2025-61932 to the China-linked 'Bronze Butler' (Tick) APT group. Researchers confirm the group exploited this vulnerability as a zero-day, initiating attacks in mid-2025, months before a patch was available. The APT deployed an updated 'Gokcpdoor' backdoor for data theft and remote control, utilizing tools like 'goddi' for credential dumping and 7-Zip for archiving. This attribution to a sophisticated nation-state actor significantly elevates the threat level and highlights the advanced nature of the ongoing campaign.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, Endpoint Security, KEV, LANSCOPE, Motex, RCE, Vulnerability
