CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to patch a critical, actively exploited vulnerability in Motex's LANSCOPE Endpoint Manager. The vulnerability, tracked as CVE-2025-61932, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to evidence of in-the-wild attacks. The flaw, with a CVSS v4 score of 9.3, allows an unauthenticated, remote attacker to execute arbitrary code on systems running the LANSCOPE agent. Reports from Japan's JPCERT/CC and Motex confirm that attackers are targeting the flaw to deploy backdoors, prompting CISA to set a remediation deadline of November 12, 2025, for federal agencies.

Vulnerability Details

The vulnerability exists in the on-premises versions of LANSCOPE Endpoint Manager, specifically affecting the Client Program (MR) and Detection Agent (DA) components. It is described as an 'improper verification of source of a communication channel.' This allows a remote attacker on the same network segment to send specially crafted network packets to a listening port on an endpoint with the LANSCOPE agent installed. Successful exploitation results in the execution of arbitrary code with the privileges of the agent, which are typically elevated.

Affected Systems

The vulnerability affects the following on-premises products:

LANSCOPE Endpoint Manager Client Program (MR): Versions 9.4.7.1 and earlier
LANSCOPE Endpoint Manager Detection Agent (DA): Versions 9.4.7.1 and earlier

Motex has released several patched versions to address the issue, and customers are urged to upgrade.

Exploitation Status

Active exploitation has been confirmed, primarily in Japan. Japan's JPCERT/CC and the JVN portal reported that malicious packets targeting the vulnerability were observed in domestic customer environments starting after April 2025. Motex also confirmed at least one customer received a malicious packet suspected of exploiting this flaw. The goal of the observed attacks is to install an unspecified backdoor on the compromised endpoint, providing the attacker with persistent remote access (T1505.003 - Web Shell). The addition to the CISA KEV catalog on October 22, 2025, underscores the seriousness and ongoing nature of the threat.

Impact Assessment

Compromising an endpoint management solution like LANSCOPE provides a powerful foothold within a network.

Privilege Escalation & Lateral Movement: An attacker can use the initial compromise to escalate privileges on the endpoint and move laterally to other systems in the network.
Widespread Compromise: If the management server itself can be compromised from an endpoint, the attacker could potentially push malicious software to all managed devices.
Data Theft and Espionage: The installed backdoor can be used to exfiltrate sensitive data or conduct long-term espionage.

Cyber Observables for Detection

Type

network_traffic_pattern

Value

Inbound traffic to LANSCOPE agent ports

Description

Monitor for unexpected or malformed packets sent to the ports used by the LANSCOPE MR and DA agents from unusual source IPs on the LAN.

Type

process_name

Value

LANSCOPE agent process (dtagent.exe, etc.)

Description

Monitor the agent process for suspicious child processes (e.g., powershell.exe, cmd.exe) or anomalous network activity.

Type

file_name

Value

Unrecognized executables in temp directories

Description

Look for newly created executable or script files dropped by the exploit, which would constitute the backdoor.

Detection Methods

Vulnerability Scanning: Use authenticated scans to identify endpoints running vulnerable versions of the LANSCOPE agent.
Network Monitoring: Deploy network intrusion detection systems (NIDS) with signatures to detect the specific malicious packets used in the exploit.
Endpoint Detection and Response (EDR): Use EDR to monitor the behavior of the LANSCOPE agent processes. Alert on any anomalous behavior, such as spawning shells, writing new executables to disk, or making outbound connections to unknown C2 servers.
D3FEND Techniques: Employ D3-NTA: Network Traffic Analysis to spot the malicious packets and D3-PA: Process Analysis to detect anomalous agent behavior.

Remediation Steps

Patch Immediately: The primary remediation is to upgrade all LANSCOPE agents and management servers to the latest patched versions provided by Motex.
Network Segmentation: As a compensating control, limit network access to the ports used by the LANSCOPE agents. Ensure that only the management server can communicate with the agents on these ports and that endpoints cannot communicate with each other on them.
Threat Hunting: Proactively hunt for signs of compromise on systems running vulnerable versions, looking for suspicious files, processes, and network connections.
D3FEND Countermeasures:
- The definitive fix is D3-SU: Software Update.
- D3-ITF: Inbound Traffic Filtering on host-based firewalls can help restrict communication to the vulnerable agent ports.

CISA Adds Critical Motex LANSCOPE Endpoint Manager Vulnerability (CVE-2025-61932) to KEV Catalog Amid Active Exploitation