CVE-2025-61932: Critical Lanscope Endpoint Manager Flaw Actively Exploited

Summary

A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61932, has been discovered in Motex Lanscope Endpoint Manager (on-premises), specifically affecting the Client (MR) and Detection Agent (DA) components. The vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable endpoints by sending specially crafted packets, primarily over TCP port 443.

The flaw has been actively exploited since April 2025, with attackers using malicious payloads to drop backdoors, enabling persistent remote access and control of affected systems. Versions up to 9.4.7.1 are vulnerable, while patched releases have been made available by Motex. The cloud version and the management server are not affected.

Given Lanscope’s widespread use across Japanese enterprises and Asian markets, this vulnerability poses a high operational risk to corporate networks and endpoint fleets.

Vulnerability Details

CVE-2025-61932 stems from improper verification of communication source authenticity in the Lanscope Endpoint Manager. Attackers can exploit this flaw remotely—without authentication—to deliver maliciously crafted communication requests that lead to arbitrary code execution.

Affected Components and Scope

• Product: Motex Lanscope Endpoint Manager (On-Premise)
• Affected Components: Client (MR) and Detection Agent (DA)
• Unaffected Components: Management Server (on-premises) and Cloud Version
• Affected Versions: 9.4.7.1 and earlier
• CWE ID: CWE-940 – Improper Verification of Source of a Communication Channel

Successful exploitation enables attackers to fully compromise vulnerable endpoints, execute arbitrary code, install backdoors, and maintain persistence within enterprise environments.

Exploitation Insights

• First Seen: April 2025
• Exploitation Method: Malicious network packets over TCP port 443
• Observed Behavior: Attackers deploy custom payloads that establish remote access and control mechanisms.
• Impact: Total endpoint compromise, unauthorized persistence, and lateral movement across internal networks.

Recommendations

1. Apply Patches Immediately
   Update Lanscope Endpoint Manager Client (MR) and Detection Agent (DA) components to patched versions 9.3.2.7 through 9.4.7.3 or later, as issued by Motex. These updates remediate the vulnerability exploited in active attacks.
2. Restrict Network Exposure
   Limit external network access to affected clients and agents.
   • Block or monitor incoming connections on TCP port 443 from untrusted sources.
   • Allow communication only between trusted hosts within corporate boundaries.
3. Monitor Network Traffic
   Deploy Intrusion Detection/Prevention Systems (IDS/IPS) to flag anomalous traffic targeting Lanscope clients.
   • Inspect traffic patterns for unexplained packets or repeated connections that may indicate exploitation or C2 communications.
   • Correlate logs for suspicious executable activity tied to the affected modules.
4. Review Endpoint Security
   Conduct comprehensive EDR scans across all endpoints using Lanscope Client or Detection Agent components.
   • Isolate systems exhibiting unauthorized binaries or scripts.
   • Investigate any behavioral anomalies to prevent lateral movement.
5. Reinforce System Hardening
   • Disable unnecessary services and ports on endpoint devices.
   • Restrict administrative privileges to trusted personnel.
   • Maintain network segmentation to contain potential compromise propagation.

Indicators of Compromise (IoCs)

IPv4 Addresses Observed in Exploitation Campaigns:

• 38[.]54[.]56[.]10
• 38[.]60[.]212[.]85
• 108[.]61[.]161[.]118
• 38[.]54[.]56[.]57

• 38[.]54[.]88[.]172

MITRE ATT&CK TTPs

References

• Motex Security Advisory – Lanscope Endpoint Manager Patch Release (October 2025)
• JPCERT/CC Newsflash – CVE-2025-61932 Exploitation Alert
• JVN – JVN#86318557: Lanscope Endpoint Manager Vulnerability Details

• MITRE ATT&CK Techniques, T1203, T1071.001, T1068