CVE-2025-61932 is a critical remote code execution (RCE) vulnerability in the on-premise version of Motex LANSCOPE Endpoint Manager that is being actively exploited in the wild.
The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable endpoints by sending specially crafted packets.
Vulnerability details
- Vulnerable software: Motex LANSCOPE Endpoint Manager (on-premises).
- Affected versions: All versions up to and including 9.4.7.1.
- Affected components: The Client Program (MR) and Detection Agent (DA) components. The management server and cloud version of the product are not affected.
- Attack vector: The vulnerability, classified as CWE-940 (Improper Verification of Source of a Communication Channel), allows an attacker to send malicious network packets to a vulnerable endpoint. The attack can be carried out remotely, without authentication, and potentially over exposed management ports such as TCP 443.
- Severity: This is a critical vulnerability with a CVSS score of 9.8 (CVSS v3.x) and 9.3 (CVSS v4.0), according to security advisories.
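To turn the affected-range statement above into something an administrator can run against an asset list, here is an added example (not code from Motex or from the original advisory) that scopes an inventory of LANSCOPE installs. It assumes a simple inventory record per host (hostname, component, version, deployment type) and uses the advisory's stated upper bound, 9.4.7.1, as the inclusive cut-off; the sample inventory is constructed.

```python
"""Check an inventory of LANSCOPE Endpoint Manager installs against the affected range."""

# Upper bound (inclusive) of the affected range stated in the advisory.
LAST_AFFECTED_VERSION = "9.4.7.1"

# Components the advisory names as affected; the management server and
# the cloud edition are not.
AFFECTED_COMPONENTS = {"MR", "DA"}
AFFECTED_DEPLOYMENT = "on-premises"


def parse_version(version: str) -> tuple:
    """Turn "9.4.7.1" into (9, 4, 7, 1) so comparison is numeric, not lexical.

    Lexical comparison would rank "9.4.10" below "9.4.7.1"; tuples do not.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, component: str, deployment: str) -> bool:
    """True when the install is in scope for CVE-2025-61932 per the advisory.

    Anything above the stated upper bound is treated as outside the range;
    the advisory gives no patched version number, so confirm against the
    vendor's current release before trusting a 'not affected' result.
    """
    if deployment != AFFECTED_DEPLOYMENT:
        return False
    if component not in AFFECTED_COMPONENTS:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "pc-001", "component": "MR", "version": "9.4.7.1", "deployment": "on-premises"},
    {"host": "pc-002", "component": "DA", "version": "9.4.10", "deployment": "on-premises"},
    {"host": "pc-003", "component": "MR", "version": "9.3.2.0", "deployment": "on-premises"},
    {"host": "srv-mgmt", "component": "Server", "version": "9.4.7.1", "deployment": "on-premises"},
    {"host": "pc-cloud", "component": "MR", "version": "9.4.7.1", "deployment": "cloud"},
]


def affected_hosts(inventory) -> list:
    """Return hostnames from the inventory that still need the patch."""
    return [
        item["host"]
        for item in inventory
        if is_affected(item["version"], item["component"], item["deployment"])
    ]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch required")
```

The numeric version tuple matters in practice: a plain string comparison would report a 9.4.10 client as older than 9.4.7.1 and miss or mis-scope hosts.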
Threat and exploitation
- Active exploitation: Since being identified around April 2025, the vulnerability has been actively exploited.
- Attacker activity: Threat actors are conducting internet-wide scans to find vulnerable LANSCOPE instances.
- Observed impact: Exploitation confirmed by security agencies such as CISA and JPCERT/CC indicates that attackers can gain full control of endpoints. Exploitation may be used to drop backdoors for persistent access, facilitate lateral movement within the network, and exfiltrate data.
- Threat actors: While no specific group has been officially named, the exploitation tactics are consistent with both financially motivated cybercriminals and state-sponsored actors.
Mitigation and remediation
- Immediate patching: Motex has released patches for the vulnerability. All affected Client Program (MR) and Detection Agent (DA) components should be updated immediately to a patched version.
- Network restrictions: If immediate patching is not possible, restrict network access to affected endpoints. Block external connections on ports like TCP 443 and ensure communication is limited to trusted hosts.
- Enhanced monitoring: Monitor network traffic for anomalous connections, review logs for suspicious activity, and perform endpoint scans to detect unauthorized binaries.
- Federal mandate: CISA has added this CVE to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to patch by November 12, 2025.
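The network-restriction and monitoring items above amount to one check: inbound connections to agent hosts on the exposed port should come only from trusted hosts. The following added example (not code from Motex or the original advisory) runs that check over firewall-style log lines. The `key=value` log format, the agent host addresses, and the trusted management subnet are all assumptions, and the log lines are constructed for the example; TCP 443 is the port the advisory names as potentially exposed.

```python
"""Report inbound connections to LANSCOPE agent hosts from outside a trusted allow-list."""
import ipaddress
import re
from typing import Optional

# Hosts running the on-premises Client Program (MR) / Detection Agent (DA).
# Constructed sample addresses, not values from any real deployment.
AGENT_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Only the management server subnet should reach the agents (assumed layout).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

# Port the advisory names as a potentially exposed management port.
WATCH_PORT = 443

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-10-20T10:15:02Z src=10.0.1.10 dst=10.0.5.21 dport=443 proto=tcp action=allow
2025-10-20T10:15:09Z src=203.0.113.5 dst=10.0.5.21 dport=443 proto=tcp action=allow
2025-10-20T10:16:41Z src=198.51.100.7 dst=10.0.5.22 dport=443 proto=tcp action=allow
2025-10-20T10:17:03Z src=203.0.113.9 dst=10.0.5.21 dport=22 proto=tcp action=allow
2025-10-20T10:17:30Z src=203.0.113.5 dst=10.0.9.9 dport=443 proto=tcp action=allow
2025-10-20T10:18:12Z src=203.0.113.5 dst=10.0.5.22 dport=443 proto=tcp action=deny
"""

_FIELD = re.compile(r"(\w+)=(\S+)")
_REQUIRED = {"src", "dst", "dport", "proto", "action"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None if it is malformed."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    record = {"ts": parts[0], **dict(_FIELD.findall(parts[1]))}
    if not _REQUIRED.issubset(record):
        return None
    try:
        record["src_ip"] = ipaddress.ip_address(record["src"])
        record["dport"] = int(record["dport"])
    except ValueError:
        return None
    return record


def is_trusted(addr, trusted_nets) -> bool:
    """True when the source address falls inside any trusted network."""
    return any(addr in net for net in trusted_nets)


def find_untrusted_inbound(log_text: str, agent_hosts=AGENT_HOSTS,
                           trusted_nets=TRUSTED_NETWORKS, port=WATCH_PORT) -> list:
    """One finding per TCP connection to an agent host on `port` from an untrusted source.

    Denied connections are kept as well: a blocked attempt from an untrusted
    source is still evidence of scanning against the exposed port.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in agent_hosts or rec["dport"] != port or rec["proto"] != "tcp":
            continue
        if is_trusted(rec["src_ip"], trusted_nets):
            continue
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "dst": rec["dst"], "action": rec["action"]})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by firewall action so allowed hits stand out from blocked ones."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_untrusted_inbound(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{WATCH_PORT} ({h['action']})")
    print(summarize(hits))
```

An allowed hit means the network restriction is not in place for that host and the endpoint should be treated as potentially compromised until checked; a denied hit confirms the block is working but still indicates an untrusted party is probing the port.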