Critical RCE Flaw Hits Motex LANSCOPE, CISA Issues Warning

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61932, a critical security flaw in Motex LANSCOPE Endpoint Manager, to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. This vulnerability allows remote attackers to execute arbitrary code on affected systems.


Vulnerability Details

  • CVE ID: CVE-2025-61932
  • Description: Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability, allowing an attacker to execute arbitrary code by sending specially crafted packets.
  • CVSS Score: 9.3
  • Affected Components: On-premises versions of Lanscope Endpoint Manager, specifically the Client program and Detection Agent.
  • Cause: Improper verification of the origin of incoming requests.
  • Impact: Successful exploitation could lead to arbitrary code execution on vulnerable systems and the deployment of a backdoor.

Affected Products

The vulnerability affects the following versions:

  • Lanscope Endpoint Manager versions 9.4.7.1 and earlier.

Remediation

The only known solution is to upgrade to one of the patched versions:

  • 9.3.2.7
  • 9.3.3.9
  • 9.4.0.5
  • 9.4.1.5
  • 9.4.2.6
  • 9.4.3.8
  • 9.4.4.6
  • 9.4.5.4
  • 9.4.6.3
  • 9.4.7.3

The vendor highlights that the vulnerability impacts the client side, so customers do not need to upgrade the manager.
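To act on the version list above, a client inventory can be sorted into hosts that still need the update. The script below is an added example, not vendor or CISA tooling. It assumes the first three version components identify a release branch and the fourth is the build within it. The hostnames and sample versions are constructed.

```python
# Added example: triage client versions against the fixed builds listed above.
# Assumption: the first three components name a release branch and the fourth
# is the build number within that branch.
FIXED = ["9.3.2.7", "9.3.3.9", "9.4.0.5", "9.4.1.5", "9.4.2.6",
         "9.4.3.8", "9.4.4.6", "9.4.5.4", "9.4.6.3", "9.4.7.3"]
LAST_AFFECTED = (9, 4, 7, 1)  # "9.4.7.1 and earlier"

def parse(version):
    """Turn '9.4.7.1' into (9, 4, 7, 1); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)

FIXED_BY_BRANCH = {parse(v)[:3]: parse(v) for v in FIXED}

def triage(version):
    """Return (status, target); target is the fixed build to move to, or None."""
    v = parse(version)
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is not None:
        # Builds below the branch's fixed build are treated as vulnerable.
        if v >= fixed:
            return ("patched", None)
        return ("vulnerable", ".".join(map(str, fixed)))
    if v <= LAST_AFFECTED:
        # In the affected range, but no fixed build is listed for this branch.
        return ("vulnerable-no-branch-fix", None)
    return ("not-listed-as-affected", None)

def report(inventory):
    """inventory: iterable of (hostname, version). Returns hosts needing action."""
    out = []
    for host, version in inventory:
        try:
            status, target = triage(version)
        except ValueError:
            status, target = ("unparseable", None)
        if status not in ("patched", "not-listed-as-affected"):
            out.append((host, version, status, target))
    return out

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("pc-001", "9.4.7.1"), ("pc-002", "9.4.7.3"), ("pc-003", "9.3.2.5"),
          ("pc-004", "9.2.1.0"), ("pc-005", "9.4.6.3"), ("pc-006", "n/a")]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="\t")
```

Hosts reported as unparseable or without a fix listed for their branch need manual follow-up against the vendor's advisory.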


Active Exploitation

CISA has added this to the KEV catalog, which means it is actively exploited in the wild. Motex has confirmed that at least one customer received a malicious packet suspected of targeting this vulnerability. Japan’s JPCERT/CC has also acknowledged active abuse, confirming unauthorized packets to certain ports in domestic customer environments after April 2025. It is suspected that the vulnerability is being exploited to drop a backdoor on compromised systems.


TTP Information

  • TA0002 – Execution: The attacker exploits the vulnerability to execute arbitrary code on the target system.
  • T1210 – Exploitation of Remote Services: This technique involves exploiting a vulnerability in a remote service to execute code or perform other actions on a remote system.

CISA Directive

CISA has set a deadline of November 12, 2025, for Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches. Although this directive is specific to U.S. federal agencies, CISA advises that all organizations should remediate this vulnerability as soon as possible.


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
