CVE-2025-61932 Exploitation: A New Critical Motex LANSCOPE Endpoint Manager Vulnerability Used in Real-World Attacks

October 27, 2025 · 3 min read

In the wake of confirmed exploits targeting two Microsoft Edge zero-days, CVE-2025-59230 and CVE-2025-24990, yet another critical vulnerability has come into the spotlight, now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Identified as CVE-2025-61932, the newly discovered critical vulnerability impacts Motex LANSCOPE Endpoint Manager and is being weaponized in real-world attacks.

With over 40,000 new CVEs already logged by NIST this year, cybersecurity teams face mounting pressure to stay ahead. Vulnerability exploitation remains the leading attack vector, and as cyber threats grow more sophisticated, proactive detection is essential to reducing the attack surface and mitigating risk.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.


Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-61932 Analysis

A new critical vulnerability, tracked as CVE-2025-61932 with a CVSS v4 score of 9.3, affects on-premises instances of Motex LANSCOPE Endpoint Manager, particularly the Client Program and Detection Agent components.

The flaw was recently added to CISA’s KEV catalog following reports of its active exploitation in the wild. The agency has stated that Motex LANSCOPE Endpoint Manager suffers from insufficient verification of communication channel sources, which could allow adversaries to remotely execute arbitrary code by sending specially crafted network packets.

The vulnerability affects Lanscope Endpoint Manager versions 9.4.7.1 and earlier and has been patched in the 9.3.2.7, 9.3.3.9, and 9.4.0.5–9.4.7.3 releases. It remains unclear how the flaw is being exploited in real-world scenarios, who is responsible, or the extent of the attacks. However, a Japan Vulnerability Notes (JVN) advisory issued earlier this week revealed that Motex confirmed at least one customer had received a malicious packet suspected of targeting this vulnerability.
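The version boundaries above can be turned into a quick inventory triage; the following is an added example, not Motex or SOC Prime code. It assumes four-part version strings and that later builds in a branch keep the fix, and it reports builds in the 9.4.1 to 9.4.6 branches for manual review because the article gives only the endpoints of that range.

```python
# Added example: triage LANSCOPE Endpoint Manager versions against the fixed
# releases named in this article. Hostnames and inventory rows are constructed.
FIXED_BUILDS = {      # branch (a, b, c) -> first fixed build d, as named in the article
    (9, 3, 2): 7,
    (9, 3, 3): 9,
    (9, 4, 0): 5,
    (9, 4, 7): 3,
}
# Branches inside the article's "9.4.0.5–9.4.7.3" range whose fixed build it does not list.
UNLISTED_BRANCHES = {(9, 4, p) for p in range(1, 7)}
NEWEST_FIXED = (9, 4, 7, 3)

def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version_text):
    """Return 'patched', 'review' or 'vulnerable' for one version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"                  # unreadable inventory value
    branch, build = version[:3], version[3]
    if version >= NEWEST_FIXED:
        return "patched"                 # assumption: later builds keep the fix
    if branch in FIXED_BUILDS:           # assumption: so do later builds in a branch
        return "patched" if build >= FIXED_BUILDS[branch] else "vulnerable"
    if branch in UNLISTED_BRANCHES:
        return "review"                  # fixed build not given in the article
    return "vulnerable"                  # older branch with no fixed release named

def triage_inventory(rows):
    """rows: iterable of (hostname, version). Returns {status: [hostnames]}."""
    report = {"patched": [], "review": [], "vulnerable": []}
    for host, version in rows:
        report[triage(version)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("ws-001", "9.4.7.1"), ("ws-002", "9.4.7.3"), ("ws-003", "9.3.2.7"),
          ("ws-004", "9.4.3.2"), ("ws-005", "9.2.1.0"), ("ws-006", "unknown")]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as "review" should be checked against the vendor's advisory for the fixed build of their branch.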

Additionally, Japan’s JPCERT/CC reported evidence of active exploitation, noting that unauthorized packets were observed targeting specific ports in domestic customer environments starting after April 2025. Based on available information, the vulnerability is likely being leveraged to deploy an unidentified backdoor on affected systems.

As for CVE-2025-61932 mitigation, given the ongoing exploitation, FCEB agencies have been urged to patch the flaw by November 12, 2025, to protect their networks from potential compromise. Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, and built on zero-trust milestones, global organizations can future-proof defenses at scale and strengthen their cybersecurity posture.
