The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.
The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager, specifically Client program and Detection Agent, and could allow attackers to execute arbitrary code on susceptible systems.
“Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability, allowing an attacker to execute arbitrary code by sending specially crafted packets,” CISA said.
The flaw impacts versions 9.4.7.1 and earlier. It has been addressed in the versions below –
- 9.3.2.7
- 9.3.3.9
- 9.4.0.5
- 9.4.1.5
- 9.4.2.6
- 9.4.3.8
- 9.4.4.6
- 9.4.5.4
- 9.4.6.3, and
- 9.4.7.3
It’s currently not known how the vulnerability is being exploited in real-world attacks, who is behind them, or the scale of such efforts. However, an alert issued by the Japan Vulnerability Notes (JVN) portal earlier this week noted that Motex has confirmed an unnamed customer “received a malicious packet suspected to target this vulnerability.”
Japan’s JPCERT/CC has also acknowledged active abuse, stating “cases of receiving unauthorized packets to certain ports have been confirmed in domestic customer environments” and that the activity took place after April 2025.
Based on the information provided in the advisory, it appears that the vulnerability is being exploited to drop an unspecified backdoor on compromised systems.
In light of active exploitation efforts, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate CVE-2025-61932 by November 12, 2025, to safeguard their networks.
