Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

RCE in MOTEX LANSCOPE Endpoint Manager On-Premises MR/DA

IdentifiersCVE-2025-61932CWE-940· Improper Verification of Source of…

CVE-2025-61932 is a critical remote code execution vulnerability in MOTEX LANSCOPE Endpoint Manager (On-Premises), affecting the Client program (MR) and Detection agent (DA). The flaw is caused by improper verification of the source/origin of a communication channel or incoming requests. An unauthenticated remote attacker can send specially crafted packets, including traffic to TCP port 443 as reported in multiple sources, to a vulnerable MR or DA component and trigger arbitrary code execution. Vendor and third-party reporting indicate affected versions include 9.4.7.1 and earlier, with some reporting describing exposure through 9.4.7.2 and earlier; the cloud/SaaS version is stated to be unaffected. Multiple reports further state exploitation can result in execution with SYSTEM privileges.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution on vulnerable LANSCOPE Endpoint Manager on-premises endpoints. Reporting indicates attackers can execute arbitrary commands/code with SYSTEM privileges, enabling full compromise of the affected host, deployment of backdoors, credential and directory data collection, lateral movement, persistence, and data theft. The vulnerability has been reported as actively exploited in the wild, including as a zero-day in campaigns attributed to Bronze Butler/Tick targeting organizations in Japan.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of MR and DA components to untrusted networks, especially the Internet, and restrict access to the affected service/port (reported as TCP 443 in exploitation reporting) using firewalls, ACLs, VPN-only access, or network segmentation. Review whether internet-facing LANSCOPE systems with MR/DA installed need to be publicly exposed at all. Monitor for suspicious packets and investigate for signs of compromise or backdoor activity using vendor/JPCERT/CC guidance and published indicators. However, available reporting indicates patching/upgrading is the primary and most reliable mitigation, and some sources state no effective workaround exists beyond applying the fix.

Remediation

Patch, then assume compromise.

Apply MOTEX-provided fixed versions for the affected MR/DA components. Reported fixed versions include 9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, and 9.3.2.7, depending on the deployed branch. Vendor reporting indicates the management server component does not require upgrade for this issue, while affected client-side MR/DA components do. Organizations should update all affected client PCs/endpoints and validate that internet-exposed vulnerable components are no longer running unpatched versions.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
MotexLanscope Endpoint Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

95 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

95 SOURCESView more in app
dark readingNews
Nov 6, 2025
APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs

A critical pre-auth remote code execution and privilege escalation issue in Motex Lanscope (on-prem endpoint management platform) caused by missing request origin/legitimacy validation, insufficient barriers to prevent arbitrary code execution, and a missing privilege check—enabling attackers to execute code with system-level privileges across managed endpoints.

Read more
bleeping computerNews
Nov 1, 2025
China-linked hackers exploited Lanscope flaw as a zero-day in attacks

A critical request origin verification flaw in Motex Lanscope Endpoint Manager (<= 9.4.7.2) that allows unauthenticated remote code execution with SYSTEM privileges via specially crafted packets; used as a zero-day by the China-linked Bronze Butler (Tick) group to deploy Gokcpdoor malware.

Read more
ctoatncsc substackNews
Nov 1, 2025
CTO at NCSC Summary: week ending November 2nd

A remote command execution vulnerability that yields SYSTEM-level command execution; used for initial access and potentially for privilege escalation/lateral movement inside networks.

Read more
the hacker newsNews
Oct 31, 2025
China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems

A critical remote command execution vulnerability in on-premise Motex Lanscope Endpoint Manager that allows remote attackers to execute arbitrary commands with SYSTEM privileges.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence6

Every observed campaign linking this CVE to a named adversary.

Associated malware10

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity83

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-61932
NVD
nvd.nist.gov/vuln/detail/CVE-2025-61932
MITRE CWE · CWE-940
Improper Verification of Source of a…
Vendor Advisory
motex.co.jp/news/notice/2025/release251020
Third Party Advisory
jvn.jp/en/jp/JVN86318557
Third Party Advisory
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61932