The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert regarding a newly discovered vulnerability in the Lanscope Endpoint Manager developed by Japanese firm Motex (a subsidiary of Kyocera Communication Systems). The issue, tracked as CVE-2025-61932 with a CVSS 9.3 rating, is already confirmed to be exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities catalog.
Remote Code Execution Flaw Allows Arbitrary Code via Crafted Packets
The vulnerability stems from improper verification of the source of incoming communication in the Lanscope Client and Detection Agent components. An unauthenticated attacker can exploit this weakness by sending specially crafted network packets to affected endpoints, causing arbitrary code execution under the system context. Evidence from Motex indicates some customer environments already received malicious packets, and Japan’s CERT (JPCERT/CC) has acknowledged active domestic abuse of the flaw.
Affected versions include all on-premises Lanscope Endpoint Manager versions 9.4.7.1 and earlier; Motex has released patched versions spanning 9.3.2.7 through 9.4.7.3. Importantly, Motex confirms that only the client installation requires updating, and the central management server version does not need simultaneous upgrading.
“A vulnerability exists in the Endpoint Manager On-Premises client program (hereafter referred to as MR) and the Detection Agent … that allows remote code execution.”
— Motex security bulletin
Exploitation Confirmed — Federal Agencies Given Rapid Remediation Deadline
CISA’s decision to list CVE-2025-61932 in its KEV catalog indicates confirmed exploitation by threat actors, a major signal that agencies and companies must act immediately. Under Binding Operational Directive 22-01, U.S. federal civilian agencies have until November 12, 2025 to identify and patch vulnerable Lanscope deployments. Observed exploitation tactics include delivering payloads designed to persist and escalate privileges.
Adversaries targeting Lanscope could gain broad access to managed desktops and mobile devices, enabling credential theft, lateral movement, and deployment of additional malware or ransomware. Endpoint management platforms like Lanscope often have privileged network access, making them high-value escalation targets.
Tradecraft and Attack Scope Highlight Multifactor Threat Chain
While detailed indicators remain scarce, researchers outline the likely attack chain:
- Initial access: attacker reaches an exposed or compromised management endpoint running the Lanscope Agent.
- Exploitation: crafted packet triggers RCE via CVE-2025-61932 (mapped to ATT&CK T1203 or T1210).
- Execution: payload implants as a service or scheduled task, often disguised under legitimate Lanscope nomenclature.
- Persistence & privilege escalation: the elevated privileges of the endpoint manager agent permit escalation (T1055, T1543).
- Lateral movement and C2: attacker uses internal trust to pivot; encrypted outbound connections pass through compromised endpoints to hide exfiltration (T1021, T1071).
Because Lanscope is widely deployed across Japan and Asia, and often in enterprise mobility and desktop management environments, the geographic footprint of exposure is significant. Organizations in North America, Europe and beyond also use the software via AWS-hosted or hybrid installations and thus face global risk.
Urgent Mitigation and Defence Measures Organizations Must Implement
Security teams are advised to take the following steps:
- Patch immediately: Upgrade Lanscope Client and Detection Agent to version 9.4.7.3 or higher (the other patched releases Motex issued also resolve the flaw).
- Limit exposure: Remove public internet access to Lanscope Agent ports; ensure agents whitelist trusted update servers.
- Monitor anomalous network traffic: Look for persistent outbound TLS or unusual port activity from Lanscope agents.
- Audit recent changes and service accounts: Inspect for new or modified scheduled tasks tied to Lanscope; validate credential hygiene.
- Segment management traffic: Place agent-server communication on isolated VLANs; apply zero-trust principles to endpoint management flows.
- Hunt for artifacts: Search for unknown running processes matching Lanscope binary naming, detect new COM registrations or unexpected DLL loads.
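As an added example (not from the article or from Motex), the version facts stated above can be turned into a triage check over an asset inventory, so that the "patch immediately" step is applied only to client installs that are actually exposed. The inventory, hostnames and the `role` field are constructed; the patched-build set holds only the two releases the article names and must be extended from Motex's bulletin.

```python
from typing import NamedTuple

# Versions taken from the advisory text: every on-premises client 9.4.7.1 or
# earlier is affected unless it is one of the patched builds Motex released.
LAST_AFFECTED = (9, 4, 7, 1)
# Only the two patched builds named in the article are listed here; extend the
# set from Motex's bulletin, which lists the fixed build for every branch.
PATCHED_BUILDS = {(9, 3, 2, 7), (9, 4, 7, 3)}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.7.1' into (9, 4, 7, 1) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Lanscope version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> bool:
    """A client is exposed if it is <= 9.4.7.1 and not an explicitly patched build."""
    v = parse_version(version)
    return v not in PATCHED_BUILDS and v <= LAST_AFFECTED

class Endpoint(NamedTuple):
    host: str
    role: str      # "client" or "server" (constructed inventory field)
    version: str

def triage(inventory: list[Endpoint]) -> list[str]:
    """Return hostnames of client installs that still need the fix. Servers are
    skipped because the bulletin says only the client installation needs updating."""
    return [e.host for e in inventory
            if e.role == "client" and is_vulnerable(e.version)]

# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Endpoint("ws-001", "client", "9.4.7.1"),   # last affected build
    Endpoint("ws-002", "client", "9.4.7.3"),   # patched
    Endpoint("ws-003", "client", "9.3.2.7"),   # older branch, but a patched build
    Endpoint("ws-004", "client", "9.3.2.6"),   # older branch, not patched
    Endpoint("ws-005", "client", "9.4.10.0"),  # numerically newer than 9.4.7.1
    Endpoint("mgmt-01", "server", "9.4.7.1"),  # server: out of scope per bulletin
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Lanscope client needs updating (CVE-2025-61932)")
```

Note that a patched older branch (9.3.2.7) sorts below 9.4.7.1 yet is not exposed, and that "9.4.10.0" sorts before "9.4.7.1" as a string; the tuple comparison handles both cases.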
Even as patching remains the primary remediation path, enhanced monitoring and access control are crucial given the speed of exploitation. Endpoint management platforms represent a potent attack surface because they operate with elevated privileges and trusted network access.