Vulnerability, Campaign, Security Patch Release

Motex Lanscope exploitation, backdoor activity, and remediation

Updated: 06.11.2025 04:00
Case score: 64
Members: 3
First seen: 23.10.2025 08:37
Last seen: 06.11.2025 04:00
Latest activity: 06.11.2025 04:00
Active exploitation; KEV: CISA KEV; Patch available; CVSS: 9.8 Critical

Overview

Attackers are exploiting **CVE-2025-61932** in **Motex Lanscope Endpoint Manager** on-premises systems to run commands with **SYSTEM** privileges and plant backdoors. **JPCERT/CC** confirmed active abuse, and the available evidence ties the activity to **Tick/Bronze Butler** tooling such as **Gokcpdoor**, **Havoc**, **DLL side-loading**, and **OAED Loader**. **Motex** released fixed builds for the affected **Client program** and **Detection Agent** versions, while **CISA** added the flaw to **KEV** and set a **November 12, 2025** remediation deadline for Federal Civilian Executive Branch agencies. Available evidence does not quantify the full reach or identify every affected organization.

Signals

11 derived

Exploitation: Active exploitation; CVSS 9.8 Critical
CVEs/products: CVE
Victims/regions: Victim region United States
Remediation: KEV: CISA KEV; Urgency: High; Remediation: Patch available
Status: Campaign status Active
Threat context: Malware; Tooling; Actor: BRONZE BUTLER

Malware context

1 family · 4 tools
Tools: Havoc, 7-Zip, goddi, Remote Desktop

Member happenings

3 related

Vulnerability: Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)
Updated: 23.10.2025 08:37; Lead; Contribution: 61
Exploitation: Active exploitation; CVSS: 9.8 Critical; Patch: Patch available

**CVE-2025-61932** is a critical **Motex Lanscope Endpoint Manager** vulnerability that was **actively exploited** as a **zero-day** by **Tick/BRONZE BUTLER** against **on-premises** systems. The flaw can let attackers run **arbitrary commands with SYSTEM privileges**, and **JPCERT/CC** confirmed reports of active abuse to drop a backdoor on compromised hosts. Sophos observed the campaign using **Gokcpdoor**, **Havoc**, and **DLL side-loading** with **OAED Loader** to maintain access, move laterally, and exfiltrate data. **CISA** added **CVE-2025-61932** to the **Known Exploited Vulnerabilities** catalog, and fixes are available for affected **Client program** and **Detection Agent** releases.

Campaign: Tick Motex Lanscope CVE-2025-61932 exploitation campaign
Updated: 31.10.2025 15:26; Scoring Support; Contribution: 3
Objective: Espionage; Campaign: Active

A **Tick (Bronze Butler)** campaign exploited **CVE-2025-61932** in **Motex Lanscope Endpoint Manager** to deploy **Gokcpdoor** and gain remote access to compromised hosts. The operation enabled **SYSTEM**-level command execution, covert proxying, and follow-on tooling for **lateral movement** and **data exfiltration**. **JPCERT/CC** confirmed active abuse, showing the flaw was already being exploited against **on-premises** deployments.

Security Patch Release: Motex security patch release for CVE-2025-61932
Updated: 06.11.2025 04:00; Context
Exploitation: Active exploitation; CVSS: 9.8 Critical; Urgency: High; Patch: Patch available

**Motex** released a fix for **CVE-2025-61932** in **Lanscope**, addressing a **critical** on-premises flaw that had already been exploited as a **zero-day**. Exposure is limited to on-premises installations, since **cloud deployments** are unaffected. The update matters because Lanscope is widely used in **Japan**, including by major listed companies and financial institutions.