Vulnerability | Campaign | Security Patch Release
Motex Lanscope exploitation, backdoor activity, and remediation
Updated 06.11.2025 04:00
Case score 64
Top contributors
- Vulnerability (base): Anchors the on-premises Lanscope zero-day exploitation and active abuse.
- Campaign (support): Confirms the same CVE was used in a Tick/Bronze Butler campaign with backdoor deployment.
- Security Patch Release (context): Provides Motex's fix and the affected-version scope for the same CVE.
Members 3
Latest activity 06.11.2025 04:00
Active exploitation
KEV: CISA KEV
Patch available
CVSS: 9.8 Critical
First seen 23.10.2025 08:37
Last seen 06.11.2025 04:00
Overview
Attackers are exploiting **CVE-2025-61932** in **Motex Lanscope Endpoint Manager** on-premises systems to run commands with **SYSTEM** privileges and plant backdoors. **JPCERT/CC** confirmed active abuse, and the available evidence ties the activity to **Tick/Bronze Butler** tooling and techniques such as **Gokcpdoor**, **Havoc**, **DLL side-loading**, and **OAED Loader**.
**Motex** released fixed builds for the affected **Client program** and **Detection Agent** versions, while **CISA** added the flaw to **KEV** and set a **November 12, 2025** remediation deadline for Federal Civilian Executive Branch agencies. Available evidence does not quantify the full reach or identify every affected organization.
Attackers are exploiting **CVE-2025-61932** in **Motex Lanscope Endpoint Manager** on-premises deployments to run commands with **SYSTEM** privileges and drop backdoors on exposed systems.
**JPCERT/CC** confirmed active abuse of the flaw, and the activity is tied to **Tick**, also tracked as **Bronze Butler**, **Stalker Panda**, **Stalker Taurus**, **Swirl Typhoon**, **Daserf**, and **REDBALDKNIGHT**. The campaign uses **Gokcpdoor** for covert access, and some intrusions add **Havoc** after initial compromise.
Operators also rely on **DLL side-loading** and **OAED Loader** to inject payloads, then use remote-access tooling and archive utilities to move laterally and exfiltrate data. The observed workflow fits a sustained access-and-exfiltration campaign. Available evidence does not quantify how many organizations were compromised.
**Motex** released fixed builds for affected **Client program** and **Detection Agent** versions, and the **cloud version** is not affected. **CISA** added **CVE-2025-61932** to the **Known Exploited Vulnerabilities** catalog and set a **November 12, 2025** remediation deadline for Federal Civilian Executive Branch agencies.