Active Exploitation of Critical Motex Lanscope Endpoint Manager Vulnerability
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61932, a critical flaw in Motex Lanscope Endpoint Manager, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw stems from improper verification of the origin of incoming requests: an attacker who can reach an on-premises Lanscope server over the Internet can send specially crafted packets and execute arbitrary code, with no foothold inside the network required. Dark Reading describes the root cause as a combination of missing security checks, missing privilege checks, and no barrier against arbitrary code execution. Only the on-premises product is affected, specifically the Client program and Detection Agent; the cloud version of Lanscope is not. Initial reporting gives the flaw a CVSS v4 score of 9.3; the later Dark Reading coverage cites 9.8.

Reporting differs on the affected cutoff (versions 9.4.7.1 and earlier per The Hacker News, 9.4.7.2 and earlier per BleepingComputer). Motex has released a fixed build for each release line: 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Any build below the fixed version for its own line should be treated as vulnerable, and there are no workarounds or mitigations other than installing the update. Federal Civilian Executive Branch (FCEB) agencies must remediate by November 12, 2025.

When CISA listed the flaw, the exploitation method and the actors behind it were not publicly known; an alert from the Japan Vulnerability Notes (JVN) portal and Japan's CERT Coordination Center (JPCERT/CC) reported that an unnamed customer and domestic organizations had received malicious packets targeting it. Subsequent reporting attributed the activity to Tick (also tracked as Bronze Butler), a suspected Chinese cyber espionage group, which exploited the flaw as a zero-day well before public disclosure to deliver a backdoor called Gokcpdoor. The group used the Havoc command-and-control (C2) framework, loaded through DLL side-loading and a loader called OAED, and moved laterally and exfiltrated data with off-the-shelf tooling: goddi, Remote Desktop, 7-Zip, and cloud services such as file.io and Piping Server, with LimeWire, a file-sharing service, possibly used for exfiltration as well.

Lanscope is a unified endpoint management and security platform widely used in Japan, deployed by one in four listed companies and one in three financial institutions, which makes it a high-value target. Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication. Japanese organizations face threats shaped by regional geopolitics and industry profile, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.
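Because the fixed builds are published per release line, a naive check such as "installed version is at least 9.4.7.3" misclassifies patched installs on older lines (9.4.6.3 carries the fix yet sorts below 9.4.7.3). The Python below is an added example, not Motex's code or anything from the cited reports: it maps an installed Client program or Detection Agent version to the fixed build for its own line using the list quoted in this summary, and runs the check over a constructed inventory. The four-part numeric version format is assumed from the advisory's numbers; hostnames and installed versions in the sample are made up.

```python
# Added example (not vendor code): classify on-premises Lanscope Endpoint
# Manager client/agent builds against the CVE-2025-61932 fixed-build list.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds as quoted in the reporting; exactly one per release line.
FIXED_BUILDS = [
    "9.3.2.7", "9.3.3.9", "9.4.0.5", "9.4.1.5", "9.4.2.6",
    "9.4.3.8", "9.4.4.6", "9.4.5.4", "9.4.6.3", "9.4.7.3",
]


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a comparable tuple; assumes four numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts  # type: ignore[return-value]


# Release line (first three components) -> fixed build on that line.
FIX_BY_LINE: Dict[Tuple[int, int, int], Version] = {
    v[:3]: v for v in map(parse_version, FIXED_BUILDS)
}
NEWEST_LINE = max(FIX_BY_LINE)


def assess(installed: str) -> str:
    """Classify one installed build string.

    Returns 'patched', 'vulnerable', 'vulnerable-unsupported-line' (no fixed
    build exists for that line; upgrade it) or 'newer-than-advisory' (a line
    the advisory does not cover; confirm with the vendor)."""
    v = parse_version(installed)
    fixed = FIX_BY_LINE.get(v[:3])
    if fixed is None:
        if v[:3] > NEWEST_LINE:
            return "newer-than-advisory"
        return "vulnerable-unsupported-line"
    # Compare within the line only: 9.4.6.3 is patched even though it is
    # numerically below 9.4.7.3.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, version) pairs; hosts needing action sort first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (r[2] == "patched", r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("jp-fs01", "9.4.7.2"),   # below the fix on the 9.4.7 line
    ("jp-fs02", "9.4.7.3"),   # fixed
    ("jp-hr03", "9.4.6.3"),   # fixed, although it sorts below 9.4.7.3
    ("jp-hr04", "9.4.6.2"),   # below the fix on the 9.4.6 line
    ("jp-lab05", "9.2.9.9"),  # line with no fixed build: upgrade the line
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {ver:10} {status}")
```

The same per-line logic applies whichever affected cutoff (9.4.7.1 or 9.4.7.2) turns out to be right: a build is safe only if it is at or above the fixed build of its own line, and a line with no fixed build has to be moved to a supported one.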
Timeline
-
06.11.2025 04:00 · 1 article
Motex Lanscope Endpoint Manager Vulnerability Details and Impact
Dark Reading, drawing on the Sophos publication, cites a CVSS v4 score of 9.8 for CVE-2025-61932 (earlier reporting gave 9.3). Lanscope Endpoint Manager is a unified endpoint management and security platform popular in Japan, deployed by one in four listed companies and one in three financial institutions. The flaw combines missing security checks, missing privilege checks, and no barrier against arbitrary code execution, and an attacker who can reach an on-premises deployment over the Internet can connect to it and exploit the flaw. Motex has released a fix; the cloud version of Lanscope is not affected. Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication. The report places the intrusion in the broader context of threats to Japanese organizations, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.
Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
31.10.2025 15:26 · 2 articles
Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems
The Hacker News attributes the exploitation to Tick (also known as Bronze Butler), a suspected Chinese cyber espionage group active since at least 2006 and focused on East Asia, especially Japan. The group exploited the flaw as a zero-day well before public disclosure to deliver Gokcpdoor, a backdoor that establishes a proxy connection with a remote server, and used the Havoc post-exploitation framework loaded through DLL side-loading (Dark Reading names the loader as OAED). For lateral movement and exfiltration it relied on off-the-shelf tooling: goddi, Remote Desktop, 7-Zip, and cloud services such as file.io and Piping Server accessed during remote desktop sessions, with LimeWire possibly used for exfiltration. Tick previously exploited a zero-day in SKYSEA Client View, another endpoint management product used in Japan (reported in October 2017).
Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
23.10.2025 08:37 · 4 articles
Critical Motex Lanscope Endpoint Manager Vulnerability Exploited in the Wild
CISA added CVE-2025-61932 to its KEV catalog after confirming exploitation in the wild. The flaw affects the on-premises Client program and Detection Agent (versions 9.4.7.1 and earlier per The Hacker News, 9.4.7.2 and earlier per BleepingComputer) and lets an attacker execute arbitrary code by sending specially crafted packets, owing to improper verification of the origin of incoming requests. Fixed builds are 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3; there are no workarounds or mitigations, so installing the update is the only remedy. At this point the exploitation method and the actors were not publicly known. Japan's CERT Coordination Center had also warned of attacks on domestic organizations, and an unnamed customer reported receiving malicious packets targeting the flaw. FCEB agencies are required to remediate by November 12, 2025.
Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
Information Snippets
-
CVE-2025-61932 is a critical vulnerability in Motex Lanscope Endpoint Manager; initial reporting gives it a CVSS v4 score of 9.3 (Dark Reading later cites 9.8).
First reported: 23.10.2025 08:37 · 3 sources, 4 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The flaw affects on-premises versions of Lanscope Endpoint Manager, specifically the Client program and Detection Agent.
First reported: 23.10.2025 08:37 · 3 sources, 4 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The vulnerability allows attackers to execute arbitrary code by sending specially crafted packets.
First reported: 23.10.2025 08:37 · 3 sources, 4 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The Hacker News reports the affected versions as 9.4.7.1 and earlier (BleepingComputer says 9.4.7.2 and earlier). Fixed builds, one per release line, are 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3; a build is patched only if it is at or above the fixed build for its own line.
First reported: 23.10.2025 08:37 · 3 sources, 3 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
When CISA listed the flaw, it was confirmed as exploited in the wild, but the exact methods and threat actors were not yet publicly known.
First reported: 23.10.2025 08:37 · 3 sources, 4 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Federal Civilian Executive Branch (FCEB) agencies are advised to remediate the vulnerability by November 12, 2025.
First reported: 23.10.2025 08:37 · 3 sources, 3 articles. Sources:
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The flaw is due to improper verification of the origin of incoming requests.
First reported: 23.10.2025 19:24 · 2 sources, 2 articles. Sources:
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
BleepingComputer reports the affected range as versions 9.4.7.2 and earlier (The Hacker News says 9.4.7.1 and earlier); the fixed build on the 9.4.7 line is 9.4.7.3.
First reported: 23.10.2025 19:24 · 2 sources, 2 articles. Sources:
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The vulnerability has been exploited as a zero-day.
First reported: 23.10.2025 19:24 · 3 sources, 3 articles. Sources:
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
There are no workarounds or mitigations for CVE-2025-61932; installing the update is the only solution.
First reported: 23.10.2025 19:24 · 1 source, 1 article. Sources:
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
-
Japan's CERT Coordination Center has also warned about exploitation of CVE-2025-61932 in attacks on domestic organizations.
First reported: 23.10.2025 19:24 · 1 source, 1 article. Sources:
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
-
The cyber espionage group Tick has been identified as the actor exploiting CVE-2025-61932.
First reported: 31.10.2025 15:26 · 1 source, 1 article. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
-
Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon, is suspected to be a Chinese cyber espionage actor.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The group has been active since at least 2006 and has targeted East Asia, specifically Japan.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The exploitation involves the delivery of a backdoor called Gokcpdoor, which establishes a proxy connection with a remote server.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The attack uses the Havoc post-exploitation framework and relies on DLL side-loading to inject payloads.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Additional tools used include goddi, Remote Desktop, and 7-Zip for lateral movement and data exfiltration.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
During remote desktop sessions the group accessed cloud services such as file.io, LimeWire, and Piping Server to exfiltrate data.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
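The tooling described in the two snippets above gives a defender something concrete to hunt for: uploads from internal hosts to consumer file-sharing services, which are rarely legitimate on a corporate network. The Python below is an added example, not code from Sophos or any of the cited reports. It runs over a few constructed web-proxy log lines, flags every internal host that contacted file.io, LimeWire or Piping Server, and escalates those that pushed more than a threshold of bytes to them. The log format, the limewire.com and ppng.io hostnames (ppng.io taken to be the public Piping Server instance) and the 10 MiB threshold are assumptions; the reporting names the services, not the exact domains.

```python
# Added example (not from the cited reports): flag outbound transfers to the
# file-sharing services Tick is reported to have used, from proxy logs.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Service names come from the reporting; the hostnames are assumptions.
EXFIL_SERVICES = {
    "file.io": "file.io",
    "limewire.com": "LimeWire",
    "ppng.io": "Piping Server",  # assumed public-instance hostname
}

# Assumed proxy log format (one request per line):
#   <timestamp> <src_ip> <method> <host> <path> <status> <bytes_sent_by_client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<sent>\d+)$"
)


def service_for(host: str) -> Optional[str]:
    """Map a request host to a watched service; matches subdomains as well."""
    h = host.lower().rstrip(".")
    for domain, name in EXFIL_SERVICES.items():
        if h == domain or h.endswith("." + domain):
            return name
    return None


def triage(lines: List[str], upload_threshold: int = 10 * 1024 * 1024):
    """Return (findings, unparsed_count).

    Each finding is a dict with src, service, bytes_sent and kind: 'upload'
    when client-to-server bytes reach the threshold, otherwise 'contact'
    (worth a look too: tooling is often pulled from the same services)."""
    sent: Dict[Tuple[str, str], int] = defaultdict(int)
    contacts = set()
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # count rather than silently drop malformed lines
            continue
        service = service_for(m["host"])
        if service is None:
            continue
        key = (m["src"], service)
        contacts.add(key)
        if m["method"] in ("POST", "PUT"):  # only client-to-server transfers
            sent[key] += int(m["sent"])
    findings = []
    for src, service in sorted(contacts):
        b = sent.get((src, service), 0)
        findings.append({
            "src": src,
            "service": service,
            "bytes_sent": b,
            "kind": "upload" if b >= upload_threshold else "contact",
        })
    return findings, unparsed


# Constructed sample log: addresses, hosts and sizes are made up.
SAMPLE_LOG = [
    "2025-10-20T09:14:02Z 10.0.5.21 POST file.io /upload 200 31457280",
    "2025-10-20T09:16:40Z 10.0.5.21 POST file.io /upload 200 31457280",
    "2025-10-20T09:20:11Z 10.0.5.33 GET www.limewire.com /download/abc 200 512",
    "2025-10-20T09:25:09Z 10.0.5.40 PUT ppng.io /backup-2025.7z 200 20971520",
    "2025-10-20T09:30:00Z 10.0.5.50 POST intranet.example.local /upload 200 41943040",
    "garbled line that does not match the expected format",
]

if __name__ == "__main__":
    results, bad = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['kind']:8} {f['src']:12} {f['service']:14} {f['bytes_sent']} bytes")
    print(f"{bad} unparsed line(s)")
```

Pairing this with session context sharpens it further: the reporting says the uploads happened inside remote desktop sessions, so an upload flagged here from a host that also shows an inbound RDP logon in the same window is a much stronger signal than either event alone.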
-
Tick has previously exploited a zero-day flaw in SKYSEA Client View in October 2017.
First reported: 31.10.2025 15:26 · 2 sources, 2 articles. Sources:
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Dark Reading cites a CVSS v4 score of 9.8 for CVE-2025-61932, versus 9.3 in earlier reporting.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The vulnerability affects Lanscope Endpoint Manager, a unified endpoint management and security platform popular in Japan.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Lanscope is deployed by one in every four listed companies and one in every three financial institutions in Japan.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
An attacker who can reach an organization's on-premises deployment over the Internet can connect to it and exploit the flaw directly; no foothold inside the network is needed.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The flaw includes missing security checks, lack of barriers to prevent arbitrary code execution, and missing privilege checks.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Motex has released a fix for the vulnerability, and it does not affect the cloud version of Lanscope.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The Bronze Butler group exploited the vulnerability far in advance of its public disclosure.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The group used the Havoc command-and-control (C2) tool and a loader called OAED to inject payloads.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The group used open-source and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
The group used LimeWire, a file-sharing service, possibly for exfiltration.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
-
Japanese organizations face cyber threats shaped by regional geopolitics and industry profiles, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.
First reported: 06.11.2025 04:00 · 1 source, 1 article. Sources:
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
Similar Happenings
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.
Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability
Active exploitation of a security flaw in Gladinet CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that discloses system files; it affects all versions up to and including 16.7.10368.56560. Researchers at Huntress detected it on September 27, 2025, being used to retrieve the machine key from the application's Web.config file, which in turn enables remote code execution through an older ViewState deserialization vulnerability (CVE-2025-30406). Three customers have been impacted so far. Gladinet was notified and has since released a patch in CentreStack version 16.10.10408.56683; users who cannot upgrade are advised to disable the "temp" handler within the Web.config file for UploadDownloadProxy, which breaks some functionality of the platform but prevents exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation, and Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by November 25, 2025.
Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
Meteobridge Command Injection Vulnerability Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity command injection vulnerability (CVE-2025-4008) in Smartbedded Meteobridge as actively exploited in the wild. The flaw, with a CVSS score of 8.7, allows remote unauthenticated attackers to execute arbitrary code with elevated privileges on affected devices. The vulnerability resides in the Meteobridge web interface, specifically in the template.cgi script, which is vulnerable due to insecure use of eval calls. The flaw was discovered and reported by ONEKEY in February 2025 and was addressed in Meteobridge version 6.2, released on May 13, 2025. The vulnerability can be exploited through specially crafted requests and malicious webpages, posing a significant risk to users. Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary updates by October 23, 2025, to mitigate the risk.
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.