Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)

Vulnerability
H score 61
3 unique sources, 4 articles

Summary

CVE-2025-61932 is a critical Motex Lanscope Endpoint Manager vulnerability that was actively exploited as a zero-day by Tick/BRONZE BUTLER against on-premises systems. The flaw can let attackers run arbitrary commands with SYSTEM privileges, and JPCERT/CC confirmed reports of active abuse to drop a backdoor on compromised hosts. Sophos observed the campaign using Gokcpdoor, Havoc, and DLL side-loading with OAED Loader to maintain access, move laterally, and exfiltrate data. CISA added CVE-2025-61932 to the Known Exploited Vulnerabilities catalog, and fixes are available for affected Client program and Detection Agent releases.

Cases

Related Happenings

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The agency said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

React Native Metro servers Metro4Shell exploitation wave (CVE-2025-11953)

Exploitation Wave
First: 03.02.2026 16:00 Last: 03.02.2026 16:00 Sources 1

About this happening: Repeated exploitation of **CVE-2025-11953** is hitting exposed **React Native Metro servers**, creating remote command and payload-delivery risk across a large development-systems...

HPE OneView RondoDox exploitation wave (CVE-2025-37164)

Exploitation Wave
First: 16.01.2026 11:15 Last: 16.01.2026 11:15 Sources 1

About this happening: **RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...

CISA adds WatchGuard Fireware CVE-2025-9242 to KEV catalog

Public Sector Action
First: 13.11.2025 09:23 Last: 13.11.2025 09:23 Sources 1

About this happening: CISA **added** **CVE-2025-9242** in **WatchGuard Fireware** to the **KEV catalog**, signaling **active exploitation** and forcing remediation prioritization. The flaw is an **out-...

Timeline

  1. 23.10.2025 08:37 6 articles · 7mo ago

    CISA adds CVE-2025-61932 to the KEV catalog

    Initial Disclosure

    CISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.
