Find notable cyber news and cases, enriched with sources, timelines, and signals.

Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)

Vulnerability
First reported
Last updated
Happening score
H score 52
3 unique sources, 4 articles

Summary

Hide ▲

CVE-2025-61932 is a critical Motex Lanscope Endpoint Manager vulnerability that was actively exploited as a zero-day by Tick/BRONZE BUTLER against on-premises systems. The flaw can let attackers run arbitrary commands with SYSTEM privileges, and JPCERT/CC confirmed reports of active abuse to drop a backdoor on compromised hosts. Sophos observed the campaign using Gokcpdoor, Havoc, and DLL side-loading with OAED Loader to maintain access, move laterally, and exfiltrate data. CISA added CVE-2025-61932 to the Known Exploited Vulnerabilities catalog, and fixes are available for affected Client program and Detection Agent releases.

Cases

Related Happenings

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

PAN-OS GlobalProtect CVE-2026-0257 exploitation wave

Exploitation Wave
H score18 First: 01.06.2026 11:30 Last: 01.06.2026 11:30 Sources 1

About this happening: A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
H score44 First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
H score53 First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

Timeline

  1. 23.10.2025 08:37 6 articles · 8mo ago

    CISA adds CVE-2025-61932 to the KEV catalog

    Initial Disclosure

    CISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.

    Show sources
  2. 23.10.2025 08:37 6 articles · 8mo ago

    CISA adds CVE-2025-61932 to the KEV catalog

    Initial Disclosure

    CISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.

    Show sources
  3. 23.10.2025 08:37 6 articles · 8mo ago

    CISA adds CVE-2025-61932 to the KEV catalog

    Initial Disclosure

    CISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.

    Show sources