Motex Lanscope Endpoint Manager actively exploited source verification RCE (CVE-2025-61932)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2025-61932 is a critical Motex Lanscope Endpoint Manager vulnerability that was actively exploited as a zero-day by Tick/BRONZE BUTLER against on-premises systems. The flaw can let attackers run arbitrary commands with SYSTEM privileges, and JPCERT/CC confirmed reports of active abuse to drop a backdoor on compromised hosts. Sophos observed the campaign using Gokcpdoor, Havoc, and DLL side-loading with OAED Loader to maintain access, move laterally, and exfiltrate data. CISA added CVE-2025-61932 to the Known Exploited Vulnerabilities catalog, and fixes are available for affected Client program and Detection Agent releases.
Cases
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
PAN-OS GlobalProtect CVE-2026-0257 exploitation wave
Exploitation Wave
H score18
First: 01.06.2026 11:30
Last: 01.06.2026 11:30
Sources 1
About this happening:
A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...
PAN-OS GlobalProtect CVE-2026-0257 exploitation wave
Exploitation WaveAbout this happening: A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
H score44
First: 09.02.2026 16:42
Last: 09.02.2026 16:42
Sources 1
About this happening:
**SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation WaveAbout this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
Latest development: 10.03.2026 08:17
CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
H score53
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector ActionAbout this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
-
23.10.2025 08:37 6 articles · 8mo ago
CISA adds CVE-2025-61932 to the KEV catalog
Initial DisclosureCISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.
Show sources
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
-
23.10.2025 08:37 6 articles · 8mo ago
CISA adds CVE-2025-61932 to the KEV catalog
Initial DisclosureCISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.
Show sources
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26
-
23.10.2025 08:37 6 articles · 8mo ago
CISA adds CVE-2025-61932 to the KEV catalog
Initial DisclosureCISA added CVE-2025-61932 for Motex Lanscope Endpoint Manager to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects on-premises Client program and Detection Agent versions 9.4.7.1 and earlier, can enable arbitrary code execution by sending specially crafted packets, and has fixed releases in 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. Federal Civilian Executive Branch agencies were told to remediate CVE-2025-61932 by November 12, 2025.
Show sources
- Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms — thehackernews.com — 23.10.2025 08:37
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- CISA warns of Lanscope Endpoint Manager flaw exploited in attacks — www.bleepingcomputer.com — 23.10.2025 19:24
- APT 'Bronze Butler' Exploits Zero-Day to Root Japan Orgs — www.darkreading.com — 06.11.2025 04:00
- China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems — thehackernews.com — 31.10.2025 15:26