SOCRadar® Cyber Intelligence Inc. | CISA Adds Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) to Known Exploited Vulnerabilities
Oct 23, 2025
Nov 04, 2025

CISA Adds Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) to Known Exploited Vulnerabilities

[Update] Bronze Butler Exploits CVE-2025-61932 to Deploy Gokcpdoor Malware

A recently discovered zero-day flaw in Lanscope Endpoint Manager is under exploitation, prompting immediate alerts from its developer Motex, as well as the Cybersecurity and Infrastructure Security Agency (CISA). This blog explains what the flaw is, how it is being exploited, which versions are affected, and what steps organizations can take to mitigate the risk.

What Is CVE-2025-61932?

CVE-2025-61932 (CVSS 9.8) is a critical vulnerability discovered in Lanscope Endpoint Manager. The flaw stems from an improper verification of the source of a communication channel, which can allow remote attackers to send specially crafted packets and execute arbitrary code on affected systems.

In simpler terms, the vulnerability enables attackers to pose as legitimate communication sources, essentially tricking the system into accepting malicious packets that give them control over the endpoint environment.

Details of CVE-2025-61932 (SOCRadar Vulnerability Intelligence)

Because the flaw allows Remote Code Execution (RCE) via crafted packets against the client and detection agent components, an attacker could run arbitrary payloads on a compromised host, establish persistence, attempt local privilege escalation, or pivot to other systems depending on network segmentation and endpoint protections.

How Is CVE-2025-61932 Being Exploited?

Although details remain limited, Motex confirmed that some customer environments received unauthorized packets from external sources, suggesting active exploitation attempts.
Japan’s JPCERT/CC reported awareness of domestic attack activity, while CISA officially listed CVE-2025-61932 in its Known Exploited Vulnerabilities (KEV) Catalog.

For U.S. federal agencies, CISA mandates patching by November 12, 2025.

Which Lanscope Endpoint Manager Versions Are Affected?

All on-premises Lanscope Endpoint Manager versions 9.4.7.1 and earlier are vulnerable. The issue affects the Client program and Detection Agent components specifically.

The vulnerability has been patched in the following versions:

  • 9.3.2.7
  • 9.3.3.9
  • 9.4.0.5
  • 9.4.1.5
  • 9.4.2.6
  • 9.4.3.8
  • 9.4.4.6
  • 9.4.5.4
  • 9.4.6.3
  • 9.4.7.3

Motex clarified that only client systems need updating; the management server upgrade is not required for mitigation.
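The patch list above cannot be reduced to a single "9.4.7.1 and earlier" comparison, because patched builds such as 9.3.2.7 are numerically lower than 9.4.7.1. The following added example (not Motex or SOCRadar tooling) checks an inventory of client versions against the fixed build of each release branch; it assumes a branch is identified by the first three version components, and the hostnames in the test are constructed.

```python
# Fixed builds per release branch (first three version components), as listed
# in the Motex advisory above. Added example, not Motex or SOCRadar tooling.
FIXED_VERSIONS = {
    (9, 3, 2): (9, 3, 2, 7),
    (9, 3, 3): (9, 3, 3, 9),
    (9, 4, 0): (9, 4, 0, 5),
    (9, 4, 1): (9, 4, 1, 5),
    (9, 4, 2): (9, 4, 2, 6),
    (9, 4, 3): (9, 4, 3, 8),
    (9, 4, 4): (9, 4, 4, 6),
    (9, 4, 5): (9, 4, 5, 4),
    (9, 4, 6): (9, 4, 6, 3),
    (9, 4, 7): (9, 4, 7, 3),
}
# Highest build the advisory names as affected ("9.4.7.1 and earlier").
LAST_AFFECTED = (9, 4, 7, 1)


def parse_version(text):
    """Turn '9.4.3.5' into a comparable tuple of ints, padded to four parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version_text):
    """Return (vulnerable, fixed_build_or_None) for one client version.

    A plain "<= 9.4.7.1" test is wrong: 9.3.2.7 is lower yet patched, so each
    branch is compared against its own fixed build from the list.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed is not None:
        return version < fixed, ".".join(map(str, fixed))
    # Branch absent from the patch list: the blanket "9.4.7.1 and earlier"
    # statement still applies, but no fixed build is listed for it.
    return version <= LAST_AFFECTED, None


def hosts_needing_update(inventory):
    """Filter a {hostname: version} map down to hosts on a vulnerable build."""
    report = {}
    for host, version_text in inventory.items():
        vulnerable, fixed = assess(version_text)
        if vulnerable:
            report[host] = {"installed": version_text, "fixed": fixed}
    return report
```

Hosts on a branch that has no listed fixed build come back with `fixed` set to `None`, which is the signal to move them to a branch that does have one.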

Bronze Butler Exploits CVE-2025-61932 to Deploy Gokcpdoor Malware

Sophos researchers have reported that China-linked threat actors known as Bronze Butler (Tick) exploited the Motex Lanscope Endpoint Manager vulnerability (CVE-2025-61932) as a zero-day in targeted cyber-espionage campaigns.

According to researchers, Bronze Butler used the exploit to deploy an updated version of the Gokcpdoor malware, establishing persistent access via proxy connections and employing DLL sideloading for stealth. The campaigns also involved tools like goddi, 7-Zip, and Remote Desktop for credential theft and data exfiltration, often using cloud-based storage services as exfiltration points.

The findings indicate that exploitation began months before the patch release. Organizations are strongly advised to upgrade to the latest Lanscope version, as no mitigations or workarounds currently exist.

The vulnerability was also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 22, 2025, with a patch deadline set for November 12, 2025.

Immediate Steps to Mitigate Lanscope Endpoint Manager Zero-Day (CVE-2025-61932)

Motex recommends upgrading affected systems immediately to one of the patched versions listed. Beyond patching:

  • Review network logs for suspicious or unexpected inbound packets.
  • Restrict external communication channels to only trusted sources.
  • Continuously monitor the CISA KEV catalog for new entries impacting your environment.
  • Use tools for vulnerability intelligence, such as those available on the SOCRadar XTI platform, to follow exploitation trends and assess exposure across your infrastructure.

Track the latest CVEs and exploits with SOCRadar’s Vulnerability Intelligence capabilities

SOCRadar’s Cyber Threat Intelligence (CTI) module provides real-time insights into active exploits like CVE-2025-61932, offering early warnings, updates, and tailored intelligence to help security teams respond faster.

Combined with the Attack Surface Management (ASM) module, organizations can continuously discover exposed assets, monitor for new risks, and proactively close gaps before attackers exploit them. Together, these modules enable a unified approach to identifying, prioritizing, and mitigating emerging threats across your digital footprint.