Lanscope Endpoint Manager vulnerability exploited in zero-day attacks (CVE-2025-61932)
CVE-2025-61932, an “improper verification of source of a communication channel” vulnerability affecting Lanscope Endpoint Manager, has been exploited as a zero-day since April 2025, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) warned on Wednesday.
According to information received from the solution’s vendor, Motex Inc., a Japanese cybersecurity/IT tools company, Japan-based customers have been targeted with exploit attempts.
Based on vendor claims, the Lanscope Endpoint Manager has significant adoption in Japan, particularly among financial institutions, but its global presence appears to be far more limited.
Nevertheless, the US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring US federal civilian agencies to remediate it within three weeks.
About CVE-2025-61932
Lanscope Endpoint Manager is an endpoint management and security solution that has a SaaS/cloud version (unaffected by this vulnerability) and an on-premises version.
The flaw can be exploited by sending specially crafted packets to TCP port 443 on systems running affected software: the client program (MR) and detection agent (DA) components of Lanscope Endpoint Manager On-Premise v9.4.7.1 and earlier.
Such packets may allow attackers to execute arbitrary code on vulnerable systems.
CVE-2025-61932 has been fixed in versions 9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, and 9.3.2.7.
Organizations have been urged to update all client PCs. The management server software is not affected and doesn’t need to be upgraded, according to Motex.
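As an added example (not from Motex, JPCERT/CC or the original article), the following Python script triages an endpoint inventory against the fixed builds listed above, flagging MR and DA installs that still need the update. It assumes the first three numbers of a version identify its release branch; the inventory columns, hostnames and the SERVER component label are constructed for illustration.

```python
import csv
import io

# Fixed builds as listed in the article. Assumption: the first three numbers
# of a version name its release branch, and each entry is that branch's fix.
FIXED_BUILDS = ["9.4.7.3", "9.4.6.3", "9.4.5.4", "9.4.4.6", "9.4.3.8",
                "9.4.2.6", "9.4.1.5", "9.4.0.5", "9.3.3.9", "9.3.2.7"]
AFFECTED_CEILING = (9, 4, 7, 1)      # "v9.4.7.1 and earlier"
AFFECTED_COMPONENTS = {"MR", "DA"}   # client program and detection agent

def parse_version(text):
    """Turn '9.4.7.1' or 'v9.4.7.1' into a tuple of four ints."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

FIXED_BY_BRANCH = {parse_version(v)[:3]: parse_version(v) for v in FIXED_BUILDS}

def classify(component, version_text):
    """Return 'not-affected', 'fixed', 'update' or 'review' for one install."""
    if component.strip().upper() not in AFFECTED_COMPONENTS:
        return "not-affected"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"                      # unparseable: check by hand
    fixed = FIXED_BY_BRANCH.get(version[:3])
    if fixed is not None:
        # Conservative: anything below the branch's fixed build needs updating.
        return "fixed" if version >= fixed else "update"
    # Branch has no listed fix: old builds must move to a fixed release,
    # builds newer than the stated affected range need a manual vendor check.
    return "update" if version <= AFFECTED_CEILING else "review"

# Constructed inventory export; hostnames and column names are made up.
SAMPLE_INVENTORY = """host,component,version
pc-001,MR,9.4.7.1
pc-002,MR,9.4.7.3
pc-003,DA,9.3.3.4
pc-004,DA,9.2.1.0
mgmt-01,SERVER,9.4.7.1
pc-005,MR,unknown
"""

def hosts_to_update(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["host"] for r in rows
            if classify(r["component"], r["version"]) == "update"]
```

Installs classified as "review" have a version the listed builds do not cover and should be checked against the vendor advisory rather than assumed safe.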
“If managed endpoints with the client program (MR) or detection agent (DA) installed are deployed in environments that are accessible from external networks, the likelihood of attack attempts exploiting this vulnerability is expected to increase,” JPCERT/CC stated.
Windows servers exposed to the Internet, devices assigned a public/global IP address, and Lanscope Endpoint Manager servers with MR or DA installed are at elevated risk of compromise, the agency added.
JPCERT/CC has published a list of IP addresses used to send malicious packets as well as command-and-control IP addresses contacted by the attacker-installed backdoor.