Zero-Day Attack Exploits Lanscope Endpoint Manager Flaw

Summary
– CVE-2025-61932 is a zero-day vulnerability in Lanscope Endpoint Manager that has been actively exploited since April 2025, primarily targeting Japanese customers.
– The vulnerability affects the on-premises version of Lanscope Endpoint Manager and allows remote code execution via specially crafted packets sent to TCP port 443.
– Exploitation targets the client program (MR) and detection agent (DA) components in on-premise versions 9.4.7.1 and earlier, with fixed versions available for multiple release lines.
– The US CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation by federal agencies within three weeks.
– Systems at highest risk include Windows servers exposed to the internet, devices with public IP addresses, and Lanscope installations with MR or DA accessible from external networks.
A critical security flaw within Lanscope Endpoint Manager, identified as CVE-2025-61932, is currently being exploited in active zero-day attacks. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) issued an alert confirming these exploits have been occurring since April 2025. According to details provided by the software vendor, Motex Inc., the attacks have specifically targeted customers located in Japan.
The Lanscope Endpoint Manager sees substantial use within Japan, especially across its financial sector, though its adoption internationally appears much lower. Despite this limited global footprint, the US Cybersecurity and Infrastructure Security Agency (CISA) has officially listed the vulnerability in its Known Exploited Vulnerabilities catalog. This action mandates that all US federal civilian agencies apply the necessary patches within a three-week timeframe to protect their systems.
This particular vulnerability is an “improper verification of source of a communication channel” issue. It exclusively impacts the on-premises version of Lanscope Endpoint Manager; the cloud-based SaaS edition remains unaffected. Attackers can take advantage of the weakness by transmitting specially designed packets to TCP port 443 on systems that operate the vulnerable software components, specifically the client program (MR) and the detection agent (DA). These components are present in Lanscope Endpoint Manager On-Premise versions 9.4.7.1 and earlier. A successful exploit could permit an attacker to run arbitrary code on the compromised system.
Patches addressing CVE-2025-61932 are available in several updated versions, including 9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, and 9.3.2.7. Organizations are strongly advised to update all client computers running the affected software. The management server software does not require an update, as it is not vulnerable to this particular flaw.
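Because the fix is shipped per release line, an installed version has to be compared against the fixed version for its own line rather than against a single number. The following is an added example, not Motex or JPCERT/CC code, that turns the version list above into a small inventory audit: the inventory dictionary and host names are constructed, the version-string format is assumed to be four dot-separated integers as in the advisory, and any version at or below 9.4.7.1 on a line without a published fix is treated as needing an upgrade to a supported line.

```python
"""Audit Lanscope Endpoint Manager On-Premise client versions for CVE-2025-61932.

Added example: the inventory below is constructed. In a real deployment the
host -> version pairs would come from the asset inventory or the management
console; the management server itself is not affected and is not audited here.
"""
from __future__ import annotations

# Fixed versions listed for CVE-2025-61932, one per release line.
FIXED_VERSIONS = [
    "9.4.7.3", "9.4.6.3", "9.4.5.4", "9.4.4.6", "9.4.3.8",
    "9.4.2.6", "9.4.1.5", "9.4.0.5", "9.3.3.9", "9.3.2.7",
]

# Highest affected version named in the advisory ("9.4.7.1 and earlier").
LAST_AFFECTED = (9, 4, 7, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.7.1' into (9, 4, 7, 1); rejects anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Lanscope version string: {text!r}")
    return tuple(int(p) for p in parts)


# Release line (first three components) -> fixed version on that line.
FIXED_BY_LINE = {parse_version(v)[:3]: parse_version(v) for v in FIXED_VERSIONS}


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'outside_affected_range' for one version."""
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:3])
    if fixed is not None:
        # On a line with a published fix: anything below the fix needs the update
        # (conservative for intermediate builds the advisory does not name).
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_AFFECTED:
        # Affected range, but no fix on this line: upgrade to a listed line.
        return "vulnerable"
    # Newer than 9.4.7.1 and not on a listed line: not in the advisory's range.
    return "outside_affected_range"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to its classification; raises on malformed version strings."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ws-tokyo-01": "9.4.7.1",
    "ws-tokyo-02": "9.4.7.3",
    "srv-dmz-01": "9.4.6.2",
    "ws-osaka-07": "9.3.1.9",
    "ws-lab-03": "9.5.0.0",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as `vulnerable` on an internet-facing segment should be prioritised first, since the advisory's risk factors are exposure-driven; hosts on a release line with no listed fix have to move to one of the lines above rather than waiting for a point release.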
JPCERT/CC has highlighted that the risk of exploitation rises significantly for managed endpoints with the MR or DA components installed in environments reachable from external networks. Systems facing an increased threat include Windows servers accessible over the Internet, any devices assigned a public or global IP address, and Lanscope Endpoint Manager servers where the MR or DA software is present. To assist with detection and mitigation, JPCERT/CC has also released a list of IP addresses observed sending malicious packets, as well as the command-and-control servers contacted by a backdoor installed during these attacks.
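The two things JPCERT/CC points at, the published attacker source addresses and MR/DA hosts reachable from outside, can be checked against connection logs. The script below is an added example, not JPCERT/CC or Motex tooling: the log format, the sample lines, the internal address plan (RFC 1918 only) and the IoC set are all constructed, and the IoC entries are RFC 5737 documentation addresses standing in for the real list JPCERT/CC published. It flags any line whose source is on the IoC list, plus any allowed inbound connection to TCP/443 from an address outside the internal ranges, which is the exposure condition the advisory singles out.

```python
"""Scan connection-log lines for CVE-2025-61932 exposure and indicator hits.

Added example. Checks performed on each log line:
  1. source address on the IoC list (placeholder values here),
  2. ALLOWed connection to TCP/443 from outside the internal address plan,
     i.e. the MR/DA listener being reachable from an external network.
"""
from __future__ import annotations

import ipaddress
import re

# Placeholder IoC set: replace with the source-IP list published by JPCERT/CC.
# These are RFC 5737 documentation addresses, not real indicators.
KNOWN_BAD_SOURCES = {"203.0.113.10", "198.51.100.77"}

# Ranges treated as internal; everything else is "external" for the exposure
# check. Assumed to be plain RFC 1918 here; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<date> <time> <ACTION> TCP <src> <dst> <sport> <dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) TCP "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)$"
)

# Constructed sample lines: one IoC hit that was allowed, one internal client,
# one unknown external source reaching 443, one IoC hit that was dropped,
# and one internal connection to an unrelated port.
SAMPLE_LOG = """\
2025-04-12 03:14:07 ALLOW TCP 203.0.113.10 10.0.5.21 51234 443
2025-04-12 03:14:09 ALLOW TCP 10.0.5.40 10.0.5.21 49152 443
2025-04-12 03:15:00 ALLOW TCP 192.0.2.55 10.0.5.21 40000 443
2025-04-12 03:16:31 DROP TCP 198.51.100.77 10.0.5.22 60001 443
2025-04-12 03:17:02 ALLOW TCP 10.0.5.40 10.0.5.21 49153 8080
"""


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ev: dict) -> list[str]:
    """Return the list of reasons this event is interesting (empty if none)."""
    reasons = []
    if ev["src"] in KNOWN_BAD_SOURCES:
        # Worth noting even when dropped: it shows the host is being probed.
        reasons.append("ioc_match")
    if ev["action"] == "ALLOW" and ev["dport"] == 443 and is_external(ev["src"]):
        reasons.append("external_source_to_443")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append({"line": lineno, "src": ev["src"],
                             "dst": ev["dst"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['dst']}  {', '.join(f['reasons'])}")
```

A hit on `external_source_to_443` against a host running MR or DA is the exposure JPCERT/CC describes and is worth closing at the perimeter regardless of patch state; an `ioc_match` on an unpatched host is a reason to treat that host as potentially compromised and look for the backdoor's outbound command-and-control traffic, not just to patch it.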
(Source: HelpNet Security)
