Critical Zero-Day Vulnerability in Lanscope Endpoint Manager Exploited by Threat Actors
In mid-2025, cybersecurity researchers uncovered a sophisticated cyberattack campaign targeting organizations utilizing Motex’s Lanscope Endpoint Manager. The perpetrators, identified as the Chinese state-sponsored group BRONZE BUTLER (also known as Tick), exploited a previously unknown zero-day vulnerability, designated as CVE-2025-61932. This critical flaw allows remote attackers to execute arbitrary commands with SYSTEM privileges on affected systems.
This incident marks a continuation of BRONZE BUTLER’s focus on Japanese asset management software, following their exploitation of SKYSEA Client View in 2016. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) publicly disclosed the vulnerability on October 22, 2025, prompting immediate action from organizations worldwide.
Understanding CVE-2025-61932
CVE-2025-61932 is a critical vulnerability stemming from improper verification of the source of communication channels within Lanscope Endpoint Manager. This flaw enables unauthenticated remote code execution, allowing attackers to send specially crafted packets to vulnerable systems and gain control over them. The vulnerability affects the Client Program (MR) and Detection Agent (DA) components of Lanscope Endpoint Manager On-Premise versions 9.4.7.1 and earlier. The cloud-based edition remains unaffected.
Exploitation and Attack Methodology
Sophos researchers identified that attackers leveraged this zero-day vulnerability to gain initial access to vulnerable internet-facing Lanscope servers. Once inside, they employed a combination of malware families and legitimate tools to establish persistence and exfiltrate sensitive information.
The primary command and control mechanism used in this operation was the Gokcpdoor malware. The 2025 variant of Gokcpdoor represents a significant evolution from earlier versions, discontinuing support for the KCP protocol and implementing advanced multiplexing communication capabilities using third-party libraries.
To evade detection and complicate forensic analysis, the attackers deployed the OAED Loader malware, which injects payloads into legitimate executables based on embedded configurations. In some instances, they replaced Gokcpdoor with the Havoc command and control framework, demonstrating operational flexibility.
For data exfiltration and lateral movement, BRONZE BUTLER utilized legitimate tools such as goddi (Go dump domain info), remote desktop applications, and the 7-Zip archiving utility. They also leveraged cloud storage services, including io and LimeWire, accessed through web browsers during remote sessions to steal confidential organizational data.
Immediate Mitigation Steps
Given the active exploitation of CVE-2025-61932, it is imperative for organizations using Lanscope Endpoint Manager to take immediate action:
1. Update Affected Systems: Motex has released patches addressing this vulnerability in versions 9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, and 9.3.2.7. Organizations should upgrade all client PCs to one of these patched versions. The management server software is not affected and does not require an upgrade.
2. Monitor Network Traffic: Review network logs for any suspicious or unexpected inbound packets, particularly those targeting TCP port 443, which is associated with this vulnerability.
3. Restrict External Communications: Limit external communication channels to only trusted sources to reduce the risk of unauthorized access.
4. Stay Informed: Continuously monitor advisories from cybersecurity authorities such as JPCERT/CC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for updates and new vulnerabilities.
5. Implement Advanced Threat Detection: Utilize tools for vulnerability intelligence to track the latest CVEs and exploits, assess exposure across your infrastructure, and respond promptly to emerging threats.
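To make step 1 actionable across a fleet, the following added example (not Motex's or JPCERT/CC's tooling) triages installed On-Premise client versions against the patched releases listed above: a version is patched if it is at or above the fix published for its 9.x.y branch, vulnerable if it is in the affected range (9.4.7.1 and earlier) without such a fix, and reported as an error if it does not parse. The inventory lines and hostnames are constructed sample data, and the branch-to-fix mapping is this example's own reading of the advisory's list.

```python
from typing import Dict, Iterable, Tuple

# Patched releases published for CVE-2025-61932, keyed by release branch (from the advisory above).
PATCHED_VERSIONS = {
    "9.4.7": "9.4.7.3", "9.4.6": "9.4.6.3", "9.4.5": "9.4.5.4", "9.4.4": "9.4.4.6",
    "9.4.3": "9.4.3.8", "9.4.2": "9.4.2.6", "9.4.1": "9.4.1.5", "9.4.0": "9.4.0.5",
    "9.3.3": "9.3.3.9", "9.3.2": "9.3.2.7",
}
LATEST_AFFECTED = "9.4.7.1"  # advisory: 9.4.7.1 and earlier are affected

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.4.7.1' into (9, 4, 7, 1) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Lanscope version format: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version: str) -> str:
    """Classify one installed client version: 'patched', 'vulnerable' or 'not-affected'."""
    v = parse_version(version)
    fixed = PATCHED_VERSIONS.get(".".join(str(n) for n in v[:3]))
    if fixed is not None:
        # A fix exists in this branch; anything below it is still exposed.
        return "patched" if v >= parse_version(fixed) else "vulnerable"
    if v <= parse_version(LATEST_AFFECTED):
        # In the affected range with no listed fix for this branch: move to a patched branch.
        return "vulnerable"
    return "not-affected"

def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Each inventory line is 'hostname,version'; malformed versions are reported, not skipped."""
    result = {}
    for line in lines:
        host, _, ver = line.partition(",")
        try:
            result[host.strip()] = triage(ver)
        except ValueError as exc:
            result[host.strip()] = f"error: {exc}"
    return result

if __name__ == "__main__":
    SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
        "PC-ACCT-01,9.4.7.1", "PC-ACCT-02,9.4.7.3", "PC-LAB-07,9.3.1.4",
        "PC-HR-03,9.4.2.6", "PC-BAD,9.4",
    ]
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the hostname,version export from your asset inventory and act on every host not reported as patched.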
Conclusion
The exploitation of CVE-2025-61932 by BRONZE BUTLER underscores the persistent threat posed by state-sponsored cyber actors and the critical importance of timely vulnerability management. Organizations must remain vigilant, promptly apply security patches, and implement robust monitoring to safeguard against such sophisticated attacks.