A critical vulnerability in Motex Inc.'s Lanscope Endpoint Manager, tracked as CVE-2025-61932, has been actively exploited in the wild, prompting urgent attention from cybersecurity professionals. The flaw, which carries a CVSS score of 9.8, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on October 22, 2025, just two days after its disclosure. This rapid inclusion underscores the severity and active exploitation of the vulnerability.
CVE-2025-61932 affects the on-premises versions of Lanscope Endpoint Manager, specifically the Client program (MR) and Detection agent (DA). The vulnerability arises from improper verification of the origin of incoming requests, classified under CWE-940. This flaw allows attackers to execute arbitrary code by sending specially crafted packets, effectively compromising the affected systems.
The exploitation of this vulnerability was detected almost immediately after its disclosure, with a time-to-exploit in the wild of just 1.7 days. This swift exploitation highlights the critical nature of the vulnerability and the need for immediate defensive measures. The Exploit Prediction Scoring System (EPSS) for this vulnerability is relatively low at 0.014, indicating that while the likelihood of exploitation is not high, the impact of successful exploitation is severe.
Reports have emerged linking the exploitation of CVE-2025-61932 to the China-linked Tick Group, known for its targeted cyberattacks. This attribution suggests that the vulnerability is being leveraged in sophisticated campaigns, potentially aimed at specific high-value targets. The involvement of a known threat actor adds an additional layer of urgency for organizations using Lanscope Endpoint Manager to secure their systems.
Motex Inc. has been alerted to the vulnerability, and users of the Lanscope Endpoint Manager are advised to apply any available patches or mitigations immediately. The critical nature of this vulnerability, combined with its active exploitation, makes it imperative for organizations to prioritize patching and review their security postures.
Security teams should also monitor network traffic for unusual activity that could indicate exploitation attempts. Given the nature of the vulnerability, defenders should focus on detecting and blocking suspicious packets that could be crafted to exploit the flaw.
As the situation develops, organizations are encouraged to stay informed through official advisories and updates from Motex Inc. and cybersecurity authorities. The rapid exploitation of CVE-2025-61932 serves as a stark reminder of the importance of timely vulnerability management and the need for robust security measures to protect against emerging threats.
CSURFACE