Cybersecurity Threat Advisory: Critical vulnerability in Motex Lanscope

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932, a critical vulnerability in Motex Lanscope Endpoint Manager, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw, rated CVSS 9.8, allows unauthenticated remote attackers to execute arbitrary code on affected systems. Review the details in this Cybersecurity Threat Advisory to help secure your systems.

What is the threat?

CVE-2025-61932 is a critical remote code execution vulnerability in Motex Lanscope Endpoint Manager that allows unauthenticated attackers to run arbitrary commands on affected servers. The flaw stems from improper input validation in the web-based management interface, enabling attackers to send crafted HTTP requests that are executed with system-level privileges.

Attackers can easily find exposed Lanscope servers using tools like Shodan, then exploit the flaw to deploy malware, create admin accounts, or disable protections across managed devices. Because Lanscope often integrates with Active Directory and other enterprise systems, a compromise can lead to widespread lateral movement, credential theft, and persistent access. In some cases, attackers have used this vulnerability to deploy ransomware and exfiltrate sensitive data without needing valid credentials.

Why is it noteworthy?

This vulnerability is significant because it is actively exploited and impacts a widely used enterprise endpoint management product. Its unauthenticated nature drastically lowers the barrier to exploitation. Given Lanscope’s central role in endpoint administration, a successful attack can compromise an organization’s entire endpoint security posture, making this a high-priority threat requiring immediate remediation.

What is the exposure or risk?

If exploited, CVE-2025-61932 could grant attackers full administrative control over Lanscope Endpoint Manager and all connected endpoints. This could lead to widespread malware deployment, data theft, disabled protections, and use of compromised systems as launch points for further attacks. The risk is especially high for organizations with internet-exposed Lanscope servers, as exploitation can occur rapidly and without warning.

What are the recommendations?

Barracuda strongly recommends that organizations take these additional steps to defend their machines:

  • Apply Motex’s security patches immediately for all affected Lanscope Endpoint Manager versions.
  • Restrict access to the Lanscope web management interface to trusted internal networks only.
  • Implement network segmentation to isolate endpoint management systems from general user traffic.
  • Enable logging and monitoring for all Lanscope administrative actions to detect suspicious activity.
  • Conduct a compromise assessment to check for signs of exploitation, especially if the system was exposed prior to patching.

Reference

For more in-depth information about the threat, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
