CVE-2025-61932

LANSCOPE Endpoint Manager — Unauthenticated Remote Code Execution via Spoofed Communication Channel, Exploited by Chinese APT Bronze Butler
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is LANSCOPE Endpoint Manager?

LANSCOPE Endpoint Manager is an enterprise endpoint management and security platform developed by MOTEX Inc., a Japanese security software vendor headquartered in Tokyo. The product is the flagship offering in the LANSCOPE product family and is widely deployed across Japanese enterprises, particularly in the financial services, manufacturing, and government sectors.

LANSCOPE Endpoint Manager provides:

  • IT asset management — centralized discovery, inventory, and lifecycle tracking of Windows PCs, Macs, smartphones, and tablets across the organization
  • Operation log collection — records detailed logs of user activity on managed endpoints (file access, application usage, web browsing, device connections), used for insider threat detection and compliance auditing
  • Data loss prevention (DLP) — monitors and controls data movement to detect and prevent unauthorized exfiltration of sensitive information
  • Mobile Device Management (MDM) — enrollment and policy enforcement for iOS and Android devices
  • Security policy enforcement — enforces endpoint configuration standards, manages antivirus, and controls USB and peripheral device usage

The on-premises version of LANSCOPE Endpoint Manager uses a client-server architecture where a management server communicates with lightweight client agents (called the Client Program / MR) and detection agents (DA) installed on managed endpoints. This agent communication is the attack surface for CVE-2025-61932.

LANSCOPE Endpoint Manager's dominant market position in Japan — particularly among organizations that handle sensitive data and require detailed audit logging — makes it a high-value target for state-sponsored espionage actors seeking access to networks containing intellectual property, government communications, or sensitive business data.

Overview

LANSCOPE Endpoint Manager (on-premises) contains a vulnerability classified as improper verification of the source of a communication channel (CWE-940) in the client program (MR) and detection agent (DA) components. An unauthenticated remote attacker can send specially crafted packets to TCP port 443 on a system running the affected client software; the endpoint accepts the packets as if they originated from a legitimate LANSCOPE management server and can subsequently be made to execute arbitrary code.

CVE-2025-61932 was exploited as a zero-day by the Chinese state-sponsored threat group Bronze Butler (also known as Tick or REDBALDKNIGHT) for approximately six months before MOTEX disclosed the vulnerability. CISA added it to the KEV catalog on October 22, 2025 — the same day JPCERT/CC made the public disclosure — making this one of the fastest additions to the KEV catalog relative to disclosure date, and reflecting the confirmed and ongoing in-the-wild exploitation at the time of patching.

Affected Versions

Component                            Vulnerable Versions    Fixed Version
Client Program (MR) — On-Premises    9.4.7.1 and earlier    See fixed builds below
Detection Agent (DA) — On-Premises   9.4.7.1 and earlier    See fixed builds below

Fixed versions (patch to the appropriate build for your release branch):

Branch    Fixed Build
9.4.7.x   9.4.7.3
9.4.6.x   9.4.6.3
9.4.5.x   9.4.5.4
9.4.4.x   9.4.4.6
9.4.3.x   9.4.3.8
9.4.2.x   9.4.2.6
9.4.1.x   9.4.1.5
9.4.0.x   9.4.0.5
9.3.3.x   9.3.3.9
9.3.2.x   9.3.2.7

Note: The management server component is not affected by this vulnerability and does not require an update. Only the client-side agent components (MR and DA) installed on managed endpoints need to be patched.
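Because the fix lands in a different build on each release branch, "is this client patched?" is a per-branch comparison rather than a single version threshold. The following script is an added example (not MOTEX code or tooling) that maps an installed MR/DA build to its branch's fixed build from the table above and triages a constructed inventory. The inventory hostnames and builds are made up; the `unknown` status for builds newer than 9.4.7.1 on branches the advisory does not list is this example's assumption that such builds need vendor confirmation, not a statement from the advisory.

```python
"""Triage LANSCOPE Endpoint Manager client (MR/DA) build numbers against the
fixed builds listed in the CVE-2025-61932 advisory.

Added example; not MOTEX code. The inventory records below are constructed.
"""

# Fixed build per release branch, copied from the advisory's table.
FIXED_BUILDS = {
    "9.4.7": "9.4.7.3",
    "9.4.6": "9.4.6.3",
    "9.4.5": "9.4.5.4",
    "9.4.4": "9.4.4.6",
    "9.4.3": "9.4.3.8",
    "9.4.2": "9.4.2.6",
    "9.4.1": "9.4.1.5",
    "9.4.0": "9.4.0.5",
    "9.3.3": "9.3.3.9",
    "9.3.2": "9.3.2.7",
}

# Upper bound of the affected range stated in the advisory ("9.4.7.1 and earlier").
LAST_AFFECTED = (9, 4, 7, 1)


def parse_version(text):
    """'9.4.7.1' -> (9, 4, 7, 1). Raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components: {text!r}")
    return parts


def assess(version):
    """Classify one client build.

    Returns (status, fixed_build):
      'patched'    - build is at or above the fixed build for its branch
      'vulnerable' - build is below the fixed build for its branch, or on an
                     older branch with no listed fix (9.4.7.1 and earlier)
      'unknown'    - build newer than 9.4.7.1 on a branch the advisory does
                     not list (assumption: confirm against the vendor advisory)
    """
    v = parse_version(version)
    branch = ".".join(str(p) for p in v[:3])
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        return ("patched" if v >= parse_version(fixed) else "vulnerable", fixed)
    if v <= LAST_AFFECTED:
        return ("vulnerable", None)
    return ("unknown", None)


def triage_inventory(records):
    """records: iterable of (hostname, component, version).

    Returns (hostname, component, version, status, fixed_build) for every
    record that is not confirmed patched, vulnerable entries first, then
    unknown, then unparseable; ties are ordered by hostname."""
    findings = []
    for host, component, version in records:
        try:
            status, fixed = assess(version)
        except ValueError:
            status, fixed = "unparseable", None
        if status != "patched":
            findings.append((host, component, version, status, fixed))
    order = {"vulnerable": 0, "unknown": 1, "unparseable": 2}
    findings.sort(key=lambda f: (order[f[3]], f[0]))
    return findings


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("fin-ws-011", "MR", "9.4.7.1"),
    ("fin-ws-012", "MR", "9.4.7.3"),
    ("mfg-srv-02", "DA", "9.3.2.6"),
    ("mfg-srv-03", "DA", "9.3.2.7"),
    ("hq-ws-104", "MR", "9.2.1.0"),
    ("lab-ws-007", "MR", "9.4.8.0"),
]

if __name__ == "__main__":
    for host, comp, ver, status, fixed in triage_inventory(SAMPLE_INVENTORY):
        action = f"update to {fixed}" if fixed else "move to a supported branch / confirm with vendor"
        print(f"{host:12} {comp:3} {ver:9} {status:10} -> {action}")
```

Feed it the version column from your LANSCOPE asset inventory export; anything not reported as `patched` is a remediation item, and `unknown` rows are the ones to check against the vendor's current advisory rather than assume safe.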

Technical Details

CVE-2025-61932 is classified as CWE-940 (Improper Verification of Source of a Communication Channel). The vulnerability exists in the agent communication protocol used by LANSCOPE Endpoint Manager's client program and detection agent components.

The core flaw: The affected client components listen on TCP port 443 for instructions from the LANSCOPE management server. The protocol fails to adequately verify that incoming packets genuinely originate from a legitimate, authorized management server. An attacker on a network path to the endpoint can craft and send packets that impersonate the management server, causing the agent to accept and act on the malicious instructions — including executing arbitrary code.

Attack characteristics:

  • No authentication required — because the protocol never verifies who is sending the instructions, there is no credential or session for the attacker to bypass; the weakness is in source verification itself
  • Attack is delivered via specially crafted packets to TCP port 443
  • The agent components on managed endpoints are the vulnerable surface, not the central management server
  • Exploitation allows arbitrary code execution on the managed endpoint (the victim workstation or server), not the central server
  • Network-accessible from any host able to reach the target endpoint on TCP port 443

CWE-940 (Improper Verification of Source of a Communication Channel): The product establishes a communication channel to handle incoming requests but does not sufficiently verify that the source of those communications is the expected, legitimate party. This allows an attacker to impersonate the trusted communication source and inject malicious commands.

Gokcpdoor malware: In the confirmed Bronze Butler exploitation campaign, attackers delivered the Gokcpdoor backdoor payload following successful exploitation. The 2025 variant of Gokcpdoor represents an evolution from earlier versions used by Bronze Butler — it dropped support for the KCP transport protocol and instead implemented advanced multiplexing communication capabilities using third-party libraries for command-and-control, making network-level detection more difficult.

Discovery

Sophos conducted the primary threat research that attributed the exploitation campaign to Bronze Butler (Tick), published on October 30, 2025. Sophos documented the attack chain, the Gokcpdoor malware payload, and the targeting pattern focused on Japanese organizations. JPCERT/CC (Japan's national CERT) coordinated the public disclosure on October 22, 2025, in conjunction with MOTEX's advisory. The vulnerability was disclosed to MOTEX through responsible disclosure processes, though the precise timeline of when MOTEX first learned of the active exploitation is not publicly documented.

Exploitation Context

CVE-2025-61932 has a confirmed zero-day exploitation window beginning approximately April 2025 — roughly six months before public disclosure in October 2025. During this period, the Chinese state-sponsored APT group Bronze Butler (also tracked as Tick and REDBALDKNIGHT) exploited the vulnerability in targeted cyber-espionage campaigns against Japanese organizations.

Threat actor profile — Bronze Butler (Tick):

  • Active since at least 2010; consistently targets Japan
  • Previously exploited a zero-day in SKYSEA Client View (a competing Japanese IT asset management product) in 2016 — demonstrating a pattern of targeting Japan-specific enterprise software
  • Assessed as a Chinese government-affiliated group focused on intellectual property theft and strategic intelligence collection
  • Primary targets include Japanese defense contractors, manufacturing, technology, and critical infrastructure sectors

Campaign characteristics:

  • Attacks were highly targeted — focused on organizations using LANSCOPE Endpoint Manager in Japan
  • Bronze Butler used the CVE-2025-61932 foothold to deploy the Gokcpdoor backdoor for persistent remote access
  • The campaign involved theft of confidential data from compromised endpoints
  • The six-month zero-day window gave attackers extended undetected access to victim environments before the patch was available

The product's concentration among Japanese enterprises — and the LANSCOPE agent's privileged position on managed endpoints with access to operation logs, file access records, and sensitive business data — made it a strategically valuable exploitation target for an APT focused on intelligence collection.

Remediation

  1. Update all client program (MR) and detection agent (DA) instances immediately — apply the fixed build for your release branch (see Affected Versions table above); the management server does not require an update
  2. Prioritize endpoints holding sensitive data — given the espionage-focused nature of confirmed exploitation, endpoints accessing sensitive intellectual property, communications, or regulated data should be patched first
  3. Assume compromise for unpatched instances — given the approximately six-month zero-day exploitation window, treat any LANSCOPE Endpoint Manager client that was network-accessible during April–October 2025 as potentially compromised
  4. Hunt for Gokcpdoor indicators — review endpoints for indicators of compromise associated with the Gokcpdoor backdoor; consult Sophos's published threat research for specific indicators of compromise (IOCs), file hashes, and network signatures
  5. Audit network connections from managed endpoints — review firewall and endpoint logs for unusual outbound connections, particularly to unexpected external IPs on non-standard ports, which may indicate active C2 communication
  6. Restrict network access to the agent listener — while the agent must communicate with the management server, firewall rules should limit which hosts can reach TCP port 443 on managed endpoints; block access from internet-facing or untrusted network segments where possible
  7. Review operation logs from LANSCOPE — LANSCOPE's own logging capabilities may contain evidence of suspicious activity on compromised endpoints during the exploitation window; preserve these logs before remediation
  8. Coordinate with JPCERT/CC or a national CERT if you are a Japanese organization and suspect compromise — JPCERT/CC was involved in the coordinated disclosure and may have additional threat intelligence relevant to the campaign
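Step 6 above restricts which hosts may reach the agent listener; the following script is an added example (not MOTEX or CISA tooling) of the matching detection check, run over firewall log lines, for steps 5 and 6: it flags any TCP/443 flow to a managed endpoint whose source is not an authorised management server, and summarises how many endpoints each unexpected source touched. The key=value log format, the management server address, the endpoint subnets and every IP in the sample are constructed for this example; adapt the parser and the allowlist to your own firewall export and environment.

```python
"""Flag inbound connections to the LANSCOPE agent listener (TCP 443 on managed
endpoints) that did not come from an authorised management server.

Added example, not MOTEX or CISA tooling. Log format, addresses and subnets are
constructed for the example; adapt them to your firewall's export format and
your environment.
"""

import re
from ipaddress import ip_address, ip_network

# Assumed environment (constructed): the management server(s) allowed to reach
# agents, and the subnets where LANSCOPE-managed endpoints live.
MANAGEMENT_SERVERS = {ip_address("10.1.0.10")}
MANAGED_ENDPOINT_NETS = [ip_network("10.1.5.0/24"), ip_network("10.1.6.0/24")]
AGENT_PORT = 443

# Constructed key=value firewall export lines (timestamp, then fields).
SAMPLE_LOG = """\
2025-10-21T03:14:07Z action=allow proto=tcp src=10.1.0.10 spt=50211 dst=10.1.5.22 dpt=443
2025-10-21T03:14:09Z action=allow proto=tcp src=10.1.5.22 spt=49800 dst=10.1.0.10 dpt=443
2025-10-21T03:15:41Z action=allow proto=tcp src=10.1.9.77 spt=51234 dst=10.1.5.22 dpt=443
2025-10-21T03:15:42Z action=allow proto=tcp src=10.1.9.77 spt=51235 dst=10.1.5.23 dpt=443
2025-10-21T03:16:00Z action=deny proto=tcp src=203.0.113.5 spt=44100 dst=10.1.6.8 dpt=443
2025-10-21T03:16:30Z action=allow proto=tcp src=10.1.5.23 spt=52000 dst=10.1.6.8 dpt=445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def is_managed_endpoint(addr):
    return any(addr in net for net in MANAGED_ENDPOINT_NETS)


def find_unauthorised_agent_connections(log_text):
    """Return flows hitting TCP/443 on a managed endpoint from a source that is
    not a management server. Denied flows are reported too (they show probing
    of the listener); allowed flows are the ones needing incident response."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("proto") != "tcp" or f.get("dpt") != str(AGENT_PORT):
            continue
        try:
            src, dst = ip_address(f["src"]), ip_address(f["dst"])
        except (KeyError, ValueError):
            continue
        if not is_managed_endpoint(dst) or src in MANAGEMENT_SERVERS:
            continue
        hits.append({"ts": f["ts"], "src": str(src), "dst": str(dst), "action": f.get("action")})
    return hits


def summarise_by_source(hits):
    """Map each unexpected source to the sorted list of managed endpoints it
    reached on the agent port; one source fanning out to many endpoints is the
    pattern to escalate first."""
    summary = {}
    for h in hits:
        summary.setdefault(h["src"], set()).add(h["dst"])
    return {src: sorted(dsts) for src, dsts in summary.items()}


if __name__ == "__main__":
    hits = find_unauthorised_agent_connections(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['action']:5} {h['src']:>14} -> {h['dst']}:{AGENT_PORT}")
    for src, dsts in summarise_by_source(hits).items():
        print(f"{src}: {len(dsts)} managed endpoint(s) reached: {', '.join(dsts)}")
```

The allowlist must be accurate: if the management server has more than one address, or agents are reached through a relay, add those addresses or the check will raise false positives. The check works at the network layer only; since the flaw is in the agent's protocol-level source verification, an allowed internal host that is itself compromised would not be flagged, so this is a filter for triage, not proof of absence.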

Key Details

Property              Value
CVE ID                CVE-2025-61932
Vendor / Product      Motex — LANSCOPE Endpoint Manager
NVD Published         2025-10-20
NVD Last Modified     2025-10-23
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-940
CISA KEV Added        2025-10-22
CISA KEV Deadline     2025-11-12
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-11-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-04-01    Bronze Butler (Tick) begins exploiting CVE-2025-61932 as a zero-day against Japanese organizations — approximately six months before public disclosure
2025-10-20    MOTEX publishes security advisory disclosing the vulnerability and releasing patched versions of LANSCOPE Endpoint Manager
2025-10-20    CVE-2025-61932 published
2025-10-22    JPCERT/CC publicly discloses the vulnerability
2025-10-22    CISA adds CVE-2025-61932 to the Known Exploited Vulnerabilities catalog on the same day as JPCERT/CC disclosure — confirming active zero-day exploitation
2025-10-30    Sophos publishes detailed threat research attributing exploitation to Chinese APT Bronze Butler (Tick) and documenting the Gokcpdoor malware payload
2025-11-12    CISA BOD 22-01 remediation deadline