CVE-2025-61932

Motex LANSCOPE Endpoint Manager - Improper Verification of Communication Channel Source (CVE-2025-61932)

CVE-2025-61932 is an Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Motex LANSCOPE Endpoint Manager. This flaw allows an attacker to send commands or data through a communication channel without proper verification of the channel's origin, potentially enabling unauthorized control over managed endpoints. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may abuse this to impersonate the LANSCOPE management server and push malicious instructions to endpoint agents.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Motex
Product
LANSCOPE Endpoint Manager

Weakness (CWE)
CWE-940: Improper Verification of Source of a Communication Channel

Timeline

Disclosed
October 22, 2025

CVSS

Unscored
Write-up coming soon

What is CVE-2025-61932?

In MITRE ATT&CK terms, CVE-2025-61932 maps to the Initial Access, Lateral Movement and Impact tactics: the adversary is trying to get into the network, reach managed endpoints through the unverified management channel, and act on them.

This page provides detection logic for CVE-2025-61932 built on the telemetry the exploitation path touches: Microsoft Defender for Endpoint and the Microsoft Sentinel DeviceNetworkEvents table. The query shown below is the KQL version, rated high severity at medium confidence; the same logic is also shipped for six other platforms (SPL, Elastic, QRadar, Sumo, YARA-L, LogScale).

MITRE ATT&CK

Tactic
Initial Access, Lateral Movement, Impact
Microsoft Sentinel / Defender
kusto
// Sentinel's DeviceNetworkEvents uses TimeGenerated; in Defender Advanced Hunting substitute Timestamp.
// RemotePort is an int column, so the port list must hold ints, not strings.
let lanscope_ports = dynamic([8080, 8443, 443, 80]);
// Populate with your LANSCOPE management server and relay IPs before deploying.
// An empty list means every agent connection on these ports is reported.
// For subnet-based allow-listing use ipv4_is_in_any_range(RemoteIP, <ranges>) instead of `in`.
let known_mgmt_servers = dynamic([]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ("lanscope", "lsepagent", "lsep", "epagent")
| where RemotePort in (lanscope_ports)
| where isnotempty(RemoteIP)
| extend IsTrustedServer = RemoteIP in (known_mgmt_servers)
| where IsTrustedServer == false
| summarize ConnectionCount=count(), RemoteIPs=make_set(RemoteIP), Ports=make_set(RemotePort) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(TimeGenerated, 1h)
| extend AlertTitle = "LANSCOPE Agent Communicating with Unrecognized Management Server"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteIPs, Ports, ConnectionCount, AlertTitle

Detects LANSCOPE Endpoint Manager agent processes connecting on the expected management ports to servers that are not on the allow-list, which may indicate exploitation of CVE-2025-61932 where a rogue server impersonates legitimate LANSCOPE infrastructure. Two properties of the query matter for tuning: it keys on the initiating process name, so connections from any other process are never examined, and with `known_mgmt_servers` left empty every agent connection on the listed ports is reported, so the allow-list must be populated before the rule is given a severity.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint; Microsoft Sentinel (DeviceNetworkEvents)

Required Tables

DeviceNetworkEvents (queried above), DeviceProcessEvents

False Positives

  • New legitimate LANSCOPE management server IPs not yet added to the allow-list
  • Network topology changes causing agents to connect through new relay or proxy addresses
  • LANSCOPE version upgrades that temporarily change communication endpoints during rollout
  • NAT or load balancer changes presenting new external IPs for the same management infrastructure
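The allow-list logic of the query above, together with the tuning cases in the false-positive list, as an added example in Python that is not code from this page or from Motex. It re-implements the process filter, port filter, allow-list check and hourly bucketing over a handful of constructed DeviceNetworkEvents rows; the device names, process names, account names and IP addresses are assumptions invented for the example (10.10.5.20 plays the legitimate server, 10.10.5.21 a newly deployed relay, 192.0.2.100 the rogue server from Test 1).

```python
# Added example (not from the page or from Motex): the KQL allow-list check
# re-implemented over constructed DeviceNetworkEvents rows so the tuning
# points can be exercised offline. All names and addresses are assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Mirrors `InitiatingProcessFileName has_any (...)`; has_any is case-insensitive.
AGENT_NAME_FRAGMENTS = ("lanscope", "lsepagent", "lsep", "epagent")
# RemotePort is an int column, so the port set must hold ints, not strings.
LANSCOPE_PORTS = {8080, 8443, 443, 80}
ALERT_TITLE = "LANSCOPE Agent Communicating with Unrecognized Management Server"


def _ev(ts, device, proc, account, ip, port):
    return {"TimeGenerated": ts, "DeviceName": device,
            "InitiatingProcessFileName": proc, "InitiatingProcessAccountName": account,
            "RemoteIP": ip, "RemotePort": port}


# Constructed telemetry, not real logs.
EVENTS = [
    _ev("2025-10-23T09:02:11+00:00", "ws-0123", "LsepAgent.exe", "SYSTEM", "10.10.5.20", 8443),
    _ev("2025-10-23T09:05:40+00:00", "ws-0123", "LsepAgent.exe", "SYSTEM", "192.0.2.100", 8443),
    _ev("2025-10-23T09:06:02+00:00", "ws-0123", "LsepAgent.exe", "SYSTEM", "192.0.2.100", 8080),
    # Test 1 as described on this page comes from powershell.exe: the process
    # filter drops it, so that test exercises telemetry collection, not the rule.
    _ev("2025-10-23T09:07:30+00:00", "ws-0123", "powershell.exe", "alice", "192.0.2.100", 8443),
    _ev("2025-10-23T09:12:00+00:00", "ws-0456", "LsepAgent.exe", "SYSTEM", "10.10.5.21", 8443),
    _ev("2025-10-23T09:15:00+00:00", "ws-0456", "LsepAgent.exe", "SYSTEM", "10.10.5.20", 445),  # not a LANSCOPE port
    _ev("2025-10-23T09:20:00+00:00", "ws-0456", "LsepAgent.exe", "SYSTEM", "", 8443),           # fails isnotempty(RemoteIP)
]


def is_agent_process(name):
    n = name.lower()
    return any(frag in n for frag in AGENT_NAME_FRAGMENTS)


def parse_allow_list(entries):
    # Accepts single IPs ("10.10.5.20") or CIDR ranges ("10.10.5.0/24"); the KQL
    # equivalent of the range form is ipv4_is_in_any_range(RemoteIP, ranges).
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(ip, allow):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


def detect(events, allow_list, ports=LANSCOPE_PORTS):
    """One alert per (1h bin, device, process, account), like the summarize step."""
    allow = parse_allow_list(allow_list)
    buckets = defaultdict(lambda: {"ConnectionCount": 0, "RemoteIPs": set(), "Ports": set()})
    for ev in events:
        if not is_agent_process(ev["InitiatingProcessFileName"]):
            continue
        if ev["RemotePort"] not in ports or not ev["RemoteIP"]:
            continue
        if is_trusted(ev["RemoteIP"], allow):
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        hour_bin = ts.replace(minute=0, second=0, microsecond=0)  # bin(TimeGenerated, 1h)
        key = (hour_bin, ev["DeviceName"], ev["InitiatingProcessFileName"],
               ev["InitiatingProcessAccountName"])
        b = buckets[key]
        b["ConnectionCount"] += 1
        b["RemoteIPs"].add(ev["RemoteIP"])
        b["Ports"].add(ev["RemotePort"])
    alerts = []
    for (hour_bin, device, proc, account), b in sorted(buckets.items()):
        alerts.append({"TimeGenerated": hour_bin.isoformat(), "DeviceName": device,
                       "InitiatingProcessFileName": proc, "InitiatingProcessAccountName": account,
                       "RemoteIPs": sorted(b["RemoteIPs"]), "Ports": sorted(b["Ports"]),
                       "ConnectionCount": b["ConnectionCount"], "AlertTitle": ALERT_TITLE})
    return alerts


if __name__ == "__main__":
    cases = (("empty allow-list", []), ("exact server", ["10.10.5.20"]), ("whole subnet", ["10.10.5.0/24"]))
    for label, allow in cases:
        print(f"--- {label} ---")
        for a in detect(EVENTS, allow):
            print(a["DeviceName"], a["RemoteIPs"], a["Ports"], a["ConnectionCount"])
```

Running the three cases shows the tuning trade-off from the list above: with the allow-list empty the legitimate server is reported alongside the rogue one; allow-listing only the exact server still flags the new relay (the first false-positive case); allow-listing the management subnet suppresses the relay but would also hide a rogue server placed inside that subnet, so the range should be no wider than the infrastructure actually is.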

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-61932 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection consumes network-connection telemetry (Sysmon Event ID 3 and its EDR equivalents), so it targets the following logsource:

logsource:
  category: network_connection
  product: windows


Last updated: 2026-06-19 Research depth: standard

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that the query on this page keys on the LANSCOPE agent process name and reads only DeviceNetworkEvents, so Tests 1 to 3 as described confirm that the telemetry is collected; to see the rule itself fire, the outbound connection must originate from a process whose name matches the filter and go to an address outside the allow-list.

  1. Test 1: Simulate LANSCOPE Agent Connection to Rogue Management Server

    Expected signal: DeviceNetworkEvents showing an outbound connection to 192.0.2.100:8443 from powershell.exe; Sysmon Event ID 3 (network connection); Windows Firewall log entry for the outbound connection, whether blocked or allowed.

  2. Test 2: LANSCOPE Agent Configuration Tampering via Registry

    Expected signal: Sysmon Event ID 13 (registry value set) for keys under HKCU\SOFTWARE\TestLANSCOPE; Windows Security Event ID 4657 (registry value modified) if registry auditing is enabled; EDR registry-modification alert.

  3. Test 3: DNS Query to Suspicious LANSCOPE Management Domain

    Expected signal: DNS query logs showing a resolution attempt for test-mgmt.example-lab.local; a network connection attempt to port 8080; process execution logs showing the nslookup, dig or curl invocation; endpoint network telemetry from the EDR.

Unlock Pro Content

Get the full detection package for CVE-2025-61932 including response playbook, investigation guide, and atomic red team tests.

