CVE-2025-61932 Splunk · SPL

Detect Motex LANSCOPE Endpoint Manager - Improper Verification of Communication Channel Source (CVE-2025-61932) in Splunk

CVE-2025-61932 is an Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Motex LANSCOPE Endpoint Manager. The affected component accepts commands or data over its management channel without adequately verifying where that traffic originates, so a party that can reach the channel can deliver instructions that should only come from the legitimate management server, potentially gaining unauthorized control over managed endpoints. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, which means CISA has evidence of active exploitation in the wild. In practice, an attacker may impersonate the LANSCOPE management server and push malicious instructions to endpoint agents.

MITRE ATT&CK

Tactic
  • Initial Access
  • Lateral Movement
  • Impact

SPL Detection Query

Splunk (SPL)

```spl
index=endpoint OR index=network sourcetype IN ("WinEventLog:Security", "xmlwineventlog", "sysmon", "crowdstrike:events:sensor")
| eval process_name=coalesce(process_name, Image)
| eval process_lower=lower(process_name)
| where like(process_lower, "%lanscope%") OR like(process_lower, "%lsep%") OR like(process_lower, "%epagent%")
| eval dest_port=coalesce(dest_port, DestinationPort)
| eval dest_ip=coalesce(dest_ip, DestinationIp, dest)
| where dest_port IN ("80", "443", "8080", "8443")
| bin _time span=1h
| stats count as connection_count, values(dest_ip) as dest_ips, values(dest_port) as dest_ports, dc(dest_ip) as unique_dest_ips by _time, host, process_name, user
| eval risk_level=case(unique_dest_ips > 5, "high", unique_dest_ips > 2, "medium", true(), "low")
| table _time, host, user, process_name, dest_ips, dest_ports, connection_count, unique_dest_ips, risk_level
| sort -connection_count
```

Severity: high · Confidence: medium

Identifies LANSCOPE agent processes making outbound connections on common web ports, aggregates them per host, process and user over a time window, and ranks each group by the number of distinct destinations; many or unexpected destinations may represent rogue management servers exploiting CVE-2025-61932. Raw Sysmon events carry the process path in Image rather than process_name, which is why the query coalesces the two before filtering. The query only sees connections initiated by the agent process itself; connections initiated toward the endpoint are not covered and need separate network telemetry.

Data Sources

  • Windows Event Logs
  • Sysmon
  • CrowdStrike Falcon
  • Endpoint Detection Products

Required Sourcetypes

  • WinEventLog:Security
  • xmlwineventlog
  • sysmon
  • crowdstrike:events:sensor

False Positives & Tuning

  • Legitimate multi-site LANSCOPE deployments with multiple management servers across regions
  • LANSCOPE agents communicating with update servers or cloud telemetry endpoints
  • Proxy or gateway infrastructure presenting varied destination IPs for the same logical server
  • Lab or test environments with non-standard LANSCOPE configurations
  • Tuning: maintain a lookup of known-good LANSCOPE management server addresses and exclude them before counting distinct destinations, so the distinct-destination tiers reflect only unexpected servers
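To make the detection logic and the allowlist tuning concrete, here is a Python re-implementation of the SPL query run over constructed sample events. This is an added example for illustration, not code from the original page, from Motex, or from Splunk. Field names mirror the query (process_name/Image, dest_ip/DestinationIp/dest, dest_port/DestinationPort); the agent path, host names, addresses and the allowlist in the sample data are invented.

```python
"""Python analogue of the SPL detection, applied to constructed sample events.
Added example, not code from the original page, Motex or Splunk. Field names
mirror the SPL query; the agent path, hosts, addresses and allowlist are invented."""
from collections import defaultdict

AGENT_PATTERNS = ("lanscope", "lsep", "epagent")  # substrings from the SPL like() filters
WATCHED_PORTS = {"80", "443", "8080", "8443"}      # ports from the SPL where clause
BUCKET_SECONDS = 3600                              # 1-hour window, like "bin _time span=1h"


def first_present(event, *names):
    """Analogue of SPL coalesce(): first listed field that exists and is non-empty."""
    for name in names:
        value = event.get(name)
        if value not in (None, ""):
            return str(value)
    return None


def risk_level(unique_dest_ips):
    """Same tiers as the query's case() expression."""
    if unique_dest_ips > 5:
        return "high"
    if unique_dest_ips > 2:
        return "medium"
    return "low"


def detect(events, known_servers=frozenset()):
    """Group agent connections per (hour bucket, host, process, user) and count
    distinct destinations, skipping any destination on the known-management-server
    allowlist (the tuning step above). Findings are sorted by connection_count
    descending, matching the SPL table/sort."""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "ports": set()})
    for ev in events:
        process = first_present(ev, "process_name", "Image")
        if process is None or not any(p in process.lower() for p in AGENT_PATTERNS):
            continue                                   # not a LANSCOPE agent process
        port = first_present(ev, "dest_port", "DestinationPort")
        dest = first_present(ev, "dest_ip", "DestinationIp", "dest")
        if port not in WATCHED_PORTS or dest is None:
            continue                                   # outside the watched web ports
        if dest in known_servers:
            continue                                   # legitimate management server
        bucket = ev["_time"] - (ev["_time"] % BUCKET_SECONDS)
        group = groups[(bucket, ev["host"], process, ev.get("user"))]
        group["count"] += 1
        group["dests"].add(dest)
        group["ports"].add(port)

    findings = []
    for (bucket, host, process, user), g in groups.items():
        findings.append({
            "_time": bucket,
            "host": host,
            "user": user,
            "process_name": process,
            "dest_ips": sorted(g["dests"]),
            "dest_ports": sorted(g["ports"]),
            "connection_count": g["count"],
            "unique_dest_ips": len(g["dests"]),
            "risk_level": risk_level(len(g["dests"])),
        })
    findings.sort(key=lambda f: -f["connection_count"])
    return findings


# Constructed sample telemetry (not real logs). T0 is an arbitrary epoch second.
T0 = 1_700_000_000
AGENT = r"C:\Program Files\LANSCOPE\lsepagent.exe"   # hypothetical agent path
SAMPLE_EVENTS = [
    # Sysmon-style fields: two beacons to the legitimate management server
    {"_time": T0 + 10, "host": "WS01", "user": "SYSTEM", "Image": AGENT,
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
    {"_time": T0 + 70, "host": "WS01", "user": "SYSTEM", "Image": AGENT,
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
    # CIM-style fields: agent on WS02 reaching three unknown servers within an hour
    {"_time": T0 + 5, "host": "WS02", "user": "SYSTEM", "process_name": "lsepagent.exe",
     "dest_ip": "198.51.100.7", "dest_port": "8443"},
    {"_time": T0 + 65, "host": "WS02", "user": "SYSTEM", "process_name": "lsepagent.exe",
     "dest_ip": "198.51.100.8", "dest_port": "8443"},
    {"_time": T0 + 125, "host": "WS02", "user": "SYSTEM", "process_name": "lsepagent.exe",
     "dest_ip": "198.51.100.9", "dest_port": "443"},
    # Non-agent process: excluded by the process-name filter even on a watched port
    {"_time": T0 + 130, "host": "WS02", "user": "alice", "process_name": "powershell.exe",
     "dest_ip": "192.0.2.100", "dest_port": "8443"},
    # Same agent two hours later: lands in a separate time bucket
    {"_time": T0 + 7200, "host": "WS02", "user": "SYSTEM", "process_name": "lsepagent.exe",
     "dest_ip": "198.51.100.7", "dest_port": "8443"},
    # Agent connection on a non-web port: excluded by the port filter
    {"_time": T0 + 20, "host": "WS03", "user": "SYSTEM", "process_name": "lsepagent.exe",
     "dest_ip": "203.0.113.4", "dest_port": "22"},
]
KNOWN_MANAGEMENT_SERVERS = frozenset({"10.0.0.5"})   # hypothetical allowlist lookup

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_MANAGEMENT_SERVERS):
        print(finding)
```

With the allowlist applied, the WS01 beacons to the known server disappear and only the WS02 agent groups remain: three distinct unknown destinations in one hour (medium) and a single connection in a later hour (low). Running `detect(SAMPLE_EVENTS)` without the allowlist shows why the tuning matters: the legitimate server traffic surfaces as a third, low-level finding that would add noise in a large fleet.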

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that none of the three runs the LANSCOPE agent binary itself: Test 1 connects from powershell.exe, Test 2 writes registry values, and Test 3 resolves a name with nslookup/dig/curl. They confirm that network, registry and DNS telemetry is arriving, but the SPL query's process-name filter will not match any of them, so to confirm the query itself fires you also need a connection event whose process name matches the agent filter (or temporarily widen the filter against a test index). Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate LANSCOPE Agent Connection to Rogue Management Server

    Expected signal: DeviceNetworkEvents showing outbound connection to 192.0.2.100:8443 from powershell.exe; Sysmon Event ID 3 network connection; Windows Firewall log entry for outbound blocked/allowed connection

  2. Test 2: LANSCOPE Agent Configuration Tampering via Registry

    Expected signal: Sysmon Event ID 13 (Registry value set) for HKCU\SOFTWARE\TestLANSCOPE keys; Windows Security Event ID 4657 (registry value modified) if audit registry is enabled; EDR registry modification alert

  3. Test 3: DNS Query to Suspicious LANSCOPE Management Domain

    Expected signal: DNS query logs showing resolution attempt for test-mgmt.example-lab.local; network connection attempt to port 8080; process execution logs showing nslookup/dig/curl invocation; endpoint network telemetry from EDR
