CVE-2025-61932 Sumo Logic CSE · Sumo

Detect Motex LANSCOPE Endpoint Manager - Improper Verification of Communication Channel Source (CVE-2025-61932) in Sumo Logic CSE

CVE-2025-61932 is an Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Motex LANSCOPE Endpoint Manager. This flaw allows an attacker to send commands or data through a communication channel without proper verification of the channel's origin, potentially enabling unauthorized control over managed endpoints. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may abuse this to impersonate the LANSCOPE management server and push malicious instructions to endpoint agents.

MITRE ATT&CK

Tactic
Initial Access Lateral Movement Impact

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint OR _sourceCategory=windows/sysmon
| where (toLowerCase(%"process_name") matches "*lanscope*" or toLowerCase(%"process_name") matches "*lsepagent*" or toLowerCase(%"process_name") matches "*epagent*")
| where %"dest_port" in ("80", "443", "8080", "8443")
| timeslice 1h
| count as connection_count, values(%"dest_ip") as destination_ips by _timeslice, %"host", %"user", %"process_name"
| where connection_count > 0
| fields _timeslice, %"host", %"user", %"process_name", destination_ips, connection_count
| sort by connection_count desc
high severity medium confidence

Sumo Logic query detecting LANSCOPE agent network communication for anomaly investigation related to CVE-2025-61932, where agents may receive commands from unauthorized sources.

Data Sources

Sumo Logic Endpoint CollectionWindows Event Logs via Installed CollectorSysmon

Required Tables

endpointwindows/sysmon

False Positives & Tuning

  • Expected LANSCOPE management traffic that has not been baselined in the environment
  • Cloud-hosted LANSCOPE management server deployments with variable IP addresses
  • Collector configuration issues causing incorrect process name field mapping
  • Agents performing scheduled check-ins or telemetry uploads to vendor infrastructure

Other platforms for CVE-2025-61932

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate LANSCOPE Agent Connection to Rogue Management Server

    Expected signal: DeviceNetworkEvents showing outbound connection to 192.0.2.100:8443 from powershell.exe; Sysmon Event ID 3 network connection; Windows Firewall log entry for outbound blocked/allowed connection

  2. Test 2LANSCOPE Agent Configuration Tampering via Registry

    Expected signal: Sysmon Event ID 13 (Registry value set) for HKCU\SOFTWARE\TestLANSCOPE keys; Windows Security Event ID 4657 (registry value modified) if audit registry is enabled; EDR registry modification alert

  3. Test 3DNS Query to Suspicious LANSCOPE Management Domain

    Expected signal: DNS query logs showing resolution attempt for test-mgmt.example-lab.local; network connection attempt to port 8080; process execution logs showing nslookup/dig/curl invocation; endpoint network telemetry from EDR

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-61932 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0008Lateral MovementTA0040Impact

Related Techniques

T1199Trusted RelationshipT1219Remote Access ToolsT1565Data Manipulation

Same Tactic: Initial Access

Popular Detections