LANSCOPE

A critical remote code execution (RCE) vulnerability (CVE-2025-61932, CVSS 9.8) was discovered in LANSCOPE Endpoint Manager (On-Premise Edition, v9.4.7.1 and earlier), affecting both the Client Program (MR) and the Detection Agent (DA). The flaw allows unauthenticated attackers to execute arbitrary commands with high privileges by sending crafted network packets to a host running the vulnerable agent; no user interaction is required (no clicks or opened emails). Evidence confirms active exploitation in real-world attacks, with malicious packets already delivered to customer networks. The vulnerability poses an immediate risk to organizations using the on-premise solution, since it gives attackers direct control over endpoints without the user noticing. While the Cloud Edition is unaffected, every on-premise deployment must apply the emergency patch to prevent compromise. Unpatched systems are exposed to full takeover, enabling attackers to deploy malware, steal data, or pivot deeper into the network. Administrators are urged to roll out the update immediately and to monitor for suspicious traffic directed at the vulnerable agents. The flaw's severity is amplified by its ease of exploitation and the high-value access it provides to corporate environments.

Source: https://cyberpress.org/lanscope-endpoint-manager-vulnerability/

TPRM report: https://www.rankiteo.com/company/taiwantelogy

"id": "tai1192311102125",
"linkid": "taiwantelogy",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'name': 'Organizations using LANSCOPE Endpoint Manager '
                                'On-Premise Edition',
                        'type': ['Enterprise', 'Government', 'SMB']}],
 'attack_vector': ['Network-based', 'Specially crafted packets'],
 'customer_advisories': ['Customers using on-premise LANSCOPE Endpoint Manager '
                         'advised to contact their IT administrators to '
                         'confirm patch application',
                         'No action required for Cloud Edition users'],
 'description': 'A critical remote code execution vulnerability '
                '(CVE-2025-61932) has been discovered in the on-premise '
                'edition of LANSCOPE Endpoint Manager, allowing '
                'unauthenticated attackers to run arbitrary commands with high '
                'privileges on affected systems. The flaw impacts both the '
                'Client Program (MR) and the Detection Agent (DA) in version '
                '9.4.7.1 and earlier. Real-world exploit attempts have already '
                'been observed, making prompt patching imperative. The '
                'vulnerability is triggered by specially crafted network '
                'packets sent to computers running the vulnerable software, '
                'bypassing all user interaction requirements (no clicks or '
                'email openings needed). Evidence indicates malicious packets '
                'exploiting this weakness have been delivered to customer '
                'networks in live environments. Only the on-premise edition is '
                'affected; the Cloud Edition remains unaffected. A security '
                'update is now available, and administrators are advised to '
                'patch immediately and monitor networks for unusual incoming '
                'packets targeting these agents.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
                                        'exploitation of critical '
                                        'vulnerability'],
            'operational_impact': ['High risk of unauthorized code execution '
                                   'with elevated privileges',
                                   'Potential lateral movement within '
                                   'networks'],
            'systems_affected': ['On-premise endpoints running LANSCOPE '
                                 'Endpoint Manager (MR and DA components)']},
 'initial_access_broker': {'entry_point': ['Network packets targeting '
                                           'vulnerable MR/DA agents']},
 'investigation_status': 'Ongoing (real-world exploits observed; patch '
                         'available)',
 'lessons_learned': ['Critical vulnerabilities in endpoint management software '
                     'pose severe risks due to high privilege levels',
                     'On-premise solutions require immediate patching to '
                     'prevent exploitation',
                     'Network monitoring is essential to detect exploitation '
                     'attempts of client-side vulnerabilities'],
 'post_incident_analysis': {'corrective_actions': ['Released security patch '
                                                   'addressing the '
                                                   'vulnerability',
                                                   'Advisory issued for '
                                                   'immediate patching and '
                                                   'network monitoring'],
                            'root_causes': ['Vulnerability in client-side '
                                            'software (MR and DA components) '
                                            'allowing unauthenticated RCE',
                                            'Lack of input validation for '
                                            'network packets']},
 'recommendations': ['Patch all on-premise LANSCOPE Endpoint Manager '
                     'installations (MR and DA components) immediately using '
                     'the provided security update',
                     'Monitor network traffic for malicious packets targeting '
                     'LANSCOPE agents, especially on ports used by MR/DA '
                     'components',
                     'Prioritize updates for systems with high-value data or '
                     'critical operational roles',
                     'Review and update incident response plans to include '
                     'rapid patching procedures for client-side endpoint '
                     'management vulnerabilities',
                     'Consider network segmentation to limit lateral movement '
                     'in case of exploitation',
                     'Evaluate the feasibility of migrating to the Cloud '
                     'Edition, which is unaffected by this vulnerability'],
 'references': [{'source': 'LANSCOPE Support Portal (Security Update)'},
                {'source': 'CVE Details for CVE-2025-61932'}],
 'response': {'containment_measures': ['Immediate patching of all on-premise '
                                       'endpoints',
                                       'Network monitoring for malicious '
                                       'packets targeting MR/DA agents'],
              'enhanced_monitoring': ['Monitor networks for unusual incoming '
                                      'packets targeting LANSCOPE agents'],
              'remediation_measures': ['Apply security update from LANSCOPE '
                                       'support portal',
                                       'Follow standard software upgrade '
                                       'procedure for MR client and DA agent']},
 'stakeholder_advisories': ['Administrators urged to apply patches immediately',
                            'Network teams advised to monitor for exploitation '
                            'attempts'],
 'title': 'Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint '
          'Manager (CVE-2025-61932)',
 'type': ['Vulnerability',
          'Remote Code Execution (RCE)',
          'Privilege Escalation'],
 'vulnerability_exploited': {'affected_components': ['Client Program (MR)',
                                                     'Detection Agent (DA)'],
                             'affected_product': 'LANSCOPE Endpoint Manager '
                                                 'On-Premise Edition',
                             'affected_versions': ['9.4.7.1 and earlier'],
                             'cve_id': 'CVE-2025-61932',
                             'cvss_score': {'score': 9.8,
                                            'severity': 'Critical',
                                            'version': '3.0'},
                             'exploit_status': ['Publicly disclosed',
                                                'Real-world exploits observed'],
                             'impact': {'availability': 'High',
                                        'confidentiality': 'High',
                                        'integrity': 'High'},
                             'privileges_required': 'None (unauthenticated)'}}