A Chinese state-sponsored threat group, BRONZE BUTLER, has been exploiting a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager to target Japanese organizations and steal sensitive data. The flaw, identified as CVE-2025-61932, allows remote attackers to execute arbitrary code with SYSTEM privileges and affects LANSCOPE Endpoint Manager version 9.4.7.1 and earlier. Exploitation attempts began in April 2025, with the U.S. Cybersecurity and Infrastructure Security Agency adding the vulnerability to its Known Exploited Vulnerabilities Catalog in October 2025. Although the number of vulnerable devices is low, compromised systems could enable privilege escalation and lateral movement within networks. BRONZE BUTLER used Gokcpdoor, a sophisticated backdoor malware, and other tools for data exfiltration, demonstrating advanced operational security and targeting methods. Organizations with internet-facing LANSCOPE installations are urged to review their exposure, apply security updates, and monitor for connections to known command-and-control infrastructure.

