Chinese Hackers Hit Japan With Lanscope Zero-Day

According to Dark Reading, the Chinese advanced persistent threat group Bronze Butler exploited a zero-day vulnerability in Japan’s Lanscope endpoint management software from at least April 2025 until its disclosure on October 20. The critical vulnerability, CVE-2025-61932, scored 9.8 out of 10 on the CVSS scale and affected Lanscope’s on-premises deployments, which are used by one in four listed companies and one in three financial institutions in Japan. Sophos researchers identified only 50-160 internet-exposed Lanscope servers during their investigation. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on October 22, while JPCERT/CC warned that Japanese organizations had been compromised since spring. Bronze Butler used the access to deploy Gokcpdoor backdoors and the Havoc C2 framework and to steal undisclosed information from victims.

Why this matters

Here’s the thing about endpoint management platforms like Lanscope: they’re basically the keys to the kingdom. These systems need deep, privileged access to every endpoint they manage in order to do their job, so whoever compromises the platform inherits that same privileged access. And that’s exactly what happened here. The vulnerability was a perfect storm of missing security checks: no request verification, no barrier to code execution, and no privilege checks. Basically, attackers could walk right in and do whatever they wanted.

China-Japan cyber dynamics

This isn’t Bronze Butler’s first rodeo in Japan. The group has been active since at least 2010 and previously exploited another Japanese asset-management product back in 2016. According to Sophos research, Japan faces unique cyber threats shaped by regional geopolitics, with Chinese and North Korean state actors specifically targeting government agencies, defense contractors, and technology companies. It’s part of a broader pattern of intellectual property theft and espionage that has been going on for years. The fact that they’re hitting specialized local software shows how targeted these campaigns really are.

The response and lingering risks

The good news is that Motex has released a patch, and the cloud version of Lanscope wasn’t affected. CISA’s KEV catalog addition and JPCERT/CC’s warnings mean organizations are getting the message to patch. But here’s what worries me: we’re talking about six months of undetected exploitation before anyone noticed. That’s plenty of time for data exfiltration and for establishing persistent access. And the attackers used some clever techniques, including legitimate tools like 7-Zip and even LimeWire for data movement, which are far less likely to trip alerts than custom malware. When critical infrastructure systems rely on specialized management platforms, the stakes get incredibly high.

Broader implications

So what does this tell us about the state of cybersecurity? First, nation-state actors are getting really good at finding and exploiting vulnerabilities in highly specific, locally popular software. They’re not just going after Microsoft or Adobe anymore. Second, the six-month exploitation window suggests we need better detection capabilities. And finally, when you’ve got software that’s deeply embedded in a country’s critical infrastructure, the security bar needs to be set much higher. This could have been much worse, and next time we might not be so lucky.