Saved February 14, 2026
Chinese hackers known as Bronze Butler exploited a critical vulnerability in Motex Lanscope Endpoint Manager to deploy their Gokcpdoor malware. This flaw, CVE-2025-61932, allowed them to execute arbitrary code on affected systems, leading to data theft. Organizations are urged to patch the vulnerability as no workarounds exist.
China-linked hackers known as Bronze Butler have exploited a critical vulnerability in the Motex Lanscope Endpoint Manager, identified as CVE-2025-61932. This flaw allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges, affecting versions 9.4.7.2 and earlier. Sophos researchers discovered that the attackers have been using this zero-day exploit since mid-2025 to deploy an updated version of their Gokcpdoor malware, which establishes a proxy connection to the hackers' command-and-control infrastructure.
Motex released patches for this vulnerability on October 20, 2025, and the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61932 to its Known Exploited Vulnerabilities catalog, advising federal agencies to apply these patches by November 12, 2025. The exploitation of this flaw had been ongoing for several months before it was publicly acknowledged. Sophos notes that the latest Gokcpdoor variant has dropped support for the KCP protocol and includes enhanced C2 communication features.
In addition to Gokcpdoor, Bronze Butler utilized various tools for data exfiltration, including the goddi Active Directory dumper and Remote Desktop, along with the 7-Zip archiver. The attackers likely used cloud storage services for exfiltration, with noted access to io, LimeWire, and Piping Server. Organizations using Lanscope Endpoint Manager must upgrade to versions that address this vulnerability, as there are no workarounds available. Patching is the only recommended action to mitigate the risks associated with this exploit.