China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems (CVSS: 9.3, Critical)

Information

   Lanscope Endpoint Manager is a tool for managing and controlling the computers and servers in a network. It regulates device access, monitors employee activity, and keeps installed software under organized control, helping organizations maintain IT security and operational efficiency. However, because Lanscope is the central platform for device management, it is also a single point of risk: if a flaw exists, attackers can gain direct access to sensitive data or interfere with system operations.

Incident

  A China-linked hacker group known as Tick Group exploited a zero-day vulnerability in Lanscope Endpoint Manager (tracked as CVE-2025-61932) to gain control over corporate systems across Asia. This high-severity vulnerability allows attackers to execute commands with system-level privileges without authentication. The flaw exists in the agent and client components of Lanscope, the software organizations use to manage and control networked computers. After compromising systems, Tick Group deployed a backdoor called Gokcpdoor to maintain persistent access to the attackers' command-and-control servers. They also used DLL side-loading and deployed additional tools, including OAED Loader, Havoc, Remote Desktop tunnels, and 7-Zip, to move laterally within networks, exfiltrate sensitive data, and evade security controls. The impact of this incident is severe: organizations running vulnerable versions of Lanscope are directly at risk. Attackers can access critical systems, steal confidential information, or rapidly spread malware to other devices within the organization.

Advice

(Because zero-day vulnerabilities are not publicly known before they are exploited, protection is difficult.)

  - Apply patches immediately.

  - Monitor systems and devices: detect abnormal behavior and malware.

  - Deploy monitoring systems: use SIEM/EDR to detect suspicious activities.

  - Back up data and prepare an incident response plan.

  - Restrict user privileges.

The important thing is the security of your systems: stay vigilant and keep monitoring as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)

Reference

  - https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html

  - https://cvemate.com/vulnerability/CVE-2025-61932

  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-lanscope-endpoint-manager-flaw-exploited-in-attacks/

  - https://www.cybersecurity-help.cz/vulnerabilities/117389/

Weekly Interesting CVE

Each entry lists: No., CVE name, published date, last update, device/application/OS target, attack type, CVSS severity rating, detail, solution, and reference.

1. CVE-2025-59295
   Published: 14/10/2025 | Last update: 17/10/2025
   Target: Windows Server 2008 R2, 2012 R2, 2016, 2019, 2022, 2025; Windows 10 Version 1607, 1809, 21H2, 22H2; Windows 11 Version 22H2, 23H2, 24H2, 25H2. For other versions, please refer to the reference link for details.
   Attack type: Heap-Based Overflow
   CVSS: 8.8
   Detail: Heap-based buffer overflow in Internet Explorer allows an unauthorized attacker to execute code over a network.
   Solution: Update to the latest patch version according to the affected products. For more details, please refer to the provided link.
   Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59295

2. CVE-2025-49552
   Published: 14/10/2025 | Last update: 17/10/2025
   Target: Adobe Connect versions 12.9 and earlier
   Attack type: Cross-Site Scripting
   CVSS: 8.1
   Detail: Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction.
   Solution: Update to version 12.10.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-49552

3. CVE-2025-54263
   Published: 14/10/2025 | Last update: 16/10/2025
   Target: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier
   Attack type: Incorrect Authorization
   CVSS: 8.1
   Detail: Adobe Commerce is affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.
   Solution: Adobe recommends updating to the latest available version that includes the fix.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-54263

4. CVE-2025-8486
   Published: 15/10/2025 | Last update: 16/10/2025
   Target: Lenovo PC Manager versions 2.6.40.3154, 2.8.90.11211, 5.1.80.9023, 5.1.110.5082 and 5.1.120.7041
   Attack type: Unnecessary Privileges
   CVSS: 8.5
   Detail: A potential vulnerability was reported in Lenovo PC Manager that could allow a local authenticated user to execute code with elevated privileges.
   Solution: Upgrade to version 5.1.140.9262.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8486

5. CVE-2025-20710
   Published: 14/10/2025 | Last update: 16/10/2025
   Target: MediaTek chipsets MT6890, MT7915, MT7916, MT7981, MT7986
   Attack type: Integer Overflow
   CVSS: 6.3
   Detail: In the wlan AP driver, there is a possible out-of-bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
   Solution: Update to Patch ID WCNCR00418785.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-20710


Malware News or Campaign IOC/IOA | EN

Each entry lists: No., campaign name, detection date, attack type, description, and mitigation/remediation.

1. New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea
   Detection date: 03/11/2025
   Attack type: Spear-Phishing, Dropper/Loader
   Description: The Kimsuky group has launched a phishing campaign targeting users in South Korea. The attack uses an attached fake ZIP file named to resemble a "VPN invoice" (or similar). When the contained SCR file is opened, it installs the HttpTroy backdoor.
   Key technical details:
   - Multi-layered structure: the malware uses a complex, multi-stage chain (dropper → loader → backdoor).
   - Evasion technique: it impersonates an AhnLab process (AhnLab is a well-known South Korean security software vendor) to avoid detection.
   - HttpTroy capabilities: remote command and control (C2); uploading/downloading files, capturing screenshots, and executing privileged commands; opening a reverse shell and performing file cleanup to remove traces of the attack; advanced obfuscation techniques (API hashing, dynamic API loading, XOR string encoding) to evade detection.
   - Targets: the campaign primarily targets organizations and individuals in South Korea, particularly those who use VPNs and external connection systems.
   Mitigation/Remediation:
   • Avoid opening ZIP/SCR files that claim to be VPN documents or invoices without verifying the source.
   • Limit admin privileges on user devices and review any new services or tasks that are created without authorization.
   • Build awareness by conducting simulated phishing exercises and training users to verify attached files or links before opening them.
   Ref: https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html
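The first mitigation above (do not open a ZIP/SCR "VPN invoice" without checking it) can be automated at the mail gateway. The following is an added example, not code from the bulletin or from any vendor: it opens a ZIP attachment in memory and flags members that are Windows executables dressed up as documents, checking both the file extension and the PE "MZ" header so a renamed .scr is still caught. The lure-word list and the sample archive are constructed for the demonstration.

```python
import io
import re
import zipfile

# Extensions Windows executes directly when double-clicked (.scr is a renamed .exe).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Constructed lure vocabulary matching the "VPN invoice" theme in the bulletin.
LURE_WORDS = re.compile(r"invoice|vpn|receipt|bill|statement", re.IGNORECASE)
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member that is an executable posing as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            with zf.open(info) as fh:
                is_pe = fh.read(2) == MZ_MAGIC  # content check, independent of the name
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if is_pe:
                reasons.append("PE (MZ) header")
            if LURE_WORDS.search(name):
                reasons.append("document-themed lure name")
            # Flag only real executables; a benign "invoice.pdf" is left alone.
            if ext in EXECUTABLE_EXTS or is_pe:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample members (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: an MZ stub (not a real program) named like a VPN invoice.
    sample = build_sample_zip({"VPN_Invoice_2025-11.pdf.scr": b"MZ" + b"\x00" * 62, "README.txt": b"plain text"})
    for f in suspicious_members(sample):
        print(f["member"], "->", "; ".join(f["reasons"]))
```

Run it against quarantined attachments rather than user mailboxes; a hit is a reason to hold the message for review, not proof of HttpTroy.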

04 November 2025
