CVE-2025-12480: Triofox Users Warned of Active Exploits

Cybersecurity researchers have uncovered an active exploitation campaign targeting a critical vulnerability in Gladinet’s Triofox, a popular enterprise file-sharing and remote access platform. The flaw, tracked as CVE-2025-12480, allows attackers to bypass access controls, run the product’s initial setup again, and ultimately execute malicious code on vulnerable systems.

The campaign was discovered by Google’s Mandiant Threat Defense and Google Threat Intelligence Group (GTIG), who attributed the activity to a threat cluster named UNC6485. According to the joint report published on November 10, attackers have been abusing the vulnerability since August 2025, even though Gladinet released a fix several months earlier.

The vulnerability affects Triofox versions prior to 16.7.10368.56560 and carries a CVSS score of 9.8, indicating a severe security risk. At its core, CVE-2025-12480 is an improper access control flaw that lets attackers reach Triofox’s setup pages even after the system has already been configured.

This loophole was possible due to a failure to validate the origin of requests. Instead of relying on proper authentication, a key function in Triofox trusted the HTTP Host header provided by the client — a value that can easily be spoofed. By setting the Host header to localhost, attackers could trick the software into treating them as a trusted internal request.

This led to unrestricted access to AdminDatabase.aspx, a configuration page that should never be exposed to external users.

With access to these restricted pages, UNC6485 re-ran the product’s initial setup workflow. This gave them the ability to create a new admin-level account named Cluster Admin, granting full system privileges without any need for real authentication.

Mandiant noted that this behavior was first detected through an unusual log entry: an HTTP request from an external source that strangely contained a localhost host header. This indication of host header spoofing helped analysts uncover how the attackers bypassed Triofox’s defenses.
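The log anomaly Mandiant describes, a request from an external address carrying a localhost Host header, is something defenders can hunt for directly. The script below is an added example, not code from the Mandiant/GTIG report or from Gladinet. It assumes the web server records the Host header next to the client IP (for IIS, the optional cs-host field in W3C extended logging) and uses a constructed log excerpt; the login page path and hostname in the sample are made up.

```python
"""Detect Host-header spoofing against Triofox setup pages in web server logs.

Added example, not from the Mandiant/GTIG report or Gladinet. It assumes the
web server logs the request's Host header (for IIS, the optional cs-host field
in W3C extended format) alongside the client IP. Sample lines are constructed."""
import ipaddress
from dataclasses import dataclass

# Setup/configuration page named in the report; extend as needed.
SENSITIVE_PATHS = {"/admindatabase.aspx"}
LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}

# Constructed W3C-style log excerpt. Client 203.0.113.45 is external but sends
# a localhost Host header; the 127.0.0.1 request is a genuine local call.
# /login.aspx and triofox.example.com are placeholders, not known Triofox values.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-20 10:01:02 203.0.113.45 GET /AdminDatabase.aspx localhost 200
2025-08-20 10:01:05 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-20 10:02:11 198.51.100.7 GET /login.aspx triofox.example.com 200
2025-08-20 10:03:30 203.0.113.45 POST /AdminDatabase.aspx 127.0.0.1:80 302
"""


@dataclass
class Finding:
    client_ip: str
    host_header: str
    path: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def host_claims_localhost(host):
    """True if the Host header names the local machine (optional :port stripped)."""
    name = host.lower()
    if name.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:80
        name = name[1:name.find("]")]
    elif name.count(":") == 1:               # host:port
        name = name.split(":")[0]
    return name in LOCALHOST_NAMES


def detect_spoofed_localhost(lines):
    """Return Findings for requests whose Host header claims localhost but whose
    client address is not a loopback address; setup-page hits are called out."""
    findings = []
    for row in parse_w3c(lines):
        ip = row.get("c-ip", "")
        host = row.get("cs-host", "")
        path = row.get("cs-uri-stem", "")
        if host_claims_localhost(host) and not is_loopback(ip):
            reason = "localhost Host header from non-loopback client"
            if path.lower() in SENSITIVE_PATHS:
                reason += "; request targets a setup page"
            findings.append(Finding(ip, host, path, reason))
    return findings


if __name__ == "__main__":
    for f in detect_spoofed_localhost(SAMPLE_LOG.splitlines()):
        print(f"{f.client_ip} -> {f.path} (Host: {f.host_header}): {f.reason}")
```

A reverse proxy in front of Triofox changes what the application sees as the client address, so run this against the logs of whichever tier records the real source IP, and treat any hit on a setup page as a potential CVE-2025-12480 attempt regardless of the response status.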

Once they gained control through the new admin account, the attackers moved to the next step — achieving code execution.

One of the most alarming elements of this campaign was how the attackers abused Triofox’s anti-virus scanning feature.

Triofox allows administrators to configure any file path as the location of an anti-virus engine. The file at that path is then launched with SYSTEM-level privileges, the highest access level on Windows systems.

UNC6485 exploited this by:

  1. Logging in with the newly created admin account

  2. Setting the anti-virus engine path to point to a malicious batch script

  3. Uploading any file to a shared directory to trigger execution of that script automatically

With this technique, the attackers were able to achieve remote code execution without needing any exploit beyond the initial vulnerability.

After securing code execution, the attackers began installing remote access tools to maintain persistence and expand their reach within the victim network.

They used PowerShell to deploy a trojanized installer for Zoho’s Unified Endpoint Management System (UEMS), which stealthily installed Zoho Assist and AnyDesk — applications commonly used for remote IT support, but here abused for unauthorized control.

Using these tools, UNC6485 performed several high-impact actions:

  • Enumerating SMB sessions

  • Modifying domain and admin group memberships to escalate privileges

  • Exfiltrating credentials and other sensitive information

To hide their activity, the attackers created an SSH tunnel using Plink/PuTTY to route Remote Desktop Protocol (RDP) traffic through port 433. This masked the RDP activity as normal management traffic and made detection significantly harder.

Although the vulnerability was patched in June 2025, the active exploitation seen in August confirms that many organizations had not yet applied the update. Given the severity of the flaw and how easily it can be exploited, unpatched deployments remain at high risk.

Mandiant and GTIG recommend that all Triofox users take immediate action:

1. Upgrade to the Latest Patch

Install Triofox version 16.7.10368.56560 or later. Older versions remain vulnerable to CVE-2025-12480.

2. Audit All Admin Accounts

Check for unknown or suspicious accounts, especially ones resembling “Cluster Admin,” which may indicate compromise.

3. Review Anti-Virus Engine Configuration

Ensure the anti-virus path is not pointing to an unauthorized script, binary, or non-standard file location.

4. Hunt for Attacker Tools

Look for AnyDesk, Zoho Assist, Plink, PuTTY, or unusual PowerShell activity. GTIG’s report includes detailed hunting queries for security teams.

5. Monitor Outbound SSH Traffic

Outbound SSH connections, especially on unusual ports such as 433, may signal tunneling activity used for covert remote access.
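Two of the recommendations above (reviewing the anti-virus engine path, and watching outbound SSH on unusual ports) can be turned into repeatable hunting checks. The script below is an added example, not code from the report or from Gladinet. The Zeek conn.log excerpt is constructed, the "expected install directories" allowlist is a placeholder to be replaced with wherever the organization's real anti-virus engine is installed, and it assumes Zeek's protocol analyzer has labelled the connection's service.

```python
"""Hunting checks for two post-compromise signals: an anti-virus engine path
that points at a script or an unexpected location, and outbound SSH on a
non-standard port. Added example, not from the report or Gladinet. The Zeek
conn.log excerpt is constructed; EXPECTED_ENGINE_DIRS is a placeholder."""
from pathlib import PureWindowsPath

SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}
EXPECTED_ENGINE_DIRS = (                      # placeholder allowlist
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
SSH_EXPECTED_PORTS = {22}

# Constructed Zeek conn.log excerpt (tab-separated). local_orig=T marks
# connections initiated from inside the monitored network.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tlocal_orig",
    "1755700000.1\t10.0.0.15\t50231\t203.0.113.9\t433\ttcp\tssh\tT",
    "1755700010.2\t10.0.0.15\t50240\t10.0.0.20\t22\ttcp\tssh\tT",
    "1755700020.3\t203.0.113.9\t40001\t10.0.0.15\t443\ttcp\tssl\tF",
    "1755700030.4\t10.0.0.15\t50301\t198.51.100.4\t433\ttcp\t-\tT",
])


def _is_under(path, parent):
    """True if path lies inside parent (PureWindowsPath compares case-insensitively)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def review_av_engine_path(path_text):
    """Return the reasons the configured anti-virus engine path looks wrong;
    an empty list means it passed both checks."""
    p = PureWindowsPath(path_text)
    reasons = []
    if p.suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"engine path is a script ({p.suffix}), not an executable")
    if not any(_is_under(p, d) for d in EXPECTED_ENGINE_DIRS):
        reasons.append("engine path is outside the expected install directories")
    return reasons


def parse_zeek_tsv(text):
    """Return conn.log records as dicts, using the #fields line for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def outbound_ssh_on_unusual_port(rows):
    """Return (source, destination, port) for locally originated connections
    that Zeek identified as SSH on a port other than the expected ones."""
    hits = []
    for r in rows:
        if r.get("local_orig") != "T" or r.get("service") != "ssh":
            continue
        port = int(r["id.resp_p"])
        if port not in SSH_EXPECTED_PORTS:
            hits.append((r["id.orig_h"], r["id.resp_h"], port))
    return hits


if __name__ == "__main__":
    print(review_av_engine_path(r"C:\Windows\Temp\av.bat"))
    print(outbound_ssh_on_unusual_port(parse_zeek_tsv(SAMPLE_CONN_LOG)))
```

The last sample row shows the limitation of the SSH check: a connection to port 433 whose service Zeek could not identify is not flagged, because the detection keys on the protocol analyzer rather than the port number. Pair it with port-based alerting at the firewall so that encrypted tunnels on unexpected ports are not missed.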

The Triofox vulnerability highlights how dangerous improper access control can be when combined with overlooked configuration features. In this case, a simple spoofed header enabled attackers to take over enterprise servers, escalate privileges, and deploy remote access tools with SYSTEM-level permissions.

Organizations using Triofox must act quickly to patch systems, investigate for signs of compromise, and strengthen monitoring to prevent similar abuse in the future.
