Hackers Exploit Critical Flaw in Triofox File Sharing Product

By Team-CWD, November 12, 2025
Cyber threat actors have been exploiting a vulnerability in Gladinet’s Triofox, a file-sharing and remote access platform, chaining it with abuse of the product’s built-in anti-virus feature to achieve code execution.

The threat activity cluster conducting the exploit is tracked as UNC6485 by Google’s Mandiant Threat Defense and Google Threat Intelligence Group (GTIG), according to a new report published on November 10.

The vulnerability, CVE-2025-12480, was discovered and reported by Mandiant on November 10. It is a critical improper access control flaw (CVSS: 9.8) affecting Triofox versions prior to 16.7.10368.56560.

When exploited, it allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. 

Google contacted Gladinet before disclosing the vulnerability.

Google confirmed that Gladinet released a patched version of Triofox, 16.7.10368.56560, in June.

However, the exploitation campaign started in August, with UNC6485 exploiting CVE-2025-12480 on older versions of Triofox.

How UNC6485 Exploited CVE-2025-12480

Mandiant detected the malicious campaign while responding to a security incident and assessed that it started on August 14, 2025.

The researchers identified an anomalous entry in the HTTP log file – a localhost host header – which they described as “highly irregular” in a request originating from an external source and “typically not expected in legitimate traffic.”

“The investigation revealed an unauthenticated access vulnerability that allowed access to configuration pages. UNC6485 used these pages to run the initial Triofox setup process to create a new native admin account, Cluster Admin, and used this account to conduct subsequent activities,” wrote the Mandiant and GTIG researchers in the report.

Mandiant discovered that attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page.

By abusing this misconfiguration, where the CanRunCriticalPage() function relied solely on the unvalidated host header, they triggered the Triofox initialization process, creating a new native ‘Cluster Admin’ account with full privileges.

The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages.
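The access-control pattern described above, rendered as an added Python illustration (this is not Triofox’s code, which is ASP.NET; the names `can_run_critical_page_weak`, `can_run_critical_page_hardened`, `Request` and `SetupState` are assumptions for this example). The weak gate trusts the attacker-controlled Host header alone; the hardened gate decides on facts the server sets itself (peer address, setup state, authenticated session) and treats the Host header only as a value to validate against an allowlist.

```python
"""Illustration (not Triofox's code) of the flaw class described above: a
critical setup page gated only on the HTTP Host header, beside a hardened
gate. All names and the allowed hostname are assumptions for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address

LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    host_header: str            # HTTP Host header: fully client-controlled
    remote_addr: str            # TCP peer address: set by the server's stack
    authenticated_admin: bool = False


@dataclass
class SetupState:
    setup_complete: bool
    # Hostnames this deployment actually serves (assumed value).
    allowed_hosts: set = field(default_factory=lambda: {"triofox.example.internal"})


def _host_name(host_header: str) -> str:
    """Strip an optional port and IPv6 brackets from a Host header value."""
    if host_header.startswith("["):
        return host_header[1:host_header.index("]")].lower()
    return host_header.split(":")[0].lower()


def can_run_critical_page_weak(req: Request, state: SetupState) -> bool:
    """Weak gate: trusts the Host header alone. A remote client that sends
    'Host: localhost' passes, even after setup has finished."""
    return _host_name(req.host_header) in LOCALHOST_NAMES


def can_run_critical_page_hardened(req: Request, state: SetupState) -> bool:
    """Hardened gate: the Host header is validated, never trusted as identity."""
    host = _host_name(req.host_header)
    # 1. Reject Host values that are not names this deployment serves.
    if host not in state.allowed_hosts | LOCALHOST_NAMES:
        return False
    # 2. Once setup is complete, the initialisation pages are closed to
    #    everyone except an already-authenticated admin session.
    if state.setup_complete:
        return req.authenticated_admin
    # 3. Before setup, require the connection itself to originate from
    #    loopback; the peer address cannot be spoofed with a header.
    try:
        return ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False
```

The point of step 3 is that a reverse proxy or load balancer in front of the application would also have to be accounted for: if it rewrites the peer address to its own loopback or internal IP, the loopback check must move to the proxy, and the application should then rely on the authenticated-session check alone.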

To achieve code execution, the attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.

When setting up the anti-virus feature, an administrator can supply an arbitrary path for the selected scanner. Whatever file is configured as the scanner location inherits the privileges of the Triofox parent process, which runs as the SYSTEM account.

The attackers were able to run their malicious batch script by configuring the path of the anti-virus engine to point to their script.

Uploading any file to a published share within the Triofox instance then triggers a scan, which runs the configured script.

After gaining initial access, the attackers deployed a disguised Zoho Unified Endpoint Management System (UEMS) installer via PowerShell to drop Zoho Assist and AnyDesk for remote control.

The attackers then used these tools to enumerate Server Message Block (SMB) sessions, escalate privileges by modifying domain/admin group memberships and exfiltrate credentials.

For persistence and evasion, they established an SSH tunnel via Plink/PuTTY to their command-and-control (C2) server, enabling covert remote desktop protocol (RDP) access over port 433 while masking traffic as legitimate remote management activity.

Upgrade Triofox, Audit Admin Accounts and Hunt for Attacker Tools

While the CVE-2025-12480 vulnerability has been patched since June, the malicious campaign identified by Mandiant shows evidence that threat actors were exploiting unpatched Triofox versions in August.

Therefore, the GTIG report urged Triofox users to upgrade to the latest release, audit admin accounts, and verify that Triofox’s Anti-virus Engine is not configured to execute unauthorized scripts or binaries.

“Security teams should also hunt for attacker tools using our hunting queries listed at the bottom of this post and monitor for anomalous outbound SSH traffic,” the report concluded.
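Two of those recommendations, hunting web logs for the localhost Host-header anomaly Mandiant described and auditing the configured anti-virus engine path, as an added Python example. This is not the report’s own hunting query; the log lines are constructed in IIS W3C format with the optional `cs-host` field enabled, the field order, the request path `/AdminDatabase.aspx` and the expected program directories are assumptions, and the audit rules are a starting point rather than Gladinet’s guidance.

```python
"""Added hunting example (not the report's queries). Flags requests whose Host
header claims localhost while the client address is external, and audits a
configured anti-virus engine path. Log lines are constructed; the cs-host
field must be enabled in IIS logging for the hunt to work."""
from ipaddress import ip_address
from pathlib import PureWindowsPath

LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}

# Constructed sample log in W3C format (field order is an assumption).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-14 03:12:01 198.51.100.7 GET /AdminDatabase.aspx localhost 200
2025-08-14 03:12:03 10.0.0.5 GET /portal/login.aspx triofox.example.internal 200
2025-08-14 03:12:09 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-14 03:12:15 198.51.100.7 POST /AdminDatabase.aspx 127.0.0.1 302
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text into one dict per request line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def spoofed_localhost_requests(rows: list[dict]) -> list[dict]:
    """Return rows where the Host header is a loopback name but the TCP client
    address is not loopback: the irregular pattern noted in the investigation."""
    hits = []
    for r in rows:
        host = r.get("cs-host", "").split(":")[0].lower()
        try:
            client = ip_address(r["c-ip"])
        except (KeyError, ValueError):
            continue
        if host in LOCALHOST_NAMES and not client.is_loopback:
            hits.append(r)
    return hits


# Audit rules for the anti-virus engine path (assumed expected roots).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
EXPECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def audit_av_engine_path(path_str: str) -> list[str]:
    """Return findings for a configured scanner path; empty means it looks sane."""
    p = PureWindowsPath(path_str)
    findings = []
    if p.suffix.lower() in SCRIPT_EXTENSIONS:
        findings.append("scanner path points to a script, not a scanner executable")
    if not any(p.is_relative_to(root) for root in EXPECTED_ROOTS):
        findings.append("scanner path lies outside the expected program directories")
    return findings


if __name__ == "__main__":
    for hit in spoofed_localhost_requests(parse_w3c(SAMPLE_LOG)):
        print("suspicious:", hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-host"])
    for finding in audit_av_engine_path(r"C:\Users\Public\av.bat"):
        print("audit:", finding)
```

Because the hunt keys on the peer address rather than the header, a request relayed through a reverse proxy will show the proxy’s IP in `c-ip`; in that deployment the same logic should be applied to the `X-Forwarded-For` value the proxy logs, or run on the proxy’s own logs.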

Another vulnerability affecting Triofox, tracked as CVE-2025-11371, was recently added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
