Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Nov. 11, 2025, 10:23 a.m.
Description
A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with abuse of the built-in anti-virus feature to achieve code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and AnyDesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP Host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.
Tags
Date
- Created: Nov. 10, 2025, 9:58 p.m.
- Published: Nov. 10, 2025, 9:58 p.m.
- Modified: Nov. 11, 2025, 10:23 a.m.
Indicators
- ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f
- 50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7
- 43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f
- 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad
- 216.107.136.46
- http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip
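The following script is an added defensive example, not part of the advisory or of Gladinet's software. It takes the indicators listed above as a raw feed export, buckets them into SHA-256 hashes, IPv4 addresses and URLs while normalising the kind of noise such exports carry (mixed-case hashes, a duplicate URL entry with a stray trailing quote), and then sweeps proxy, firewall and EDR log lines for matches. The log lines are constructed for the example; the only page-derived values are the indicators themselves. Treating the bare-IP host of the download URL (84.200.80.252) as an additional IP indicator is this example's own design choice.

```python
import re
from urllib.parse import urlparse

# Indicators from the advisory above. One URL entry is deliberately kept with a
# trailing quote, the way a sloppy feed export often delivers it, so that the
# normalisation below is exercised.
RAW_INDICATORS = [
    "ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f",
    "50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7",
    "43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f",
    "16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad",
    "216.107.136.46",
    "http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip'",
    "http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip",
]

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TRAILING_JUNK = "'\"),.;:]>"  # punctuation that log formats and exports glue onto URLs


def normalize_url(url: str) -> str:
    """Strip surrounding whitespace and trailing quote/punctuation noise."""
    return url.strip().rstrip(TRAILING_JUNK)


def build_ioc_sets(raw):
    """Classify raw indicator strings into (hashes, ips, urls), normalised and de-duplicated."""
    hashes, ips, urls = set(), set(), set()
    for item in raw:
        item = item.strip()
        if SHA256_RE.fullmatch(item):
            hashes.add(item.lower())
        elif IPV4_RE.fullmatch(item):
            ips.add(item)
        elif URL_RE.match(item):
            url = normalize_url(item)
            urls.add(url)
            host = urlparse(url).hostname
            # Design choice of this example: a URL served from a bare IP also
            # yields that IP as an indicator for firewall/NetFlow matching.
            if host and IPV4_RE.fullmatch(host):
                ips.add(host)
    return hashes, ips, urls


def scan_line(line, hashes, ips, urls):
    """Return the sorted set of (kind, value) indicator hits found in one log line."""
    hits = set()
    for m in SHA256_RE.findall(line):
        if m.lower() in hashes:
            hits.add(("sha256", m.lower()))
    for m in URL_RE.findall(line):
        u = normalize_url(m)
        if u in urls:
            hits.add(("url", u))
    for m in IPV4_RE.findall(line):
        if m in ips:
            hits.add(("ip", m))
    return sorted(hits)


def scan_logs(lines, iocs):
    """Sweep an iterable of log lines; return [(line_no, kind, value), ...] with 1-based line numbers."""
    hashes, ips, urls = iocs
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line, hashes, ips, urls):
            findings.append((n, kind, value))
    return findings


# Constructed sample log lines (not real telemetry): a proxy fetch of the
# installer URL, an EDR file event with an upper-case hash, an outbound
# firewall allow to the listed IP, and one benign proxy line.
SAMPLE_LOGS = [
    "2025-08-24T03:12:09Z proxy src=10.0.5.17 dst=84.200.80.252 "
    "url=\"http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip'\" status=200",
    "2025-08-24T03:15:41Z edr host=WEB01 event=file_write "
    "sha256=AC7F226BDF1C6750AFA6A03DA2B483EEE2EF02CD9C2D6AF71EA7C6A9A4EACE2F",
    "2025-08-24T03:20:02Z fw action=allow src=10.0.5.17 dst=216.107.136.46 dport=443",
    "2025-08-24T03:21:55Z proxy src=10.0.5.18 dst=203.0.113.10 "
    "url=\"https://www.example.com/\" status=200",
]

if __name__ == "__main__":
    iocs = build_ioc_sets(RAW_INDICATORS)
    for line_no, kind, value in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {line_no}: {kind} match {value}")
```

Run as-is it reports four hits: the download URL and its host IP on the proxy line, the hash on the EDR line, and 216.107.136.46 on the firewall line; the benign line produces nothing. Feeding it real logs is a matter of replacing `SAMPLE_LOGS` with a file iterator; hashes are compared lower-cased and URLs after normalisation, so case and trailing punctuation in either the feed or the logs do not cause misses.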