Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

Nov 10, 2025 | Ravie Lakshmanan

Vulnerability / Incident Response

Security Flaw Uncovered in Gladinet’s Triofox Platform

In a recent revelation, Google’s Mandiant Threat Defense has identified n-day exploitation of a critical security vulnerability in Gladinet’s Triofox file-sharing and remote access platform. The flaw, designated CVE-2025-12480 and carrying a CVSS score of 9.1, enables attackers to bypass authentication and reach sensitive configuration pages, from which they can upload and execute arbitrary payloads, posing significant risks to users.

Mandiant’s investigation traced the exploitation back to a threat cluster known as UNC6485, which began weaponizing this flaw on August 24, 2025. This was notably after Gladinet had issued patches in version 16.7.10368.56560, aimed at mitigating the vulnerability. Alarmingly, CVE-2025-12480 marks the third flaw in Triofox that has been actively exploited this year, following CVE-2025-30406 and CVE-2025-11371.

According to the software’s release notes, “Added protection for the initial configuration pages” has been implemented, meaning these pages are supposed to be inaccessible once Triofox setup is complete. However, Mandiant reported that the threat actor leveraged the vulnerability to access these configuration pages and then used the setup process to create a new native admin account named “Cluster Admin”. This newly established account was then used for further malicious activity.

Security researchers Stallone D’Souza, Praveeth DSouza, Bill Glynn, Kevin O’Flynn, and Yash Gupta detailed that the attacker achieved code execution by logging in with the newly created admin account and uploading malicious files that were then executed via the platform’s built-in antivirus feature. The antivirus configuration let the user specify an arbitrary path for the selected antivirus engine; whatever sits at that path inherits the privileges of the Triofox parent process, which runs in the context of the SYSTEM account.

Specifically, the attackers executed a malicious batch script named “centre_report.bat” by directing the antivirus engine’s path to this script. This script was designed to download an installer for Zoho Unified Endpoint Management System (UEMS) from a specified IP address, facilitating the deployment of remote access tools such as Zoho Assist and AnyDesk on the compromised host.

The remote access capabilities provided by Zoho Assist were subsequently used for reconnaissance activities, including attempts to alter passwords for existing accounts and elevate privileges by adding accounts to local administrators and the “Domain Admins” group.

To evade detection, the threat actors employed tools like Plink and PuTTY to establish an encrypted tunnel to a command-and-control (C2) server over port 433 via SSH, ultimately aiming to enable inbound RDP traffic.

While the precise objectives of this campaign remain unclear, Mandiant advises all Triofox users to promptly update to the latest version, conduct audits of admin accounts, and ensure that the Triofox antivirus engine is not set to execute unauthorized scripts or binaries.
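As an added example (not code from Mandiant or Gladinet), the following Python check applies that last recommendation: given the antivirus engine path configured in Triofox, it flags a script rather than an engine binary, a location an unprivileged user could write to, and a path outside a trusted install directory. The page does not say how the setting is stored, so the function simply takes the path as a string; the directory lists are constructed assumptions to adapt to the local environment.

```python
"""Audit a Triofox-style antivirus engine path setting (added example)."""
import ntpath

# Extensions that mean "an interpreter runs a script", not a scanner binary.
# This is the pattern described in the incident: a .bat file run as SYSTEM.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}

# Directories an unprivileged Windows user can normally write to (constructed
# list, assumption): an engine path under these can be swapped for attacker content.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
    "c:\\inetpub\\",
)

# Where a legitimately installed engine is expected (constructed allowlist, assumption).
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def audit_av_path(path: str) -> list[str]:
    """Return findings for a configured antivirus engine path; [] means it passed."""
    findings = []
    # Normalise quoting, separators and case so prefix checks are reliable.
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    ext = ntpath.splitext(norm)[1]
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script extension {ext}: Triofox would run it as SYSTEM")
    elif ext != ".exe":
        findings.append(f"unexpected extension {ext!r}: not an executable engine")
    if norm.startswith(USER_WRITABLE_PREFIXES):
        findings.append("path is under a user-writable directory")
    if not norm.startswith(TRUSTED_PREFIXES):
        findings.append("path is outside the trusted install directories")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: one sane engine path, one matching the incident.
    for sample in (r'"C:\Program Files\ExampleAV\scan.exe"',
                   r"C:\Windows\Temp\centre_report.bat"):
        print(sample, "->", audit_av_path(sample) or "OK")
```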
