New Gladinet Triofox Flaw Exploited by Attackers (CVE-2025-12480)

Summary
– Attackers exploited CVE-2025-12480, an improper access control vulnerability in Gladinet Triofox, allowing unauthenticated access to the configuration page.
– The threat group UNC6485 used an HTTP Host header attack to bypass controls, create a new admin account, and upload and execute malicious files via the antivirus feature.
– They deployed a Zoho UEMS installer to install remote access tools, then used them to enumerate SMB sessions, change passwords, and escalate user privileges.
– This vulnerability was patched in July 2025 but had been actively exploited, and Rapid7 researchers identified an alternative exploitation method for remote code execution.
– Organizations are advised to upgrade to the latest version, audit admin accounts, verify antivirus settings, and monitor for indicators of compromise.
A newly identified security flaw within the Gladinet Triofox platform, tracked as CVE-2025-12480, is actively being leveraged by attackers to gain unauthorized administrative access. This improper access control vulnerability permits unauthenticated individuals to reach the system’s configuration page, bypassing standard security measures. Security firm Mandiant reported that a threat group known as UNC6485 has been exploiting this weakness since late August 2025.
The attackers executed an HTTP Host header attack by setting the Host value to localhost, effectively sidestepping access restrictions. Once inside the configuration area, they initiated the initial Triofox setup procedure to establish a new native administration account with Cluster Admin privileges. This newly created administrative account then served as a launchpad for uploading and running malicious files, taking advantage of the platform’s built-in antivirus functionality.
According to Mandiant’s analysis, the attackers deployed a legitimate Zoho Unified Endpoint Management System installer as their payload. They subsequently used the UEMS agent to install Zoho Assist and AnyDesk remote access tools on the compromised host. With Zoho Assist, the threat actors ran commands to enumerate active SMB sessions and gather detailed information about local and domain user accounts. They also attempted to change passwords for existing accounts and add them to both the local administrators group and the Domain Admins group.
This incident occurred on a server running Triofox version 16.4.10317.56372, a release that had previously addressed CVE-2025-30406, a deserialization vulnerability impacting both Triofox and Gladinet’s CentreStack. CVE-2025-30406 was reportedly exploited as a zero-day starting in March 2025. By April, Huntress had observed multiple successful attacks and noted similarities in methods, suggesting the same group might also be responsible for exploiting a separate CrushFTP vulnerability around the same time.
In October 2025, Huntress researchers issued another warning concerning CVE-2025-11371, an unauthenticated Local File Inclusion zero-day affecting both CentreStack and Triofox. A patch was released in version 16.10.10408.56683 on October 14. Organizations using either platform are strongly urged to upgrade to the latest available version immediately.
Mandiant’s security experts recommend several defensive measures. These include auditing all administrative accounts, verifying that the Triofox Anti-virus Engine is not configured to run unauthorized scripts or binaries, checking systems for known attacker tools and indicators of compromise, and monitoring for any unusual outbound SSH traffic.
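As an added example that is not from the article, Gladinet or Mandiant, the following Python snippet illustrates one detection check for the Host header pattern described above: it parses IIS-style W3C log lines and flags requests whose Host header claims localhost while the client address is not loopback. The log lines, IP addresses and the /setup/config path are constructed placeholders, not real Triofox paths or log data.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in a simplified IIS W3C layout; the lines and the
# /setup/config path are placeholders, not real Triofox log data or URLs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:12 203.0.113.7 GET /setup/config localhost 200
2025-08-24 10:01:15 203.0.113.7 POST /setup/config 127.0.0.1:443 302
2025-08-24 10:02:01 198.51.100.20 GET /portal/login files.example.test 200
2025-08-24 10:03:44 127.0.0.1 GET /health localhost 200
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows

def normalize_host(value: str) -> str:
    """Lower-case a Host value and drop an optional :port (bracketed IPv6 kept intact)."""
    value = value.strip().lower()
    if value.startswith("["):
        return value.split("]")[0] + "]"
    return value.split(":")[0]

def is_loopback_client(ip: str) -> bool:
    """True only for genuine loopback client addresses (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def find_host_spoofing(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag requests whose Host header claims loopback but whose client IP is not loopback."""
    return [
        row for row in rows
        if normalize_host(row.get("cs-host", "")) in LOOPBACK_HOSTS
        and not is_loopback_client(row.get("c-ip", ""))
    ]
```

Running `find_host_spoofing(parse_w3c(SAMPLE_LOG))` on the constructed sample returns the two requests from 203.0.113.7; a reverse proxy that rewrites Host, or a legitimate health check from the box itself, would need to be accounted for before using this on production logs.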
It is important to note that CVE-2025-12480 had already been patched in Triofox version 16.7.10368.56560, released on July 26, 2025, before Mandiant observed its exploitation. Therefore, it was not a zero-day vulnerability at the time of these attacks. In related research, Rapid7 analysts confirmed that Gladinet’s CentreStack was also affected by CVE-2025-12480 and received a patch in the same version. They detailed an alternative exploitation method that, after bypassing access controls and taking over an administrator account, allows reconfiguring local storage to perform arbitrary file reads. This can leak cryptographic keys used to sign .NET ViewState payloads, ultimately leading to arbitrary code execution through .NET deserialization.
(Source: HelpNet Security)