
Triofox Hack: Critical File-Sharing Flaw Exploited

Summary

– Cyber threat actors are exploiting CVE-2025-12480, a critical vulnerability in Triofox versions before 16.7.10368.56560, allowing unauthorized access to setup pages.
– The threat group UNC6485, tracked by Google’s Mandiant and GTIG, began exploiting this vulnerability in August 2025 to create new admin accounts.
– Attackers bypassed access controls by spoofing localhost in the HTTP Host header, which let them reach the setup pages, re-run the Triofox initialization process and gain full privileges.
– UNC6485 abused Triofox’s built-in anti-virus feature by configuring it to run malicious scripts, achieving code execution with SYSTEM account privileges.
– Gladinet released a patched version in June 2025; the August exploitation hit older installations that had not been updated.

A critical security vulnerability within Gladinet’s Triofox file-sharing and remote access platform has been actively exploited by cyber attackers, allowing them to execute malicious code by manipulating the system’s built-in antivirus functionality. The flaw, identified as CVE-2025-12480, carries a severe CVSS score of 9.8 and impacts Triofox versions earlier than 16.7.10368.56560. This improper access control issue enables unauthorized individuals to reach initial setup pages even after configuration is finalized, opening the door for uploading and running arbitrary payloads.

Google’s Mandiant Threat Defense and Google Threat Intelligence Group (GTIG) track this activity as UNC6485. According to their findings, the exploitation campaign began in August 2025, two months after Gladinet had shipped a fixed version in June. The attackers used CVE-2025-12480 to compromise older, unpatched Triofox installations.

Mandiant first detected the campaign on August 14, 2025, during an incident response engagement. Investigators noticed requests in the HTTP logs that carried a Host header of localhost even though they arrived from external addresses, which is not something legitimate traffic produces. This anomaly pointed toward a Host header check that granted unauthenticated access to configuration pages: by sending a spoofed localhost Host header, the attackers bypassed the access control and reached the AdminDatabase.aspx setup page, which should be unreachable once installation is complete.

The weakness stems from insufficient origin validation, specifically an over-reliance on the Host header. The CanRunCriticalPage() function decided whether a request could reach critical configuration pages based solely on that unvalidated header, so a remote client could pass the check simply by claiming to be local. By exploiting this flaw, UNC6485 re-ran the Triofox initialization sequence and created a new native ‘Cluster Admin’ account with full administrative rights.
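The two preceding paragraphs describe a trust decision made on a client-controlled header and the log artefact it leaves behind. The following is an added example, not Triofox code and not Mandiant's tooling: a minimal model of the vulnerable check beside a hardened one, and a detector that flags the spoofing pattern in web-server logs. The Request type, the function names and the IIS-style log lines are constructed for illustration (a cs-host field is assumed to be enabled in the log format).

```python
# Added example, not Gladinet/Triofox code: why an "is this request local?"
# decision must not rest on the HTTP Host header, and how to spot the spoofing
# pattern in web-server logs. Request, the function names and SAMPLE_LOG are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    remote_addr: str   # peer address the server observed on the TCP connection
    host_header: str   # Host header, fully under the client's control
    path: str


def _host_looks_local(host: str) -> bool:
    # Strip a :port suffix (and IPv6 brackets) before comparing the name.
    name = host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]
    return name.lower() in LOCAL_HOSTNAMES


def can_run_critical_page_vulnerable(req: Request) -> bool:
    # Mirrors the flaw described above: the only input is the Host header,
    # so a remote client that sends "Host: localhost" passes.
    return _host_looks_local(req.host_header)


def can_run_critical_page_hardened(req: Request, setup_complete: bool) -> bool:
    # Two independent conditions: setup pages are dead once setup has finished,
    # and "local" is decided from the peer address, which the client cannot forge.
    if setup_complete:
        return False
    try:
        return ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


# Constructed IIS-style W3C log excerpt (not a real log) with a cs-host field.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-14 10:02:11 198.51.100.7 GET /login.aspx files.example.test 200
2025-08-14 10:03:40 198.51.100.7 GET /AdminDatabase.aspx localhost 200
2025-08-14 10:03:41 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-14 10:05:02 198.51.100.7 POST /AdminDatabase.aspx 127.0.0.1:443 302
"""


def find_spoofed_localhost(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, host) for requests whose Host header claims to
    be local while the connection came from a non-loopback address."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, c_ip, _method, uri, host, _status = line.split()
        try:
            peer_is_local = ip_address(c_ip).is_loopback
        except ValueError:
            peer_is_local = False
        if _host_looks_local(host) and not peer_is_local:
            hits.append((c_ip, uri, host))
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_localhost(SAMPLE_LOG):
        print("spoofed localhost Host header from", *hit)
```

The peer-address test only helps when the application sees the real client; behind a reverse proxy on the same machine every connection arrives from loopback, which is why the setup-complete latch is the condition that does not depend on deployment topology. The detector deliberately ignores the request path, since the same spoofing trick could be aimed at any page that relies on the header.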

With that privileged account the attackers uploaded their payload and then abused the platform’s integrated antivirus feature to execute it. Triofox lets an administrator configure the path of an external antivirus scanner, and whatever executable sits at that path is launched by the Triofox parent process and inherits its privileges, which means it runs as SYSTEM. By pointing the antivirus engine path at their malicious batch script and then uploading any file to a published share, the attackers caused the resulting "scan" to run their script automatically, completing the compromise chain.
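The chain above works because an administrator-supplied path is handed to a SYSTEM-level process without any check on what it points to. The following is an added example, not Gladinet's code: an allowlist check that a scanner-path setting would need to pass before being accepted. validate_scanner_path, the trusted roots and the share roots are hypothetical; the page does not show how Triofox stores this setting.

```python
# Added example, not Gladinet/Triofox code: an allowlist check for a
# configurable "external scanner" path of the kind abused above. The
# function, the trusted roots and the share roots are hypothetical.
from pathlib import PureWindowsPath
from typing import Tuple

# Only native executables may be launched by the SYSTEM-level parent process;
# .bat/.cmd/.ps1 and friends are refused outright.
ALLOWED_SUFFIXES = {".exe"}
# Directories an unprivileged or share-level user cannot write to (assumed).
TRUSTED_ROOTS = [
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
]
# Roots of published shares, i.e. anywhere an authenticated user can drop a
# file through the product itself (assumed layout).
SHARE_ROOTS = [
    PureWindowsPath(r"C:\TriofoxShares"),
    PureWindowsPath(r"D:\Data"),
]


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    # Component-wise, case-insensitive containment test; avoids the classic
    # prefix bug where C:\Program Files would "contain" C:\Program Files (x86).
    p = PureWindowsPath(str(path).lower())
    r = PureWindowsPath(str(root).lower())
    return p == r or r in p.parents


def validate_scanner_path(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason). Accepts only an absolute, local .exe that lives
    under a trusted root and outside every published share."""
    p = PureWindowsPath(raw)
    if not p.is_absolute():
        return False, "relative path"
    if p.drive.startswith("\\\\"):
        # UNC paths resolve to whatever the remote host serves at scan time.
        return False, "UNC/network path"
    if any(_under(p, s) for s in SHARE_ROOTS):
        # Exactly the attacker's route: upload the "scanner" via a share.
        return False, "inside a published share"
    if p.suffix.lower() not in ALLOWED_SUFFIXES:
        return False, f"disallowed file type {p.suffix or '(none)'}"
    if not any(_under(p, t) for t in TRUSTED_ROOTS):
        return False, "outside trusted roots"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        r"C:\TriofoxShares\Upload\scan.bat",
        r"C:\Program Files\Vendor\scan.bat",
        r"\\evil\share\scan.exe",
        r"C:\Program Files\Vendor\scan.exe",
    ):
        print(candidate, "->", validate_scanner_path(candidate))
```

A path check of this kind narrows the attack but does not replace the privilege boundary: the scanner still runs with the parent's token, so the longer-term fix is to launch it under a dedicated low-privilege service account rather than SYSTEM. On the detection side, a cmd.exe or script interpreter spawned as SYSTEM by the file-sharing service process is the behaviour to alert on regardless of which path setting was abused.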

(Source: Info Security)
