Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Essential information
- Published
- 10/11/2025 21:58
- Modified
- 11/11/2025 10:23
- Tags
- 2025-11-10 CVE-2025-12480 anti-virus abuse file-sharing host header attack privilege-escalation remote access triofox unauthenticated access
- Related entities
- 1 vulnerabilities (cve), 7 observables, 1 intrusion sets (apt), 12 techniques (mitre)
Description
A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with anti-virus feature abuse for code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and Anydesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.