Hackers Exploit Triofox Vulnerability to Deploy Remote Access Tools via Antivirus Feature


460/68 Wednesday, November 12, 2025

Cybersecurity firm Mandiant (Google) has identified active exploitation of an n-day vulnerability in Gladinet Triofox, a secure enterprise file-sharing and remote access platform, shortly after a patch was released. The critical flaw, tracked as CVE-2025-12480 with a CVSS score of 9.1, allows attackers to bypass authentication and gain access to the Triofox Configuration interface, enabling them to upload and execute arbitrary payloads. Mandiant reports that the threat group UNC6485 has been exploiting this vulnerability since August 24, 2025, following Gladinet’s release of the fix in version 16.7.10368.56560. This marks the third Triofox vulnerability exploited in 2025, following CVE-2025-30406 and CVE-2025-11371.

The attack begins by abusing access to the Triofox Configuration page to create a new native administrator account named Cluster Admin. The attacker then logs in with this account and abuses Triofox’s antivirus feature to execute uploaded files: because the product lets administrators manually specify the path of the antivirus program, the attacker points that path at a malicious script, which Triofox then runs with SYSTEM-level privileges. This script, centre_report.bat, downloads a Zoho UEMS installer from 84.200.80[.]252, which is then used to deploy remote access software such as Zoho Assist and AnyDesk on the compromised host.

After gaining remote control, the attackers perform reconnaissance, alter user credentials, add new accounts to the Local Administrators group, and attempt to escalate privileges to Domain Admin. They also download tools such as Plink and PuTTY to establish encrypted SSH tunnels through port 433, allowing inbound RDP access for continued control.

Mandiant recommends that Triofox users immediately update to the latest version and conduct a thorough audit of administrator accounts to identify any unauthorized additions. Organizations should also monitor for unusual network activity or connections to suspicious domains and IP addresses. Additional protective measures include restricting access to the Configuration interface through an IP allowlist, enforcing multi-factor authentication (MFA) for all admin accounts, and continuously monitoring for Indicators of Compromise (IoCs) associated with this campaign.
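The two controls above that a defender can act on immediately are an audit of administrator accounts and a check that the antivirus path configured in Triofox still points at a real scanner rather than a script, plus a sweep of egress logs for the reported IP. The script below is an added example written for this page, not code from Mandiant, Gladinet or The Hacker News. It assumes nothing about Triofox's internal storage format: the account list, the scanner path, the approved-admin baseline and the proxy-log lines are all constructed inputs, and only the 84.200.80[.]252 indicator comes from the report.

```python
"""Defender-side audit helpers for the Triofox campaign described above.

All data formats and sample values here are constructed for the example; they
are not Triofox's own configuration schema or log format.
"""
import re

# Constructed baseline: administrator accounts that are expected to exist.
APPROVED_ADMINS = {"triofox-svc", "it.admin"}

# Extensions that should never appear as a "scanner executable". Pointing the
# antivirus path at a script is how the campaign obtained SYSTEM-level execution.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf")

# Indicator from the report, given on the page in defanged form.
KNOWN_BAD_HOSTS = {"84.200.80[.]252"}


def refang(indicator):
    """Turn a defanged indicator such as 84.200.80[.]252 back into a plain IP."""
    return indicator.replace("[.]", ".")


def audit_admin_accounts(accounts, approved=APPROVED_ADMINS):
    """Return administrator accounts that are not in the approved baseline."""
    return sorted(acc for acc in accounts if acc not in approved)


def audit_av_path(path):
    """Return a list of reasons the configured antivirus path looks suspicious.

    An empty list means the path looks like a legitimate scanner binary.
    """
    reasons = []
    lowered = path.strip('"').lower()
    if lowered.endswith(SCRIPT_EXTENSIONS):
        reasons.append("scanner path is a script, not an executable")
    # Assumption for this example: real AV engines live under Program Files.
    if not (lowered.startswith("c:\\program files\\")
            or lowered.startswith("c:\\program files (x86)\\")):
        reasons.append("scanner path is outside Program Files")
    return reasons


# Constructed proxy-log format: "<timestamp> <src_ip> -> <dst_ip>:<port> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\d+)$")


def find_ioc_connections(log_lines, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (timestamp, src, dst) for every connection to a known-bad host."""
    bad_ips = {refang(h) for h in bad_hosts}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, src, dst, _port, _size = m.groups()
        if dst in bad_ips:
            hits.append((ts, src, dst))
    return hits


# Constructed sample inputs (not real telemetry).
SAMPLE_ADMINS = ["triofox-svc", "it.admin", "Cluster Admin"]
SAMPLE_AV_PATH = r"C:\ProgramData\Triofox\centre_report.bat"  # constructed location
SAMPLE_PROXY_LOG = [
    "2025-08-24T10:15:01Z 10.0.5.21 -> 13.107.4.50:443 18422",
    "2025-08-24T10:15:09Z 10.0.5.21 -> 84.200.80.252:80 912000",
    "2025-08-24T10:16:44Z 10.0.5.22 -> 10.0.0.5:445 2048",
]

if __name__ == "__main__":
    print("unexpected admins:", audit_admin_accounts(SAMPLE_ADMINS))
    print("AV path findings:", audit_av_path(SAMPLE_AV_PATH))
    for ts, src, dst in find_ioc_connections(SAMPLE_PROXY_LOG):
        print(f"{ts} {src} contacted known-bad host {dst}")
```

Run against the constructed inputs, the account audit reports Cluster Admin, the path check fires on both the .bat extension and the non-standard location, and the log sweep isolates the single connection to the reported IP. In a real deployment the three inputs would be exported from the Triofox admin console and the egress proxy; the checks themselves do not depend on how that export is produced.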

Source: https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html