Attackers have exploited a now-fixed vulnerability (CVE-2025-12480) in the Gladinet Triofox secure file sharing and remote access platform while it was still a zero-day, Mandiant revealed on Monday.
CVE-2025-12480 exploitation and attack details
Gladinet’s Triofox solution is used by medium and large businesses to securely share files and allow users to access them without a VPN.
CVE-2025-12480 is an Improper Access Control flaw allowing unauthenticated attackers to access the solution’s configuration/setup page.
According to Mandiant’s threat analysts, as early as August 24, 2025, a threat cluster they track as UNC6485 exploited CVE-2025-12480 by conducting an HTTP Host header attack.
They set the Host value to localhost, which allowed them to bypass access controls on the configuration page, and used the page to run the initial Triofox setup process to create a new native administration account (“Cluster Admin”).
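The flaw class in miniature, as an added illustration written for this article (it is not Triofox code, which is not shown here): a "local-only" setup page whose gate is the client-supplied Host header, beside one gated on the TCP peer address and on whether first-run setup has already completed. The request dicts, peer addresses and hostnames are constructed.

```python
"""Added example: why a 'local only' setup page must not trust the Host header.
Illustrative Python written for this article, not Triofox source; the
requests below are constructed."""
from ipaddress import ip_address

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def host_without_port(host: str) -> str:
    """Return the hostname part of a Host header value, handling [v6]:port."""
    host = host.strip()
    if host.startswith("["):
        return host[1:host.find("]")] if "]" in host else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def setup_allowed_vulnerable(req: dict) -> bool:
    """Vulnerable pattern: 'local only' is decided from the Host header.
    Any client can send Host: localhost, so this is no check at all."""
    return host_without_port(req["headers"].get("Host", "")).lower() in LOOPBACK_NAMES


def setup_allowed_hardened(req: dict, setup_completed: bool) -> bool:
    """Hardened pattern: decide from the transport-layer peer address, which the
    client cannot forge, and refuse outright once first-run setup has finished
    (a setup page that can be re-run is a standing account-creation endpoint)."""
    if setup_completed:
        return False
    try:
        return ip_address(req["peer_ip"]).is_loopback
    except ValueError:
        return False


# Constructed requests. The first mimics the reported technique: a remote client
# requesting the setup page with Host: localhost.
REQUESTS = [
    {"name": "remote, spoofed Host", "peer_ip": "203.0.113.45", "headers": {"Host": "localhost"}},
    {"name": "remote, v6 spoof",     "peer_ip": "203.0.113.45", "headers": {"Host": "[::1]:443"}},
    {"name": "remote, normal Host",  "peer_ip": "203.0.113.45", "headers": {"Host": "files.example.com"}},
    {"name": "console, first run",   "peer_ip": "127.0.0.1",    "headers": {"Host": "localhost"}},
]


def compare(requests=REQUESTS, setup_completed: bool = False) -> dict:
    """Map request name -> (vulnerable decision, hardened decision)."""
    return {
        r["name"]: (setup_allowed_vulnerable(r), setup_allowed_hardened(r, setup_completed))
        for r in requests
    }


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:22s} vulnerable={str(vuln):5s} hardened={hard}")
```

The only request both gates accept is the genuine console request during first-run setup; the spoofed-Host requests pass the vulnerable gate and fail the hardened one, and once setup is marked complete the hardened gate refuses even the console. Behind a reverse proxy the peer address is the proxy, so the hardened check would additionally need to consult a forwarded-for header only from a trusted proxy, never from arbitrary clients.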
This account was then used to upload malicious files and execute them through the product's built-in antivirus feature: the Anti-virus Engine setting tells Triofox which scanner executable to run, so pointing it at an uploaded file makes Triofox itself run that file.
“The executed payload was a legitimate copy of the Zoho Unified Endpoint Management System (UEMS) software installer. The attacker used the UEMS agent to then deploy the Zoho Assist and Anydesk remote access utilities on the host,” the threat analysts explained.
“The attacker used Zoho Assist to run various commands to enumerate active SMB sessions and specific local and domain user information. Additionally, they attempted to change passwords for existing accounts and add the accounts to the local administrators and the ‘Domain Admins’ group.”
The attackers’ post-exploitation activity (Source: Mandiant/Google Cloud)
Attackers are having a field day with Gladinet zero-days
The attackers exploited CVE-2025-12480 on a server running Triofox v16.4.10317.56372, which was released in April 2025 to fix CVE-2025-30406, a deserialization vulnerability affecting Triofox and Gladinet’s MSP-friendly file sharing platform CentreStack.
According to its NVD entry, CVE-2025-30406 was exploited as a zero-day beginning in March 2025. By April, Huntress had identified multiple successful attacks, and noted that similarities in the attackers’ tradecraft suggested the same group was also behind the exploitation of a CrushFTP vulnerability (CVE-2025-31161) around the same period.
In October 2025, Huntress researchers raised the alarm once again: an unauthenticated Local File Inclusion zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox was being exploited by attackers in the wild. The vulnerability was fixed in CentreStack and Triofox v16.10.10408.56683, released on October 14.
And now we know that earlier that same month, Mandiant reported CVE-2025-12480 to Gladinet and the company fixed both it and CVE-2025-11371 in CentreStack and Triofox v16.10.10408.56683.
Organizations using either solution are advised to upgrade to the latest available release.
Mandiant’s threat analysts also recommend:
- Auditing admin accounts
- Verifying that Triofox’s Anti-virus Engine is not configured to execute unauthorized scripts or binaries
- Checking for the presence of attacker tools and indicators of compromise (which they shared)
- Monitoring for anomalous outbound SSH traffic
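One hunt a defender can run for the exploitation step itself, as an added example that is not part of Mandiant's report or Gladinet's tooling: scan IIS W3C logs for requests that present a loopback Host header while arriving from a non-loopback client. It assumes the web tier logs the `cs-host` field (off by default in IIS logging); the log excerpt is constructed, and the URI paths in it are placeholders rather than the product's real page names.

```python
"""Added detection example (constructed data, not from Mandiant's report):
flag IIS W3C log rows whose Host header claims loopback while the client
address is not loopback. Assumes the cs-host field is enabled in IIS
logging; URI paths are placeholders, not the product's real page names."""
from collections import Counter
from ipaddress import ip_address

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

# Constructed sample. IIS encodes spaces in field values as '+', so whitespace
# splitting is safe on these rows.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-08-24 03:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent)
2025-08-24 03:14:07 203.0.113.45 GET /setup - 200 localhost Mozilla/5.0+(Windows+NT+10.0)
2025-08-24 03:14:09 203.0.113.45 POST /setup - 302 localhost Mozilla/5.0+(Windows+NT+10.0)
2025-08-24 03:15:00 198.51.100.7 GET /portal/ - 200 files.example.com Mozilla/5.0+(Windows+NT+10.0)
2025-08-24 03:16:12 127.0.0.1 GET /setup - 200 localhost curl/8.0.1
2025-08-24 03:17:30 203.0.113.45 GET /portal/ - 200 127.0.0.1:443 python-requests/2.31
"""


def host_without_port(host: str) -> str:
    """Hostname part of a Host header value, handling [v6]:port."""
    host = host.strip()
    if host.startswith("["):
        return host[1:host.find("]")] if "]" in host else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def parse_w3c(text: str):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_loopback(ip: str) -> bool:
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_host_spoofing(text: str, trusted_proxies=frozenset()) -> list:
    """Rows where cs-host is a loopback name but c-ip is neither loopback nor a
    known reverse proxy that legitimately rewrites Host."""
    hits = []
    for row in parse_w3c(text):
        host = host_without_port(row.get("cs-host", "-")).lower()
        client = row.get("c-ip", "-")
        if host in LOOPBACK_NAMES and not is_loopback(client) and client not in trusted_proxies:
            hits.append(row)
    return hits


def summarize(hits: list) -> dict:
    """Count suspicious rows per client address, to prioritise triage."""
    return dict(Counter(h["c-ip"] for h in hits))


if __name__ == "__main__":
    found = find_host_spoofing(SAMPLE_LOG)
    for h in found:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], "Host=" + h["cs-host"])
    print(summarize(found))
```

Three of the five constructed rows trip the rule, all from the same remote address; the genuine console request does not. A reverse proxy that rewrites Host to localhost would produce the same pattern legitimately, which is what the trusted-proxy allow-list is for; a hit should then be joined with the admin-account audit from the list above to see whether a new administrator appeared shortly after.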