Cybersecurity researchers from Mandiant Threat Defense have uncovered a critical zero-day vulnerability in Gladinet’s Triofox file-sharing platform that allowed attackers to bypass authentication and execute malicious code with system-level privileges.
The vulnerability, tracked as CVE-2025-12480, was actively exploited by the threat actor group UNC6485 as early as August 24, 2025.

The flaw affected Triofox version 16.4.10317.56372 and has since been patched in release 16.7.10368.56560.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-12480 |
| Vendor | Gladinet |
| Product | Triofox |
| Vulnerability Type | Unauthenticated Access Control / Host Header Injection |
| Severity | Critical |
| CVSS Score | 9.8 (estimated) |

## How the Attack Worked

The exploitation chain involved a sophisticated two-step process. First, attackers manipulated HTTP host headers to bypass authentication controls.
By simply changing the host header value to “localhost” in their web requests, hackers gained unauthorized access to critical configuration pages that should have been restricted.
The vulnerability existed in the CanRunCriticalPage() function within Triofox’s codebase.
The function incorrectly trusted the HTTP host header without validating that requests originated from localhost, allowing remote attackers to spoof the source of the connection.
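To make the access-control flaw concrete, the following is an added illustration written for this article; it is not Triofox code, and the request model, function names and the hardened design are assumptions. It contrasts a check that trusts the client-supplied Host header (the pattern the article attributes to CanRunCriticalPage()) with one that consults the peer address of the TCP connection, which a remote client cannot set.

```python
from ipaddress import ip_address


class Request:
    """Constructed minimal request model (assumed names, not Triofox's API)."""

    def __init__(self, host_header: str, remote_addr: str):
        self.host_header = host_header   # HTTP Host header: fully client-controlled
        self.remote_addr = remote_addr   # peer address of the TCP connection: set by the server


def can_run_critical_page_flawed(req: Request) -> bool:
    """Mirrors the weakness described above: the Host header alone decides access.
    Any remote client can send 'Host: localhost', so this proves nothing about origin."""
    host = req.host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:80
        host = host[1:host.index("]")]
    else:
        host = host.split(":")[0]            # drop an optional port
    return host in ("localhost", "127.0.0.1", "::1")


def can_run_critical_page_fixed(req: Request) -> bool:
    """Hardened variant (assumed design): ignore the Host header entirely and allow the
    page only when the connection's own peer address is a loopback address."""
    try:
        return ip_address(req.remote_addr).is_loopback
    except ValueError:                       # malformed or absent address: deny
        return False
```

One caveat for deployments behind a reverse proxy or load balancer: there the peer address seen by the application is the proxy, not the end client, so a loopback check must be enforced at the proxy (or the setup page must be gated behind real authentication) rather than by inspecting any header the proxy forwards.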
After gaining initial access, UNC6485 created a new administrator account named “Cluster Admin” through the compromised setup interface.
They then logged in and exploited a second weakness in Triofox’s built-in anti-virus feature.
The attackers discovered they could configure the anti-virus scanner path to point to their own malicious batch script instead of legitimate security software.
When files were uploaded to shared folders, Triofox automatically executed the configured "anti-virus" scanner, which was in fact the attacker's payload, with full SYSTEM account privileges.
This technique enabled UNC6485 to deploy multiple tools, including Zoho remote access software, AnyDesk, and SSH tunneling utilities such as Plink and PuTTY.
The threat actors used these tools to establish encrypted connections to their command-and-control servers, enumerate system information, and attempt privilege escalation by adding compromised accounts to the Domain Admins group.
Mandiant detected the intrusion within 16 minutes using Google Security Operations, identifying suspicious deployment of a remote access utility and unusual file activity in temporary directories.
Security teams observed anomalous HTTP log entries showing external requests with localhost referrer headers, a clear indicator of the exploitation attempt.
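The indicator just described can be hunted for in web server logs. The following is an added example written for this article, not a Mandiant or Gladinet detection query: it parses constructed sample log lines in a simplified W3C-style layout (the field order, the example page path and the IP addresses are all placeholders, not Triofox's real format) and flags requests whose client address is not loopback but whose Host or Referer header claims localhost.

```python
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample log (assumed layout, not Triofox's real log format):
# date time client-ip method uri-stem host-header referer status
# The page path is a placeholder; the addresses are documentation ranges.
SAMPLE_LOG = """\
2025-08-24 10:01:12 127.0.0.1 GET /critical-page-placeholder.aspx localhost - 200
2025-08-24 10:03:55 203.0.113.7 GET /critical-page-placeholder.aspx localhost - 200
2025-08-24 10:04:02 203.0.113.7 POST /critical-page-placeholder.aspx localhost http://localhost/critical-page-placeholder.aspx 302
2025-08-24 10:05:30 198.51.100.23 GET /portal/login-placeholder.aspx files.example.test - 200
"""

FIELDS = ["date", "time", "client_ip", "method", "uri", "host", "referer", "status"]
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def _is_local_name(value: str) -> bool:
    """True if a Host header value or URL host names the local machine (port ignored)."""
    v = value.strip().lower()
    if v.startswith("["):                    # bracketed IPv6 literal, e.g. [::1]:80
        v = v[1:v.index("]")]
    else:
        v = v.split(":")[0]
    return v in LOCAL_NAMES


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into named fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in line: {line!r}")
    return dict(zip(FIELDS, parts))


def find_spoofed_localhost(log_text: str) -> List[Dict[str, str]]:
    """Return records where a non-loopback client claims a localhost origin via
    the Host header or the Referer. Genuine local requests are skipped."""
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        try:
            if ip_address(rec["client_ip"]).is_loopback:
                continue                     # truly local: not interesting
        except ValueError:
            pass                             # unparsable address: treat as external
        reasons = []
        if _is_local_name(rec["host"]):
            reasons.append("Host header claims localhost")
        referer_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if referer_host and _is_local_name(referer_host):
            reasons.append("Referer claims localhost")
        if reasons:
            hits.append({"line": str(lineno), "client_ip": rec["client_ip"],
                         "uri": rec["uri"], "reason": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_localhost(SAMPLE_LOG):
        print(hit)
```

Adapting this to a real deployment means mapping the parser to the server's actual log layout (IIS W3C logs, for instance, only record the Host header if the relevant field is enabled) and, when a reverse proxy sits in front, using the forwarded client address rather than the proxy's own.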
Organizations running Triofox should immediately upgrade to version 16.7.10368.56560 or later.
Security teams should audit all administrator accounts for unauthorized entries, verify anti-virus engine configurations, and hunt for attacker tools using Mandiant’s published detection queries. Monitoring for unusual outbound SSH traffic can help identify ongoing compromises.