
Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with anti-virus feature abuse for code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and Anydesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.

OPENCTI LABELS :

triofox,file-sharing,unauthenticated access,privilege escalation,remote access,host header attack,anti-virus abuse,cve-2025-12480


AI COMMENTARY :

1. Overview of Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 The Triofox file-sharing platform developed by Gladinet contained a severe vulnerability tracked as CVE-2025-12480. The flaw let unauthenticated actors reach administrative configuration pages and, from there, obtain arbitrary code execution on the server. The vulnerability was present in Triofox version 16.4.10317.56372 and was fixed in version 16.7.10368.56560. Because Triofox is deployed precisely to expose internal file shares to remote users, the issue posed a critical risk to the organizations relying on it.

2. Technical Details of the Exploit Chain The entry point for CVE-2025-12480 was HTTP Host header manipulation. By sending a specially crafted Host header, the threat actors reached configuration pages that should have required authentication, bypassing the platform's access controls. The next stage abused Triofox's built-in anti-virus feature, which invokes an administrator-configured anti-virus engine: the attackers used that integration to have the server execute a malicious script of their own. The combination of unauthenticated access to configuration and anti-virus abuse yielded remote code execution, turning a file-sharing gateway into a beachhead for deeper network intrusion.
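The following is an added illustration of the bug class described above, a web application that decides whether a request is "local" from the client-supplied Host header, shown beside a hardened check. It is not Triofox code and assumes nothing about Triofox's actual implementation; the hostnames, the setup-page gate and the request tuples are constructed for the example.

```python
# Added illustration of the bug class described above (trusting the HTTP Host
# header to decide whether a request is "local"). It is not Triofox code and
# assumes nothing about Triofox's actual implementation; hostnames and the
# request tuples are constructed for the example.

import ipaddress
from typing import Mapping

# Assumed: the hostname the deployment is actually served under.
TRUSTED_HOSTNAMES = {"files.example.com"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def host_from_header(headers: Mapping[str, str]) -> str:
    """Return the Host header without port; handles bracketed IPv6 literals."""
    raw = headers.get("Host", "").strip().lower()
    if raw.startswith("["):                      # e.g. "[::1]:8080"
        return raw[1:raw.find("]")] if "]" in raw else raw
    return raw.split(":", 1)[0]


def is_local_vulnerable(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Weak check: believes whatever the client puts in the Host header."""
    return host_from_header(headers) in LOOPBACK_NAMES


def is_local_hardened(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Decide locality from the TCP peer address, which the client cannot
    forge, and separately reject Host values outside the allowlist."""
    if host_from_header(headers) not in TRUSTED_HOSTNAMES | LOOPBACK_NAMES:
        return False
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def setup_page_allowed(headers, remote_addr, authenticated, setup_complete, is_local):
    """Gate for an unauthenticated setup/configuration page.

    Once installation is finished the page must require authentication no
    matter where the request comes from; before that, only genuinely local
    requests may use it."""
    if authenticated:
        return True
    if setup_complete:
        return False
    return is_local(headers, remote_addr)


# Constructed requests: a spoofed Host from an internet client versus real
# loopback connections during first-time setup.
SPOOFED = ({"Host": "localhost"}, "203.0.113.10")
GENUINE = ({"Host": "localhost"}, "127.0.0.1")
IPV6_LOCAL = ({"Host": "[::1]:8443"}, "::1")


def demo():
    """Map each constructed request to (vulnerable_result, hardened_result)."""
    results = {}
    cases = {"spoofed": SPOOFED, "genuine": GENUINE, "ipv6": IPV6_LOCAL}
    for name, (hdrs, peer) in cases.items():
        results[name] = (
            setup_page_allowed(hdrs, peer, False, False, is_local_vulnerable),
            setup_page_allowed(hdrs, peer, False, False, is_local_hardened),
        )
    return results


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:8s} vulnerable={weak} hardened={strong}")
```

Two caveats a practitioner should keep in mind when applying this pattern: behind a reverse proxy the peer address is the proxy, and X-Forwarded-For is just as attacker-controlled as Host unless the proxy overwrites it; and the setup_complete flag matters as much as the locality check, because an installation page that stays reachable after deployment is exactly the kind of unauthenticated configuration surface this report describes.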

3. Tactics Employed by UNC6485 Security telemetry indicates threat group UNC6485 began exploiting the vulnerability as early as August 24, 2025. After bypassing authentication via the Host header attack, they created administrative accounts and installed remote access tools. The group then conducted extensive reconnaissance, mapped network assets, and attempted privilege escalation. The sequence shows a methodical actor familiar with file-sharing infrastructure and with evasion techniques.

4. Tools and Remote Access Methods Once inside Triofox, UNC6485 deployed Zoho UEMS, Zoho Assist, and AnyDesk to maintain persistent remote access. These are legitimate remote administration products, chosen so the traffic would blend with ordinary administrative activity. The threat actors also established encrypted tunnels to C2 servers, shielding command-and-control traffic from inspection. This multi-tool approach gave them redundant paths back into the environment, supported lateral movement, and complicated detection.

5. Impact on Organizations The exploitation of CVE-2025-12480 led to unauthorized data exposure, potential data tampering, and a foothold for continued intrusion. File-sharing platforms like Triofox often store sensitive corporate documents, so unauthorized access can result in theft of intellectual property or the deployment of ransomware. The combination of unauthenticated access and privilege escalation significantly raised the severity of the breach.

6. Patch and Mitigation Strategies Gladinet released Triofox version 16.7.10368.56560 to address the vulnerability. Immediate actions for defenders include updating to the patched version, confirming that configuration pages are no longer reachable without authentication, reviewing web server Host header validation rules, and auditing the anti-virus integration settings for unexpected scripts or executables. Network and endpoint monitoring should focus on unexpected AnyDesk, Zoho Assist, or Zoho UEMS installations and on encrypted tunnel activity from the Triofox host. Regular audits of admin accounts, with particular attention to accounts created around August 2025, and reviews of remote access logs further reduce risk.
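As an added detection example, not taken from the report or from the vendor, the script below scans IIS W3C extended log lines for two indicators of Host header abuse against a server like Triofox: requests whose Host header is a loopback name although the client address is not, and requests whose Host header is not one of the server's expected names. It assumes the cs-host field has been enabled in the W3C logging configuration; every log line, IP address, hostname and path below is constructed.

```python
# Added detection example, not from the report or the vendor: scan IIS W3C
# extended log lines (with the cs-host field enabled) for Host-header spoofing
# indicators. All log lines, IPs, hostnames and paths below are constructed.

import ipaddress
from typing import Dict, Iterator, List, Tuple

# Assumed: the names this Triofox server is legitimately reached under.
EXPECTED_HOSTS = {"files.example.com"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 03:12:07 203.0.113.10 GET /setup/config.aspx localhost 200
2025-08-24 03:12:09 203.0.113.10 POST /setup/config.aspx localhost 302
2025-08-24 09:00:01 198.51.100.7 GET /portal/ files.example.com 200
2025-08-24 09:00:05 127.0.0.1 GET /health localhost 200
2025-08-24 09:01:40 198.51.100.8 GET /portal/ evil.example 200
"""


def parse_w3c(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def normalize_host(host: str) -> str:
    """Lower-case the Host value and drop a port; keep IPv6 literals intact."""
    host = host.lower()
    if host.startswith("["):
        return host[1:host.find("]")] if "]" in host else host
    return host.split(":", 1)[0]


def is_loopback(addr: str) -> bool:
    """True for 'localhost' or any loopback IP literal; False for junk."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def suspicious_entries(log_text: str) -> List[Tuple[str, str, str, str, List[str]]]:
    """Return (timestamp, client ip, uri, host, reasons) for entries where a
    remote client presents a loopback Host header, or uses a Host name the
    server is not supposed to answer to."""
    findings = []
    for e in parse_w3c(log_text.splitlines()):
        host = normalize_host(e.get("cs-host", "-"))
        client = e.get("c-ip", "-")
        reasons = []
        if is_loopback(host) and not is_loopback(client):
            reasons.append("loopback Host header from non-loopback client")
        if host not in EXPECTED_HOSTS | LOOPBACK_NAMES:
            reasons.append("Host not in expected server names")
        if reasons:
            findings.append((f"{e['date']} {e['time']}", client,
                             e.get("cs-uri-stem", "-"), host, reasons))
    return findings


if __name__ == "__main__":
    for ts, client, uri, host, reasons in suspicious_entries(SAMPLE_LOG):
        print(ts, client, uri, host, "; ".join(reasons))
```

IIS does not log the Host header by default, so this check only works on servers where the cs-host field was switched on before the incident window; where it was not, the same hunt has to fall back on the indicators the report does name, such as newly created administrative accounts and unexpected AnyDesk or Zoho Assist installations on the Triofox host.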

7. Lessons Learned and Best Practices The CVE-2025-12480 incident underscores the importance of robust input validation and cautious use of integrated security features. File-sharing solutions must enforce strict host header checks and limit code execution privileges. Organizations should adopt the principle of least privilege, continuously monitor remote access tools, and apply timely patches. Collaboration between security, IT operations, and vendor support teams is critical to swiftly remediate vulnerabilities and defend against sophisticated threat actors like UNC6485.

