2025-11-11

Cyber threat actors have been exploiting a vulnerability in Gladinet’s Triofox, a file-sharing and remote access platform, and chained it with the abuse of the built-in anti-virus feature to achieve code execution.

The threat activity cluster conducting the exploit is tracked as UNC6485 by Google’s Mandiant Threat Defense and Google Threat Intelligence Group (GTIG), according to a new report published on November 10.

The vulnerability, CVE-2025-12480, was discovered and reported by Mandiant on November 10. It is a critical improper access control flaw (CVSS: 9.8) affecting Triofox versions prior to 16.7.10368.56560.

When exploited, it allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads.

Google contacted Gladinet before disclosing the vulnerability.

The tech giant confirmed that the software owner released a patched version of Triofox, 16.7.10368.56560, in June.

However, the exploitation campaign started in August, with UNC6485 exploiting CVE-2025-12480 on older versions of Triofox.

How UNC6485 Exploited CVE-2025-12480

Mandiant detected the malicious campaign while responding to a security incident and assessed that it started on August 14, 2025.

The researchers identified an anomalous entry in the HTTP log file – a localhost host header – which they described as “highly irregular” in a request originating from an external source and “typically not expected in legitimate traffic.”
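The indicator Mandiant describes, a loopback value in the Host header on a request that arrived from a non-loopback client address, is easy to hunt for in web server logs. The following is an added example, not code from the report or from Gladinet: it parses a constructed IIS-style W3C log excerpt (the `cs-host` field must be enabled in the site's logging settings for the Host header to appear) and flags requests whose Host header claims `localhost` or a loopback IP while the client IP (`c-ip`) is not loopback. The sample log lines, IP addresses and paths are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in W3C extended log format with the optional cs-host field enabled.
# Addresses are documentation ranges; the timestamps and paths are illustrative only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-host sc-status
2025-08-14 10:02:11 10.0.0.5 GET /AdminDatabase.aspx - 443 127.0.0.1 localhost 200
2025-08-14 10:03:40 10.0.0.5 GET /AdminDatabase.aspx - 443 203.0.113.45 localhost 200
2025-08-14 10:04:02 10.0.0.5 POST /login.aspx - 443 198.51.100.7 files.example.test 302
2025-08-14 10:05:15 10.0.0.5 GET /AdminDatabase.aspx - 443 203.0.113.45 127.0.0.1 200
"""

# Host header values that name the server itself; a remote client has no reason to send these.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def host_header_is_loopback(host: str) -> bool:
    """True when the Host header names the local machine, ignoring any :port suffix."""
    h = host.strip().lower()
    if h.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        h = h.split("]")[0] + "]"
    else:
        h = h.split(":")[0]
    return h in LOOPBACK_HOSTS


def client_is_external(ip: str) -> bool:
    """True when the transport-level client address is not a loopback address."""
    try:
        return not ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return True  # unparseable source address: treat as suspicious, not as local


def find_spoofed_localhost(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return requests whose Host header claims loopback while the client IP is external."""
    return [
        r for r in rows
        if host_header_is_loopback(r.get("cs-host", "")) and client_is_external(r.get("c-ip", ""))
    ]


if __name__ == "__main__":
    for hit in find_spoofed_localhost(parse_w3c(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['time']} c-ip={hit['c-ip']} cs-host={hit['cs-host']} {hit['cs-uri-stem']}")
```

The genuine local request at 10:02:11 is not flagged because both the header and the client address are loopback; the two requests from 203.0.113.45 are. On a real deployment, correlate hits against the expected reverse-proxy or load-balancer addresses before treating them as malicious, since a proxy that rewrites Host can produce the same pattern.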

“The investigation revealed an unauthenticated access vulnerability that allowed access to configuration pages. UNC6485 used these pages to run the initial Triofox setup process to create a new native admin account, Cluster Admin, and used this account to conduct subsequent activities,” wrote the Mandiant and GTIG researchers in the report.

Mandiant discovered that attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page.

By abusing this misconfiguration, where the CanRunCriticalPage() function relied solely on the unvalidated host header, they triggered the Triofox initialization process, creating a new native ‘Cluster Admin’ account with full privileges.

The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages.
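To make the root cause concrete, the following is an added illustration, not Triofox's code or a reconstruction of Gladinet's fix: a hypothetical Python model of a `can_run_critical_page` check. The first version mirrors the pattern the report describes, trusting only the client-supplied Host header; the second bases the decision on facts the client cannot spoof, namely the transport-level peer address and the server's own record of whether setup has completed, and once setup is done requires an authenticated administrator. The `Request` and `ServerState` types and the exact post-setup policy are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    host_header: str        # attacker-controlled: copied verbatim from the HTTP request
    remote_addr: str        # set by the server from the TCP connection, not by the client
    authenticated_admin: bool


@dataclass
class ServerState:
    setup_complete: bool    # persisted by the application once initial setup has run


def _host_without_port(host: str) -> str:
    h = host.strip().lower()
    return h.split("]")[0] + "]" if h.startswith("[") else h.split(":")[0]


def can_run_critical_page_vulnerable(req: Request, state: ServerState) -> bool:
    # Illustrates the flawed pattern: the decision rests solely on the Host header.
    # Setup state and the real peer address are never consulted, so any remote client
    # that sends "Host: localhost" passes, even after setup has completed.
    return _host_without_port(req.host_header) in ("localhost", "127.0.0.1", "[::1]")


def can_run_critical_page_hardened(req: Request, state: ServerState) -> bool:
    # Hypothetical hardened check (assumption, not the vendor's patch):
    # 1. The Host header plays no part in the decision.
    # 2. Before setup completes, only a genuinely local peer may reach setup pages.
    # 3. After setup completes, setup pages are closed to everyone except an
    #    already-authenticated administrator.
    if not state.setup_complete:
        try:
            return ipaddress.ip_address(req.remote_addr).is_loopback
        except ValueError:
            return False
    return req.authenticated_admin
```

The contrast is the whole point: a header is an input, while the peer address and the setup flag are server-side facts. The hardened check also refuses to re-run setup for an anonymous local client once setup is complete, closing the "setup pages still reachable after setup" condition that the advisory describes.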

To achieve code execution, the attackers logged in with the newly created admin account, uploaded malicious files and executed them through the built-in anti-virus feature.

When configuring the anti-virus feature, the user can supply an arbitrary path for the selected anti-virus executable. The file configured as the anti-virus scanner location inherits the privileges of the Triofox parent process, which runs under the SYSTEM account.

The attackers were able to run their malicious batch script by configuring the path of the anti-virus engine to point to their script.

Then, when an arbitrary file is uploaded to any published share within the Triofox instance, the configured script is executed.