In recent developments, cybersecurity experts have identified a critical vulnerability in Gladinet’s Triofox platform, a widely used file-sharing and remote access solution. This flaw, designated as CVE-2025-12480 with a CVSS score of 9.1, allows unauthorized access to the platform’s configuration pages, enabling attackers to upload and execute arbitrary code. The exploitation of this vulnerability has been linked to a threat actor group known as UNC6485, which has been actively leveraging this flaw since August 24, 2025.
Understanding CVE-2025-12480
CVE-2025-12480 is an improper access control vulnerability present in Triofox versions prior to 16.7.10368.56560. The flaw permits unauthenticated users to access initial setup pages even after the platform’s deployment, effectively bypassing authentication mechanisms. This oversight provides a gateway for attackers to gain administrative control over the system.
Exploitation Tactics Employed by UNC6485
The threat group UNC6485 has been observed exploiting this vulnerability through a series of calculated steps:
1. Unauthorized Access to Configuration Pages: By exploiting CVE-2025-12480, attackers gain access to Triofox’s configuration interfaces without the need for authentication.
2. Creation of a New Administrative Account: Utilizing the setup process accessible via the configuration pages, the attackers create a new native administrator account named Cluster Admin.
3. Execution of Malicious Payloads via Antivirus Feature: With administrative privileges, the attackers manipulate Triofox’s built-in antivirus feature. They configure the antivirus scanner path to point to a malicious batch script (centre_report.bat), which is then executed with SYSTEM-level privileges.
4. Deployment of Remote Access Tools: The batch script downloads and installs remote access programs such as Zoho Assist and AnyDesk from external servers, establishing persistent access to the compromised system.
5. Privilege Escalation and Lateral Movement: The attackers use the remote access tools to conduct reconnaissance, change passwords of existing accounts, and add these accounts to privileged groups like Domain Admins, thereby escalating their access within the network.
6. Establishment of Encrypted Communication Channels: To evade detection, the attackers deploy tools like Plink and PuTTY to set up encrypted tunnels to command-and-control servers, facilitating secure communication and data exfiltration.
Mitigation Measures and Recommendations
In response to the active exploitation of CVE-2025-12480, Gladinet has released a patch in Triofox version 16.7.10368.56560, which addresses the vulnerability by restricting access to the initial configuration pages post-setup. Users are strongly advised to update to this latest version to mitigate the risk.
Additionally, organizations should implement the following security measures:
– Audit Administrative Accounts: Regularly review and verify all administrative accounts to detect any unauthorized additions.
– Monitor Antivirus Configurations: Ensure that the antivirus engine within Triofox is not configured to execute unauthorized scripts or binaries.
– Restrict Access to Configuration Interfaces: Implement network segmentation and access controls to limit access to Triofox’s configuration pages to trusted networks only.
– Conduct Regular Security Assessments: Perform periodic vulnerability assessments and penetration testing to identify and remediate potential security gaps.
Broader Implications and Context
The exploitation of CVE-2025-12480 is part of a series of vulnerabilities identified in Triofox over the past year. Earlier in 2025, two other critical flaws were discovered:
– CVE-2025-30406: A deserialization vulnerability due to hardcoded machine keys in the web.config files, allowing remote code execution.
– CVE-2025-11371: An unauthenticated local file inclusion vulnerability enabling attackers to access sensitive system files and potentially achieve remote code execution.
These recurring vulnerabilities underscore the importance of proactive security practices, including timely patch management, continuous monitoring, and user education to mitigate the risks associated with software flaws.
Conclusion
The active exploitation of CVE-2025-12480 in Gladinet’s Triofox platform highlights the evolving tactics of threat actors and the critical need for organizations to stay vigilant. By promptly applying patches, auditing system configurations, and implementing robust security measures, organizations can protect their systems from such sophisticated attacks.
