NEWS "localhost" in the header — and you are the administrator. A 0-Day in Triofox hands over the keys to the system.

ExcalibuR

Authorization? It's a relic of the past, hackers believe.

Specialists from Mandiant have identified active exploitation of a zero-day vulnerability in the Gladinet Triofox remote access and file-sharing platform. The vulnerability, CVE-2025-12480, allowed for authorization bypass and access to the configuration pages of the web interface. Through these pages, attackers created new administrator accounts and uploaded arbitrary malicious files. The issue was patched in version 16.7.10368.56560; however, the vulnerability had already been exploited by at least one threat group prior to this.

Activity leveraging this flaw was recorded on August 24, 2025. The attack is attributed to the UNC6485 cluster. The threat actors not only gained administrative access but also combined it with vulnerable functionality in the built-in antivirus to execute arbitrary code with SYSTEM privileges.

The detection of the attack began with an automated system alert, which flagged the download of third-party utilities and activity within system directories. Within 16 minutes, Mandiant specialists confirmed the threat, isolated the host, and determined that Triofox allowed authorization bypass by spoofing the Host header. If a request contained "localhost", the server automatically granted access to AdminDatabase.aspx – an initial setup page intended only for local installations.

Through this page, the attackers triggered a re-run of the setup wizard and created a full system-level administrator account named "Cluster Admin". This level of access allowed them to fully control the application and proceed to the next stage: uploading malicious scripts via the antivirus scan mechanism.

In Triofox's architecture, a user can specify an arbitrary path to an executable file designated as the antivirus engine. The uploaded script is then executed with the privileges of the parent process, granting full system access. The attackers exploited this feature to launch the centre_report.bat file, which used PowerShell to download the next stage of the attack – a Zoho UEMS installer disguised as a ZIP archive. After installing the legitimate UEMS agent, they deployed Zoho Assist and AnyDesk to maintain persistence on the target system.

Via remote access, the attackers executed information-gathering commands: viewing SMB sessions, analyzing users, attempting password changes, and adding accounts to local and domain administrator groups. For a covert communication channel, they uploaded the legitimate PuTTY and Plink utilities (renamed to silcon.exe and sihosts.exe) to the server, using them to establish an encrypted SSH tunnel to an external C2 server. This channel allowed them to tunnel RDP traffic over port 3389, enabling full remote control of the compromised machine.

Analysis of the vulnerability revealed that the primary access control check is implemented in the CanRunCriticalPage() method within the GladPageUILib.dll library. If the Host header contains "localhost", the check for trusted IP addresses in the configuration is bypassed, and access to critical pages is automatically granted. Thus, the lack of request source validation and reliance on correct configuration settings created conditions for an unauthenticated attack.
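One way a defender can hunt for this pattern in existing web server logs, as an added example (not code from Mandiant, Gladinet or the article): the check below flags requests that reach AdminDatabase.aspx while presenting a Host header of "localhost" from a client address that is not loopback. The W3C log layout (a `#Fields:` header with `c-ip`, `cs-uri-stem` and `cs-host` columns) and the sample log lines are assumptions constructed for the example; the `cs-host` field is not on by default in IIS logging and must be enabled for this to work on real logs.

```python
"""Hunt for spoofed-localhost access to Triofox critical pages.

Added example, not Gladinet's or Mandiant's code. It assumes W3C-style
web server logs with a '#Fields:' header that includes c-ip,
cs-uri-stem and cs-host (the cs-host column is an assumption; enable
it in IIS logging if it is absent).
"""
import ipaddress

# Constructed sample log (not real data). Line 1 is a genuine local
# request; lines 3 and 4 are remote clients presenting Host: localhost.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:02 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:02:15 203.0.113.7 GET /portal/login.aspx triofox.example.com 200
2025-08-24 10:03:41 203.0.113.7 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:04:09 198.51.100.23 POST /AdminDatabase.aspx LOCALHOST:80 302
"""

# Pages that the article reports are gated only by the Host header check.
CRITICAL_PAGES = {"/admindatabase.aspx"}


def parse_w3c(text):
    """Yield one dict per log record, using the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def find_spoofed_localhost(text):
    """Return records where a non-loopback client hit a critical page
    with a Host header whose host part is 'localhost' (port ignored)."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "").lower()
        host = rec.get("cs-host", "").lower().split(":")[0]
        if (uri in CRITICAL_PAGES
                and host == "localhost"
                and not is_loopback(rec.get("c-ip", ""))):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_spoofed_localhost(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} client={rec['c-ip']} "
              f"{rec['cs-method']} {rec['cs-uri-stem']} host={rec['cs-host']}")
```

Run against the constructed sample, the two remote requests (203.0.113.7 and 198.51.100.23) are reported and the genuine 127.0.0.1 request is not. On a real host the same logic can be pointed at the IIS log directory, and any hit from before the patch to 16.7.10368.56560 is a reason to audit the administrator list for accounts such as "Cluster Admin" that nobody recognises.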

Mandiant recommends updating Triofox to the latest version, auditing all administrator accounts, and ensuring the path for the antivirus engine does not point to third-party executable files. It is also advised to analyze network traffic for anomalous SSH activity.