
Google’s Mandiant Threat Defense has revealed that a recently patched critical flaw in Gladinet’s Triofox file-sharing and remote access software has been actively exploited by threat actors. The vulnerability, tracked as CVE-2025-12480 with a CVSS score of 9.1, allows unauthenticated attackers to bypass security checks, gain access to configuration pages, and execute arbitrary code on affected systems.
According to Mandiant, the threat cluster UNC6485 has been exploiting the flaw since August 24, 2025, nearly a month after Gladinet issued a fix in version 16.7.10368.56560. This marks the third major security issue affecting Triofox this year, following CVE-2025-30406 and CVE-2025-11371. The company’s release notes stated, “Added protection for the initial configuration pages. These pages can no longer be accessed after Triofox has been set up.”
Mandiant’s investigation found that attackers exploited the unauthenticated access vulnerability to infiltrate configuration pages and create a new administrative account named Cluster Admin. Using this account, they gained full control over the system and executed follow-on actions.
“To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in antivirus feature,” said researchers Stallone D’Souza, Praveeth D’Souza, Bill Glynn, Kevin O’Flynn, and Yash Gupta.
The exploit hinged on manipulating Triofox’s antivirus configuration. “To set up the antivirus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the antivirus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account,” Mandiant explained.
The attackers ran a malicious batch script, “centre_report.bat,” redirecting the antivirus path to execute it. The script downloaded and installed Zoho Unified Endpoint Management System (UEMS) from a malicious IP address, which was then used to deploy Zoho Assist and AnyDesk for remote access. With this access, the adversaries performed reconnaissance, altered credentials, and escalated privileges by adding compromised accounts to Domain Admins.
To avoid detection, the attackers also used tools such as Plink and PuTTY to establish encrypted SSH tunnels for Remote Desktop Protocol (RDP) access. While the campaign’s ultimate motive is still unclear, Mandiant strongly advises Triofox customers to update to the latest version, audit admin accounts, and review antivirus configurations to prevent unauthorized script execution.
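Mandiant’s advice to review antivirus configurations can be turned into a quick triage of the configured scanner path, as in this added example (not Mandiant’s or Gladinet’s code). It assumes the scanner path has already been exported from each Triofox host into a host-to-path mapping; the Program Files allowlist, the interpreter list and the user-writable markers are assumptions, and the sample entries are constructed.

```python
import ntpath

# Extensions that mean "run a script", not a scanner binary. The write-up above
# describes exactly this: a .bat file set as the scanner and run as SYSTEM.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}
# Interpreters that should never be the "scanner" themselves (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Where an installed scanner would normally live (assumption; adjust per site).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Locations a low-privileged user or web process can usually write to (assumption).
WRITABLE_MARKERS = ("\\temp\\", "\\tmp\\", "\\users\\", "\\programdata\\",
                    "\\windows\\tasks\\", "\\appdata\\")


def assess_scanner_path(path: str) -> list[str]:
    """Return findings for one configured scanner path; an empty list means no concern."""
    p = path.strip().strip('"')
    if not p:
        return ["empty scanner path"]
    low = p.lower()
    name = ntpath.basename(low)
    _, ext = ntpath.splitext(name)
    findings = []
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script file ({ext}) configured as scanner; it would run as SYSTEM")
    if name in INTERPRETERS:
        findings.append(f"interpreter {name} configured as scanner")
    if not low.startswith(TRUSTED_PREFIXES):
        findings.append("scanner outside Program Files")
    if any(m in low for m in WRITABLE_MARKERS):
        findings.append("scanner lives in a user-writable location")
    if low.startswith("\\\\"):
        findings.append("scanner loaded from a UNC/network path")
    return findings


def triage(config: dict[str, str]) -> dict[str, list[str]]:
    """Map each host whose scanner path raised at least one finding to its findings."""
    return {host: f for host, p in config.items() if (f := assess_scanner_path(p))}


# Constructed sample export (hostnames and paths are not real data).
SAMPLE_CONFIG = {
    "triofox-01": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    "triofox-02": r"C:\Windows\Temp\centre_report.bat",  # filename from the Mandiant write-up
    "triofox-03": r"\\fileshare\tools\scan.exe",
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_CONFIG).items():
        print(host, "->", "; ".join(findings))
```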




