A critical improper access control vulnerability in Triofox (CVE-2025-12480, CVSS 9.1) allows attackers to access initial setup pages even after the software has been configured. This flaw, present in versions prior to 16.7.10368.56560, enables unauthenticated users to bypass authentication and access sensitive configuration interfaces. The vulnerability was disclosed and patched by Gladinet, with the update specifically restricting access to these setup pages post-installation.
Despite the availability of a patch, threat actors tracked as UNC6485 have been observed actively exploiting this vulnerability since at least August 2025. Attackers leverage the flaw to create new administrative accounts by rerunning the setup process, then use these accounts to upload and execute arbitrary payloads. Notably, the exploitation chain abuses the built-in antivirus feature, allowing attackers to specify a malicious script as the antivirus engine path, which then executes with SYSTEM privileges. This incident marks the third actively exploited Triofox vulnerability in 2025, highlighting ongoing targeting of the platform by sophisticated threat actors.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
CISA added CVE-2025-12480 to its KEV catalog, formally recognizing that the Triofox flaw was being exploited in the wild. The listing elevated urgency for defenders to patch and investigate potential compromise.
On November 11, 2025 reporting, Mandiant disclosed technical details of CVE-2025-12480 exploitation, including the Host header bypass, admin account creation, and abuse of the antivirus feature for code execution. The company attributed the activity to UNC6485 and recommended upgrading, auditing admin accounts, and monitoring for suspicious outbound SSH traffic.
Help Net Security reports Gladinet released CentreStack and Triofox version 16.10.10408.56683, which also fixed CVE-2025-12480 and CVE-2025-11371. This later release provided an updated patched version for affected customers.
Post-compromise activity included deployment of Zoho UEMS, Zoho Assist, and AnyDesk, along with internal enumeration, attempted privilege escalation, and plink-like tunneling utilities. These actions established persistence and enabled further movement within victim environments.
After obtaining admin access, attackers configured Triofox's built-in antivirus engine path to run attacker-supplied scripts or payloads with SYSTEM privileges when files were uploaded. This turned the initial authentication bypass into remote code execution on affected servers.
Mandiant observed threat cluster UNC6485 actively exploiting CVE-2025-12480 as early as August 24, 2025. Attackers bypassed Host header validation to access setup pages, create unauthorized admin accounts, and compromise exposed Triofox systems.
Gladinet released Triofox version 16.7.10368.56560, which multiple sources identify as containing a fix for CVE-2025-12480. The flaw allowed improper access control via Host header manipulation that could lead to admin takeover and code execution.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
horizon3.ai
Open sourceblog.alphahunt.io
Open sourcesecurityaffairs.com
Open sourcebleepingcomputer.com
Open sourcehelpnetsecurity.com
Open sourcesecurityonline.info
Open sourcecvefeed.io
Open sourcethehackernews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.