CVE-2025-12480

Gladinet Triofox Improper Access Control Vulnerability | Active Exploitation

CVE-2025-12480 is an improper access control vulnerability in the management and setup pages of Gladinet Triofox, an on-prem and hybrid file-sharing platform widely used by MSPs and enterprises.

The flaw allows attackers to abuse an HTTP Host header check to reach the setup workflow, create a native administrative account, and then use the admin account to configure the product’s anti-virus executable path to run a malicious script, ultimately resulting in remote code execution and full host compromise.

Google Threat Intelligence Group observed exploitation by threat cluster UNC6485 as early as August 24, 2025. CISA added CVE-2025-12480 to its Known Exploited Vulnerabilities (KEV) catalog on November 12, after previously adding two other Gladinet Triofox and CentreStack vulnerabilities from this year, reflecting ongoing exploitation activity in this product family.

Stop Guessing, Start Proving

NodeZero attack path visualization showing how CVE-2025-12480 in Triofox leads to admin account creation and remote code execution
Get Started with a Demo

Technical Details

  • Root Flaw: Improper access control in Triofox’s management/setup pages.
  • Initial Attack Vector: Attackers abuse the HTTP Host header validation to access management/AdminDatabase.aspx, complete the initial setup workflow, and create a local admin account with no credentials.
  • Remote Code Execution: The attacker then sets the “anti-virus” executable path to a malicious script and uploads a file to a share, triggering the configured AV to run the script as SYSTEM.
  • Impact: SYSTEM-level execution on the host, persistence via admin account creation, deployment of remote access tooling, data theft, and potential lateral movement into customer networks.
  • Observed activity: Mandiant/Google observed command-line downloaders and staging artifacts (e.g., http://84.200.80[.]252/..., requests from 85.239.63[.]37) on compromised hosts.

NodeZero® Offensive Security Platform — Rapid Response

The Gladinet Triofox Rapid Response test (CVE-2025-12480) enables customers to safely verify whether their Triofox instances are exploitable to this improper access control flaw (and therefore susceptible to full compromise) and to confirm mitigation.

  • Run the Rapid Response test: run the Gladinet Triofox CVE-2025-12480 Rapid Response test from the customer portal to validate exploitability and collect proof for incident response.
  • Patch immediately — apply Gladinet Triofox 16.7.10368.56560 (July 26 2025 release) or later. The July release makes the configuration pages no longer accessible after Triofox has been set up, preventing the creation of an unauthorized admin credential. The threat activity observed targeted 16.4.10317.56372. If running older builds, upgrade now and follow Gladinet release notes for post-update steps. 
  • Re-run the Rapid Response test — after patching or hardening, re-test to confirm the setup/admin path is no longer accessible and execution chains are blocked.

Affected Versions & Patch

  • Vulnerable build: Triofox 16.4.10317.56372 (targeted in observed campaigns)
  • Fixed build: Triofox 16.7.10368.56560 (released July 26 2025) and later
  • If patching is delayed: Implement firewall restrictions as a fallback mitigation

Recommended Actions (Summary)

  • Inventory and scope all Triofox instances (including multi-tenant MSP deployments).
  • Run the Rapid Response test to verify exploitability.
  • Patch to version 16.7.10368.56560 or later.
  • Contain and investigate if compromise is suspected — collect logs and forensic artifacts. Verify that the anti-virus engine used by Triofox instances aren’t configured to execute unauthorized/unknown scripts.
  • Re-run the Rapid Response test to confirm remediation.

Timeline

  • July 26 2025: Gladinet releases Triofox 16.7.10368.56560 with fix for CVE-2025-12480.
  • August 24 2025: Mandiant/GTIG first observes UNC6485 actively exploiting vulnerable Triofox instances.
  • November 12 2025: CVE-2025-12480 added to CISA KEV catalog.

References

🔗 Mandiant / Google GTIG incident report (UNC6485 activity)

🔗 Gladinet release notes for Triofox 16.7.10368.56560 (July 26, 2025)

🔗 BleepingComputer — “Hackers Abuse Triofox Antivirus Feature to Deploy RATs”

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By