Google Mandiant has disclosed active exploitation of CVE-2025-12480, a critical unauthenticated access vulnerability in Gladinet’s Triofox file-sharing platform.
The threat cluster tracked as UNC6485 has been weaponizing this flaw since August 2025 to gain unauthorized administrative access and establish persistent remote control over compromised systems.
The vulnerability stems from improper access control validation in Triofox versions 16.4.10317.56372 and earlier.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-12480 |
| Vendor | Gladinet |
| Product | Triofox |
| Vulnerability Type | Unauthenticated Access Control / Host Header Injection |
| Severity | Critical |
| CVSS Score | 9.8 (estimated) |
Attackers exploit an HTTP host header injection technique, modifying the Host header to “localhost” to bypass authentication checks and access the sensitive AdminDatabase.aspx configuration page.
This page typically displays only during initial setup. However, it becomes exposed when the authentication function CanRunCriticalPage() fails to validate the request origin properly.
Once authenticated, attackers create new administrative accounts and escalate privileges within the application.
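The bypass described above leaves a recognisable trace in web server logs: a request for the setup-only page carrying a loopback Host header while the client address is not loopback. The following detection is an added example written for this article, not code from Mandiant or Gladinet; the log lines are constructed, and the field order (date, time, client IP, method, URI, Host header, status) is an assumption about how the IIS W3C log was configured.

```python
import re
from ipaddress import ip_address

# Constructed sample in an assumed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-host sc-status
SAMPLE_LOG = """\
2025-08-14 02:11:09 198.51.100.23 GET /AdminDatabase.aspx localhost 200
2025-08-14 02:11:10 198.51.100.23 POST /AdminDatabase.aspx localhost:80 302
2025-08-14 02:12:31 10.0.0.5 GET /portal/loginpage.aspx triofox.example.internal 200
2025-08-14 02:13:02 127.0.0.1 GET /AdminDatabase.aspx localhost 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Pages that should only ever be reached from the server itself during setup.
CRITICAL_PAGES = {"/admindatabase.aspx"}


def _client_is_loopback(client: str) -> bool:
    try:
        return ip_address(client).is_loopback
    except ValueError:
        return False  # unparseable address: treat as remote, not as trusted


def is_host_header_bypass(entry: dict) -> bool:
    """True when a setup-only page is requested with a loopback Host header
    by a client that is not itself on loopback (the CVE-2025-12480 pattern)."""
    host = entry["host"].lower().rsplit(":", 1)[0]  # drop an explicit port
    return (
        entry["uri"].lower() in CRITICAL_PAGES
        and host in LOOPBACK_HOSTS
        and not _client_is_loopback(entry["client"])
    )


def find_host_header_bypass(log_text: str) -> list:
    """Parse W3C-style lines and return the entries matching the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_host_header_bypass(m.groupdict()):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_host_header_bypass(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['uri']} Host={hit['host']}")
```

The same Host-header condition, combined with a later change to the anti-virus engine path, is a higher-confidence signal than either event alone.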
The exploitation chain becomes particularly dangerous when combined with Triofox’s built-in anti-virus feature misconfiguration.
Attackers can set arbitrary executable paths for the anti-virus scanner, which then runs under the SYSTEM account, the highest privilege level in Windows environments.
In documented attacks, threat actors uploaded malicious batch scripts to published file shares, then configured them as the anti-virus engine path.
When files are uploaded to the share, the malicious script executes automatically with SYSTEM privileges, enabling complete system compromise. Post-exploitation activities reveal the severity of these breaches.
Attackers deployed Zoho Unified Endpoint Management agents, followed by AnyDesk. They also used renamed copies of the Plink utility to establish encrypted SSH reverse tunnels to command-and-control servers.
This infrastructure enabled attackers to forward RDP traffic over encrypted channels, maintaining persistent remote desktop access while evading network-based detection systems.
Mandiant contained the affected environment within 16 minutes of the alert, leveraging Google Security Operations' composite detections that identified anomalous remote access tool deployment and suspicious file staging activity.
Gladinet released a patched version 16.7.10368.56560 addressing the vulnerability.
Mandiant recommends immediate upgrades across all affected deployments, comprehensive audits of administrative accounts, verification that anti-virus engines execute only authorized binaries, and monitoring for anomalous outbound SSH tunnel traffic that may indicate compromise or lateral movement within enterprise networks.