Full Report
Hackers exploited a critical vulnerability and the built-in antivirus feature in Gladinet's Triofox file-sharing and remote-access platform to achieve remote code execution with SYSTEM privileges. [...]
Analysis Summary
# Main Topic
Exploitation of a critical vulnerability (CVE-2025-12480) in Gladinet's Triofox file-sharing and remote-access platform, combined with the abuse of its built-in antivirus feature, to achieve Remote Code Execution (RCE) with SYSTEM privileges.
## Key Points
- The attack achieved RCE with SYSTEM privileges by leveraging an access control logic gap in Triofox.
- The exploit bypasses authentication by setting the HTTP `Host` header to 'localhost', which is the value required to reach the setup pages.
- The core mechanism involved configuring Triofox’s antivirus scanner location to point to a malicious script; since this configuration inherits parent process privileges, it runs under the context of the SYSTEM account.
- Post-exploitation, the attackers used a PowerShell downloader to fetch Zoho UEMS components, subsequently deploying Zoho Assist and AnyDesk for remote access and lateral movement.
- Attackers also utilized Plink and PuTTY to establish an SSH tunnel, forwarding remote traffic to the host's RDP port (3389).
## Threat Actors
- **Threat Cluster:** UNC6485 (tracked internally by Mandiant/GTIG).
- **Motivation:** Establishing persistence and remote access capabilities.
## TTPs
- **Vulnerability Exploitation:** Exploiting CVE-2025-12480 (Authentication Bypass via Host Header Spoofing).
- **Access Gaining:** Sending an HTTP GET request with `localhost` in the HTTP `Referer` URL after authentication bypass to reach the `AdminDatabase.aspx` configuration page.
- **Persistence/Execution:**
1. Creating a new administrator account ('Cluster Admin').
2. Uploading a malicious script.
3. Configuring the antivirus scanner location to execute the script under SYSTEM context.
4. Executing a PowerShell downloader to retrieve secondary payloads (Zoho UEMS installer).
- **Remote Access Infrastructure:** Deployment of Zoho Assist and AnyDesk.
- **Tunneling:** Using Plink and PuTTY for SSH port forwarding to RDP port (3389).
## Affected Systems
- **Product:** Gladinet Triofox file-sharing and remote-access platform.
- **Observed Target Version:** Version 16.4.10317.56372 (released April 3).
- **Vulnerability Scope:** Affects installations where the optional `TrustedHostIp` parameter is not configured in `web.config`, leaving the default 'localhost' check as the sole protection against unauthenticated access.
## Mitigations
- **Patching:** Immediately apply the latest security update.
- **Fix for CVE-2025-12480:** Available in Triofox version 16.7.10368.56560 (released July 26).
- **Latest General Update Recommended:** Version 16.10.10408.56683 (released October 14).
- **Configuration Review:** Audit administrator accounts for unauthorized additions.
- **Antivirus Configuration Audit:** Check that the Triofox antivirus scanner location points only to the legitimate scanner binary and is *not* configured to run unauthorized scripts or binaries.
- **General Security:** Ensure the `TrustedHostIp` parameter is correctly configured in `web.config` to prevent reliance on the default hostname check.
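The bypass and the setup-page access described under Key Points and TTPs leave a recognisable trace in web-server access logs: a request whose `Host` header (or `Referer`) claims `localhost` while the client address is not loopback. The following detection script is an added example, not code from the report or from Gladinet; it assumes a constructed, hypothetical log layout (date, time, client IP, method, path, Host header, Referer, status) and constructed sample lines.

```python
import ipaddress, re
from typing import Dict, List
# Constructed log layout (hypothetical): one request per line with the fields below.
# An IIS site must be configured to log cs-host and cs(Referer) for this to apply.
FIELDS = ["date", "time", "c_ip", "method", "path", "host", "referer", "status"]
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
SETUP_PAGES = {"/admindatabase.aspx"}  # setup page named in the report

def parse_line(line: str) -> Dict[str, str]:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    return dict(zip(FIELDS, parts))  # '-' marks an empty field

def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # unparsable client address: treat as remote

def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons a request matches the bypass pattern; empty list means clean."""
    reasons = []
    if is_loopback(rec["c_ip"]):
        return reasons  # a genuine local request may legitimately say 'localhost'
    host = re.sub(r":\d+$", "", rec["host"].lower()).strip("[]")  # drop port/brackets
    if host in LOOPBACK_NAMES:
        reasons.append("Host header claims loopback from a remote client")
    if "localhost" in rec["referer"].lower():
        reasons.append("Referer claims localhost from a remote client")
    if rec["path"].lower() in SETUP_PAGES:
        reasons.append("remote request for setup page " + rec["path"])
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per suspicious line; blank lines and '#' headers are skipped."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append({"c_ip": rec["c_ip"], "path": rec["path"], "reasons": reasons})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not taken from any real incident
    "2025-08-12 10:01:02 203.0.113.7 GET /AdminDatabase.aspx localhost http://localhost/AdminDatabase.aspx 200",
    "2025-08-12 10:01:03 127.0.0.1 GET /AdminDatabase.aspx localhost - 200",
    "2025-08-12 10:02:00 198.51.100.9 GET /portal/login.aspx triofox.example.com - 200",
]
```

Running `scan(SAMPLE_LOG)` flags only the first line; a hit on a host where `TrustedHostIp` is unset is worth correlating with the admin-account and antivirus-setting audits listed above.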
## Conclusion
The successful exploitation of CVE-2025-12480 provides a severe pathway for unauthenticated threat actors like UNC6485 to establish code execution at the SYSTEM level on Triofox servers, primarily via abusing the integrated antivirus function. Immediate patching to the latest version and strict auditing of application configurations, especially related to antivirus settings and host validation parameters, are critical protective measures.