Full Report
Cybersecurity researchers from Mandiant Threat Defense have uncovered a critical zero-day vulnerability in Gladinet’s Triofox file-sharing platform that allowed attackers to bypass authentication and execute malicious code with system-level privileges. The vulnerability, tracked as CVE-2025-12480, was actively exploited by the threat actor group UNC6485 as early as August 24, 2025. The flaw affected Triofox version 16.4.10317.56372 and has […]

The post Hackers Exploit Triofox 0-Day to Deploy Malicious Payloads Using Anti-Virus Feature appeared first on GBHackers Security.
Analysis Summary
# Vulnerability: Triofox Zero-Day Allowing Authentication Bypass and System-Level Code Execution
## CVE Details
- CVE ID: CVE-2025-12480
- CVSS Score: 9.8 (Critical) (Estimated)
- CWE: Unauthenticated Access Control / Host Header Injection (Implied by description)
## Affected Systems
- Products: Gladinet Triofox file-sharing platform
- Versions: 16.4.10317.56372
- Configurations: Any configuration allowing external HTTP requests processed by the vulnerable function.
## Vulnerability Description
This is a critical zero-day vulnerability, actively exploited by UNC6485. It involves a two-step chain:
1. **Authentication Bypass:** Attackers manipulate the HTTP `Host` header, setting it to "localhost," to bypass checks in the `CanRunCriticalPage()` function. This grants them unauthorized access to critical configuration pages.
2. **Privilege Escalation/RCE:** Once authenticated, the attacker modifies the path for the built-in anti-virus scanner feature to point to a malicious batch script. When files are uploaded, Triofox executes this script with **SYSTEM-level privileges**.
## Exploitation
- Status: Exploited in the wild (Actively exploited by UNC6485 starting Aug 24, 2025)
- Complexity: Medium (Requires specific manipulation of HTTP headers followed by configuration changes)
- Attack Vector: Network
## Impact
- Confidentiality: High (Attacker established C2 connections, enumerated systems)
- Integrity: High (Attacker created new admin accounts and deployed arbitrary code)
- Availability: Medium (RCE and deployment of tools could lead to service disruption)
## Remediation
### Patches
- Upgrade immediately to **version 16.7.10368.56560 or later**.
### Workarounds
- **Audit Administrator Accounts:** Immediately search for and remove unauthorized administrator accounts (e.g., "Cluster Admin").
- **Verify Anti-Virus Configuration:** Ensure the configured anti-virus engine path points only to legitimate security software paths, not user-writable locations or batch scripts.
## Detection
- **Indicators of Compromise (IOCs):**
  - Unusual HTTP log entries showing external requests referencing `localhost` in the `Host` header (or appearing to originate from localhost).
  - Presence of newly created administrator accounts (e.g., "Cluster Admin").
  - Deployment of remote access utilities (Zoho, AnyDesk) or SSH tunneling tools (Plink, PuTTY).
  - Attempted privilege escalation by manipulating group memberships (e.g., adding compromised accounts to Domain Admins).
- **Detection Methods:**
  - Implement heightened monitoring for unusual outbound SSH traffic from the Triofox server.
  - Use Mandiant’s published detection queries (if publicly available through advisories, check vendor/Mandiant sources).
  - Monitor file activity in temporary directories indicative of payload execution.
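The two checks below cover the exploitation chain described under Vulnerability Description and the first IOC above: a non-loopback client presenting a loopback `Host` header, and an anti-virus engine path that points at a script or a user-writable location. This is an added example, not code from Mandiant, Gladinet or the original post; the log line layout (`client_ip method path host_header status`) and the sample values are constructed for the example and do not reflect Triofox's real log format.

```python
import re
import ipaddress
from pathlib import PureWindowsPath

# Constructed sample log lines (assumed layout: client_ip method path host_header status).
SAMPLE_LOG = """\
203.0.113.7 GET /admin/settings localhost 200
127.0.0.1 GET /admin/settings localhost 200
198.51.100.23 GET /index.html triofox.example.com 200
203.0.113.7 POST /admin/settings 127.0.0.1:80 200
"""

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def flag_spoofed_localhost(log_text):
    """Return (client_ip, path, host) for requests where a non-loopback client
    sent a loopback Host header, the pattern behind the authentication bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        client, _method, path, host, _status = m.groups()
        name = host.lower()
        # Normalise "[::1]:port" and "127.0.0.1:port" down to the bare host name.
        name = name[1:].partition("]")[0] if name.startswith("[") else name.rsplit(":", 1)[0]
        try:
            client_is_loopback = ipaddress.ip_address(client).is_loopback
        except ValueError:
            client_is_loopback = False  # unparsable client field: treat as external
        if name in LOOPBACK_NAMES and not client_is_loopback:
            hits.append((client, path, host))
    return hits


SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
WRITABLE_HINTS = ("\\temp\\", "\\tmp\\", "\\users\\", "\\downloads\\")


def is_suspicious_av_path(path):
    """True if the configured anti-virus engine path is a script or sits under a
    commonly user-writable directory (heuristic; vendor installs live elsewhere)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SCRIPT_EXTS:
        return True
    normalised = "\\" + str(p).lower().strip("\\") + "\\"
    return any(hint in normalised for hint in WRITABLE_HINTS)
```

Run `flag_spoofed_localhost` over the real proxy or web server log after mapping its fields to the assumed layout, and compare the output of `is_suspicious_av_path` against the anti-virus engine path shown in the Triofox configuration.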
## References
- Vendor advisories (implied; contact Gladinet/Mandiant for full technical details)
- Mandiant threat intelligence reports relating to UNC6485 (URL defanged)
- Reported source: gbhackers.com (URL defanged)