Full Report
Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform. The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads. The
Analysis Summary
# Vulnerability: Authentication Bypass and Arbitrary Payload Execution in Gladinet Triofox
## CVE Details
- CVE ID: CVE-2025-12480
- CVSS Score: 9.1 (Critical)
- CWE: Not stated in the source; the flaw is an authentication bypass.
## Affected Systems
- Products: Gladinet Triofox file-sharing and remote access platform
- Versions: Prior to 16.7.10368.56560
- Configurations: Any deployment running an unpatched version is potentially vulnerable.
## Vulnerability Description
This critical vulnerability allows an unauthenticated attacker to bypass authentication and reach the initial configuration pages of the Triofox platform. With that access, the attacker can re-run the setup process to create a new native administrative account named "Cluster Admin". The attacker then abuses the built-in antivirus feature: by configuring the antivirus scanner location to point to an arbitrary payload (such as a malicious batch script), the payload is launched by the Triofox parent process and inherits its privileges, running in the **SYSTEM account context** and giving arbitrary code execution.
## Exploitation
- Status: Exploited in the wild (n-day exploitation by the threat cluster Mandiant tracks as UNC6485, observed since at least August 24, 2025)
- Complexity: Medium (Requires multi-step exploitation leveraging both unauthorized admin creation and the antivirus execution path)
- Attack Vector: Network (Unauthenticated access)
## Impact
- Confidentiality: High (Implied by subsequent installation of RATs and lateral movement)
- Integrity: High (Ability to create admin accounts, elevate privileges, and execute arbitrary code as SYSTEM)
- Availability: High (Ability to deploy remote access tools and potentially disrupt service)
## Remediation
### Patches
- Official fix available in Gladinet Triofox version **16.7.10368.56560** and later.
### Workarounds
- Audit existing administrative accounts for newly created unauthorized accounts (e.g., "Cluster Admin").
- Verify that the Triofox antivirus engine is **not** configured to execute unauthorized or unknown scripts or binaries. (The patch addresses access to the configuration pages after setup, so the antivirus scanner path should still be reviewed for tampering on any system that was exposed before patching.)
## Detection
- **Indicators of Compromise (IoCs):** Creation of a new "Cluster Admin" account. Execution of batch scripts or system binaries spawned from the Triofox process context or from its configuration paths. Network connections established by tools such as Zoho Assist, AnyDesk, Plink, or PuTTY, especially those setting up encrypted tunnels over port 433 to forward inbound RDP traffic.
- **Detection Methods and Tools:** Monitor process creation whose parent is the Triofox service. Monitor configuration changes to the built-in antivirus scanner path. Use endpoint detection and response (EDR) tooling to alert on deployment of common remote access tools.
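The two host-side checks above, as an added example written for this summary rather than code from Mandiant or Gladinet: it parses constructed key=value events (modelled loosely on Sysmon process-creation and Windows account-creation records, not real log output) and flags script interpreters or script files spawned by the Triofox service, plus creation of a "Cluster Admin" account. The Triofox service path and the `triofox` substring used to match it are assumptions; substitute the real service binary name.

```python
import re

# Constructed sample events (not real Triofox, Sysmon or Windows log output).
# Field names loosely follow Sysmon Event ID 1 (process creation) and Windows
# Security Event ID 4720 (user account created). The Triofox service path is an
# assumed placeholder; match it against the real service binary in your estate.
SAMPLE_EVENTS = [
    'id=1 parent="C:\\Program Files\\Gladinet\\Triofox\\TriofoxService.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" user="NT AUTHORITY\\SYSTEM" '
    'cmdline="cmd.exe /c C:\\ProgramData\\av\\scan.bat"',
    'id=1 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe" '
    'user="CORP\\alice" cmdline="notepad.exe"',
    'id=4720 account="Cluster Admin" created_by="CORP\\bob"',
    'id=4720 account="svc-backup" created_by="CORP\\admin"',
]

# Interpreters and script types a file-sharing service has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def is_triofox_spawned_payload(ev, service_hint="triofox"):
    """Parent is the Triofox service and the child is a script interpreter or a
    script file: the antivirus-scanner-path abuse described in the advisory."""
    if ev.get("id") != "1" or service_hint not in ev.get("parent", "").lower():
        return False
    child = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = ev.get("cmdline", "").lower()
    return child in SUSPICIOUS_CHILDREN or any(ext in cmdline for ext in SCRIPT_EXTENSIONS)

def is_cluster_admin_creation(ev):
    """Account-creation event for the 'Cluster Admin' name seen in this intrusion."""
    return ev.get("id") == "4720" and ev.get("account", "").strip().lower() == "cluster admin"

def triage(lines):
    """Return (rule_name, raw_line) pairs for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_triofox_spawned_payload(ev):
            findings.append(("triofox_child_process", line))
        elif is_cluster_admin_creation(ev):
            findings.append(("cluster_admin_created", line))
    return findings
```

Feeding the sample events to `triage` yields one hit per rule; in practice, point it at exported Sysmon or Security-log records converted to the same key=value shape.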
## References
- Mandiant Advisory: cloud[.]google[.]com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/
- Gladinet Release History/Notes associated with version 16.7.10368.56560.