Full Report
Researchers uncovered active exploitation of an unauthenticated access vulnerability (CVE-2025-12480) in Gladinet’s Triofox remote access platform by the threat cluster UNC6485. The flaw, present in versions before 16.7.10368.56560, allowed attackers to bypass authentication u...
Analysis Summary
# Incident Report: Active Exploitation of Triofox RCE (CVE-2025-12480) by UNC6485
## Executive Summary
Threat cluster UNC6485 actively exploited an unauthenticated remote access vulnerability (CVE-2025-12480) in Gladinet’s Triofox platform to gain initial access. Attackers leveraged this flaw to bypass authentication, execute code with SYSTEM privileges, establish persistence, and deploy legitimate remote access tools like AnyDesk before performing lateral movement and setting up unauthorized SSH tunnels. The vulnerability has since been patched, and immediate upgrades are recommended.
## Incident Details
- Discovery Date: Prior to November 12, 2025 (Implied by "Active Exploitation")
- Incident Date: Began prior to November 12, 2025
- Affected Organization: Organizations using Gladinet Triofox versions before 16.7.10368.56560
- Sector: Unspecified (Likely any organization utilizing Triofox for remote access)
- Geography: Unspecified
## Timeline of Events
### Initial Access
- Date/Time: Prior to Nov 12, 2025
- Vector: Unauthenticated vulnerability exploitation (CVE-2025-12480) via a crafted HTTP request whose `Host` header was spoofed to `localhost`.
- Details: Bypassed authentication to access configuration and setup pages. Attackers then used the Triofox anti-virus configuration feature to execute arbitrary scripts with **SYSTEM privileges**.
### Lateral Movement
- Date/Time: Post-Initial Access
- Vector: Exploitation of legitimate remote access tools and network tunneling.
- Details: Abused the Zoho UEMS installer to deploy Zoho Assist, and installed AnyDesk, for remote administration. Used renamed copies of PuTTY (`silcon.exe`) and Plink (`sihosts.exe`) to establish a reverse SSH tunnel over TCP port 433, enabling inbound RDP connections to the host.
### Data Exfiltration/Impact
- Date/Time: Post-Lateral Movement
- Vector: Persistence mechanisms established during the intrusion, followed by reconnaissance.
- Details: The primary confirmed impact is **Data exfiltration**. Escalation to SYSTEM level indicates a high potential for further compromise of the affected host.
### Detection & Response
- Date/Time: Before November 12, 2025 (when researchers published findings)
- Vector: External research/intelligence findings detailed the active exploitation.
- Details: Mandiant confirmed the issue and recommended immediate upgrading to resolve the vulnerability.
## Attack Methodology
- Initial Access: **Vulnerability Exploitation (CVE-2025-12480)** via manipulated **Host header** spoofing `localhost`.
- Persistence: Established via **abused Zoho UEMS** installer leading to deployment of Zoho Assist and **AnyDesk**.
- Privilege Escalation: Achieved **SYSTEM privileges** by executing arbitrary scripts through the Triofox anti-virus configuration feature.
- Defense Evasion: Used renamed PuTTY/Plink executables for tunneling activities.
- Credential Access: Not explicitly detailed in the report; implied by the reconnaissance stage.
- Discovery: Performed standard reconnaissance post-compromise.
- Lateral Movement: Achieved through established remote access tools and confirmed network tunneling (SSH reverse tunnel).
- Collection: Standard data gathering performed during reconnaissance.
- Exfiltration: **Data exfiltration** confirmed as the primary impact mechanism.
- Impact: Unauthorized data access and full remote control via SYSTEM privileges.
## Impact Assessment
- Financial: Not specified.
- Data Breach: **Data exfiltration** confirmed. Specific data type and volume unknown.
- Operational: Potential for complete operational disruption due to SYSTEM-level access and persistent remote connections.
- Reputational: Potential damage due to successful exploitation of a critical remote access platform.
## Indicators of Compromise
- Network Indicators (Defanged): Connection attempts or traffic originating from **84.200.80[.]252** downloading Zoho software. Traffic on **TCP port 433** related to reverse SSH tunneling.
- File Indicators: `silcon.exe` (renamed PuTTY), `sihosts.exe` (renamed Plink), Zoho UEMS installer files.
- Behavioral Indicators: Execution of arbitrary scripts via the Triofox AV configuration path; creation of new administrative accounts on Triofox; attempted inbound RDP connections facilitated by an outbound SSH tunnel.
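To make the indicators above actionable, the following added example (not part of the original report) runs them as detection logic over constructed sample telemetry: process-creation, network-connection and HTTP events in a simple key=value format. The `/setup` path and all hosts, users and internal addresses are placeholders; only the IP, port and file names come from the report.

```python
import ipaddress

# Indicators from the report (the IP is written defanged there as 84.200.80[.]252).
SUSPECT_IP = "84.200.80.252"
TUNNEL_PORT = 433
RENAMED_TOOLS = {"silcon.exe": "PuTTY", "sihosts.exe": "Plink"}

# Constructed sample telemetry, not from the report: one key=value event per line.
# "/setup" is a placeholder for the Triofox configuration/setup pages.
SAMPLE_EVENTS = """\
type=process image=C:\\Windows\\Temp\\silcon.exe parent=cmd.exe user=SYSTEM
type=process image=C:\\Triofox\\bin\\Triofox.exe parent=services.exe user=SYSTEM
type=process image=C:\\Users\\Public\\sihosts.exe parent=silcon.exe user=SYSTEM
type=network src=10.0.5.20 dst=84.200.80.252 dport=443 proto=tcp
type=network src=10.0.5.20 dst=203.0.113.10 dport=433 proto=tcp
type=http src=198.51.100.7 host=localhost path=/setup
type=http src=127.0.0.1 host=localhost path=/setup
type=http src=10.0.5.21 host=files.example.test path=/
"""

def parse_event(line):
    # Split "k=v k=v ..." into a dict; the sample paths contain no spaces.
    return dict(field.split("=", 1) for field in line.split())

def check_event(ev):
    """Return (tag, detail) findings for one event against the report's IoCs."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in RENAMED_TOOLS:
            findings.append(("renamed_tool", f"{RENAMED_TOOLS[name]} as {ev['image']}"))
    elif kind == "network":
        if ev["dst"] == SUSPECT_IP:
            findings.append(("ioc_ip", f"connection to {SUSPECT_IP}"))
        if int(ev["dport"]) == TUNNEL_PORT:
            findings.append(("tunnel_port", f"outbound TCP/{TUNNEL_PORT} to {ev['dst']}"))
    elif kind == "http":
        # Host: localhost is only plausible from the loopback interface; from any
        # other source it matches the CVE-2025-12480 authentication bypass.
        if ev["host"].lower() in ("localhost", "127.0.0.1") and \
                not ipaddress.ip_address(ev["src"]).is_loopback:
            findings.append(("host_spoof", f"Host={ev['host']} from {ev['src']} to {ev['path']}"))
    return findings

def scan(text):
    # Run every non-empty line through check_event and collect the hits.
    hits = []
    for line in text.splitlines():
        if line.strip():
            hits.extend(check_event(parse_event(line)))
    return hits
```

Running `scan(SAMPLE_EVENTS)` yields five hits (both renamed tools, the known IP, the port-433 connection and the externally sourced `Host: localhost` request) and leaves the legitimate Triofox process and the loopback request alone.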
## Response Actions
- Containment: Immediate patching of the vulnerability (Upgrading to version 16.7.10368.56560 or later).
- Eradication: Identifying and removing all established persistence mechanisms (AnyDesk, Zoho Assist, unauthorized SSH tunnels).
- Recovery: Restoring operations and validating system integrity; reviewing logs of every system that ran a vulnerable Triofox version before the patch was confirmed applied.
## Lessons Learned
- Unauthenticated vulnerabilities in critical remote access platforms pose a severe risk, since a single crafted request can lead directly to SYSTEM-level compromise.
- Attackers rapidly pivot from initial vulnerability exploitation to deploying widely used legitimate tools (Living off the Land techniques) for persistence and operational continuity.
## Recommendations
- Immediately upgrade all instances of Gladinet Triofox to version **16.7.10368.56560 or later**.
- Implement network segmentation to restrict access to remote access platforms like Triofox from less trusted network zones.
- Enhance EDR/Monitoring to specifically flag execution of administrative tools (AnyDesk, Zoho tools) from unusual locations, especially when executed under SYSTEM context following an unauthenticated entry attempt.