Google’s Mandiant Threat Defense has identified active exploitation of a critical security vulnerability, CVE-2025-12480, within Gladinet’s Triofox file-sharing and remote access platform. The flaw, which carries a CVSS score of 9.1, allows unauthenticated attackers to bypass security controls, access configuration pages, and subsequently upload and execute malicious code. This marks the third significant Triofox vulnerability to be actively exploited in 2025, highlighting ongoing concerns for users of the platform.
Mandiant attributes the exploitation to a threat actor it tracks as UNC6485, which began leveraging the flaw on August 24, 2025. This activity occurred nearly a month after Gladinet released patches for the vulnerability in version 16.7.10368.56560. Previously, other Triofox vulnerabilities, CVE-2025-30406 and CVE-2025-11371, also saw widespread exploitation.
Mandiant Uncovers Triofox Vulnerability Exploitation
The critical vulnerability, identified as CVE-2025-12480, enables attackers to gain unauthorized access to Triofox’s administrative configuration pages. According to Mandiant’s analysis, threat actors exploited this unauthenticated access to initiate the Triofox setup process, effectively creating a new administrative account named “Cluster Admin.” This newly established administrative privilege was then leveraged to facilitate subsequent malicious activities on affected systems.
Once control was established through the newly created administrative account, attackers moved to achieve code execution. Security researchers from Mandiant detailed that the threat actors utilized Triofox’s built-in antivirus feature to execute arbitrary payloads. This was achieved by configuring the antivirus scanner to point to a malicious batch script, specifically “centre_report.bat,” which was uploaded to the server.
The “centre_report.bat” script was designed to download and install remote access tooling, including Zoho Unified Endpoint Management System (UEMS), Zoho Assist, and AnyDesk. The script downloaded these components from an external IP address, 84.200.80[.]252. The antivirus feature, when configured, runs with SYSTEM account privileges, allowing the script to execute with elevated permissions on the host system.
Follow-on Activity and Evasion Techniques
With Zoho Assist established, the attackers could conduct reconnaissance on the compromised systems. Following this initial information gathering, attempts were made to escalate privileges. This involved modifying existing user account passwords and adding these compromised accounts to both local administrator groups and the highly privileged “Domain Admins” group on affected networks.
To further evade detection and maintain persistent access, the threat actors employed techniques to establish encrypted communication channels. They utilized tools such as Plink and PuTTY to create an encrypted tunnel to a command-and-control (C2) server. This tunnel was established over port 433 using SSH, with the ultimate objective of enabling inbound Remote Desktop Protocol (RDP) traffic, facilitating further remote access.
While the specific ultimate objective of this campaign remains undetermined, the observed tactics indicate a focus on gaining deep access and control over compromised environments. The ability to bypass initial authentication, create administrative accounts, execute arbitrary code, and establish covert C2 channels presents a significant risk to organizations using vulnerable versions of Gladinet’s Triofox platform.
Organizations utilizing Triofox are strongly advised to update to the latest patched version immediately to mitigate exposure to CVE-2025-12480 and related threats. Additionally, a thorough audit of all administrative accounts is recommended to identify any unauthorized or suspicious entries. Verifying the configuration of the Triofox antivirus engine to ensure it is not set to execute unauthorized scripts or binaries is also a critical step in preventing further exploitation of this vulnerability.
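The audit steps above (unexpected administrative accounts, an antivirus-engine path that points at a script rather than an engine binary, and traces of the follow-on activity in logs) can be turned into a repeatable check. The script below is an added example written for this article; it is not code from Gladinet, Mandiant or the original report. It does not know how Triofox stores its configuration, so the account list, the scanner path, the allowed install directories and the log lines are constructed sample inputs, and the function signatures are assumptions. The indicators it looks for (the "Cluster Admin" account name, the centre_report.bat script, the 84.200.80[.]252 download host, and additions to the local Administrators or Domain Admins groups) are the ones the article describes.

```python
"""Audit helper for the Triofox indicators described in the article.

Added example: not Gladinet's, Mandiant's or the article's own code. The
input shapes (account dicts, scanner path string, one log line per string)
are assumptions chosen for illustration, not Triofox's real formats.
"""
import re
from datetime import datetime

# Indicators from the article. The IP is kept defanged; the regex accepts
# both the defanged and the plain dotted form so it also matches real logs.
SUSPICIOUS_ACCOUNT_NAMES = {"cluster admin"}
BAD_SCRIPT_NAME = "centre_report.bat"
BAD_HOST_RE = re.compile(r"84\.200\.80\[?\.\]?252")
# Date exploitation began, per the article; admin accounts created from this
# date onward are queued for manual review.
EXPLOITATION_START = datetime(2025, 8, 24)

# The antivirus feature runs the configured path as SYSTEM, so a script here
# is arbitrary code execution, not an engine.
SCRIPT_SUFFIXES = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf")

# Windows Security event IDs for group-membership changes:
# 4732 = member added to a security-enabled local group (e.g. Administrators),
# 4728 = member added to a security-enabled global group (e.g. Domain Admins).
GROUP_ADD_EVENT_IDS = {"4728", "4732"}
PRIVILEGED_GROUPS = {"administrators", "domain admins"}


def audit_admin_accounts(accounts):
    """Flag admin accounts that match the known indicator or were created
    on or after the exploitation start date. Each account is a dict with
    'name', 'is_admin' and an ISO 'created' date (assumed shape)."""
    findings = []
    for acct in accounts:
        if not acct.get("is_admin"):
            continue
        name = acct["name"]
        if name.strip().lower() in SUSPICIOUS_ACCOUNT_NAMES:
            findings.append(f"admin account matches known indicator: {name!r}")
        if datetime.fromisoformat(acct["created"]) >= EXPLOITATION_START:
            findings.append(
                f"admin account created on/after exploitation start, review: "
                f"{name!r} ({acct['created']})"
            )
    return findings


def audit_av_scanner_path(path, allowed_dirs):
    """Flag a scanner path that is a script or lies outside the directories
    where the legitimate engine is expected to be installed."""
    findings = []
    norm = path.lower().replace("/", "\\")
    if norm.endswith(SCRIPT_SUFFIXES):
        findings.append(f"antivirus scanner path is a script, not an engine: {path}")
    prefixes = [d.lower().replace("/", "\\").rstrip("\\") + "\\" for d in allowed_dirs]
    if not any(norm.startswith(p) for p in prefixes):
        findings.append(f"antivirus scanner path outside expected directories: {path}")
    return findings


def scan_log_lines(lines):
    """Flag log lines referencing the malicious script, the download host,
    or a member being added to a privileged group."""
    findings = []
    for n, line in enumerate(lines, 1):
        if BAD_SCRIPT_NAME in line.lower():
            findings.append(f"line {n}: reference to {BAD_SCRIPT_NAME}")
        if BAD_HOST_RE.search(line):
            findings.append(f"line {n}: contact with campaign download host")
        ev = re.search(r"EventID=(\d+)", line)
        grp = re.search(r"Group=([^;]+)", line)
        if ev and ev.group(1) in GROUP_ADD_EVENT_IDS and grp:
            group_name = grp.group(1).strip()
            if group_name.lower() in PRIVILEGED_GROUPS:
                findings.append(f"line {n}: member added to privileged group {group_name!r}")
    return findings


# Constructed sample inputs (not real data): one clean admin, the indicator
# account, a non-admin user, a scanner path pointing at a batch file under a
# hypothetical directory, and four log lines in a made-up key=value style.
SAMPLE_ACCOUNTS = [
    {"name": "svc_backup", "is_admin": True, "created": "2024-03-02"},
    {"name": "Cluster Admin", "is_admin": True, "created": "2025-08-24"},
    {"name": "jdoe", "is_admin": False, "created": "2025-09-01"},
]
SAMPLE_AV_PATH = r"C:\hypothetical\uploads\centre_report.bat"
ALLOWED_AV_DIRS = [r"C:\Program Files\ExampleAV"]  # hypothetical engine location
SAMPLE_LOG = [
    "2025-08-24T10:15:02 triofox scanner=C:\\hypothetical\\uploads\\centre_report.bat",
    "2025-08-24T10:15:40 http GET 84.200.80[.]252 /tool.exe",
    "2025-08-24T10:20:11 EventID=4728; Group=Domain Admins; Member=svc_backup",
    "2025-08-25T08:00:00 EventID=4624; Member=jdoe",
]

if __name__ == "__main__":
    for f in (audit_admin_accounts(SAMPLE_ACCOUNTS)
              + audit_av_scanner_path(SAMPLE_AV_PATH, ALLOWED_AV_DIRS)
              + scan_log_lines(SAMPLE_LOG)):
        print("FINDING:", f)
```

Run against the constructed sample it reports the "Cluster Admin" account twice (name match and creation date), the batch-file scanner path twice (script suffix and unexpected directory), and three log lines; a scanner path such as an .exe inside the allowed directory produces no finding. In a real audit, replace the sample inputs with an export of Triofox's administrator list, the configured scanner path, and Windows Security events or proxy logs.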