Attack

Critical Triofox authentication bypass flaw actively exploited

Take action: If you run the Gladinet Triofox file-sharing platform, assume it is being targeted: the product is designed to be reachable from the internet, so hiding it behind the perimeter is not an option. Update immediately to version 16.7.10368.56560, check for suspicious administrator accounts (especially any named "Cluster Admin"), and verify that the antivirus engine path in the Triofox configuration has not been changed to point at an unauthorized script or binary.


Google's Mandiant is reporting active exploitation of a critical vulnerability in Gladinet's Triofox file-sharing and remote access platform. The flaw lets an unauthenticated attacker bypass authentication, reach the application's configuration pages, and from there upload and execute arbitrary payloads with SYSTEM-level privileges.

The vulnerability, tracked as CVE-2025-12480 (CVSS score 9.1), is a flaw in Triofox's access control implementation, specifically in the CanRunCriticalPage() function of the GladPageUILib.GladBasePage class. Mandiant's investigation found that the check grants access to sensitive configuration pages, including AdminDatabase.aspx and AdminAccount.aspx, whenever the HTTP Host header equals "localhost". Because the Host header is supplied by the client, a remote attacker simply sends a request with Host: localhost and the server treats it as a local, trusted request; no credentials are required.
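To make the failure mode concrete, here is an added example (not Gladinet's code) that models the weak check beside a hardened one in Python. The Request dataclass, the function names and the loopback-based hardening are all assumptions for illustration; the page only tells us that the real check compares the Host header to "localhost". The sample requests are constructed, with the spoofed one using one of the source addresses listed later on this page.

```python
import ipaddress
from dataclasses import dataclass


# Hypothetical request model (not Triofox's own types): the Host header as sent
# by the client, the address of the TCP peer as seen by the server, and the path.
@dataclass(frozen=True)
class Request:
    host_header: str
    remote_addr: str
    path: str


# The two configuration pages named in the advisory.
CRITICAL_PAGES = {"/AdminDatabase.aspx", "/AdminAccount.aspx"}


def host_is_localhost(host_header: str) -> bool:
    """Models the vulnerable test: is the client-supplied Host header 'localhost'?
    The port suffix is stripped so 'localhost:443' passes too, as a compare on
    the host part alone would."""
    return host_header.split(":", 1)[0].strip().lower() == "localhost"


def can_run_critical_page_weak(req: Request) -> bool:
    """Flawed gate: trusts a header that the remote client chooses."""
    return host_is_localhost(req.host_header)


def can_run_critical_page_hardened(req: Request) -> bool:
    """Gate on the transport peer instead. A remote client cannot change the
    source address of its own TCP connection the way it can rewrite Host.
    (Illustrative hardening; this is an assumption, not Gladinet's actual fix.)"""
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def is_exploit_attempt(req: Request) -> bool:
    """Detection rule: a request for a critical page that passes the weak check
    but arrives from a non-loopback peer is a Host-spoofing attempt."""
    return (
        req.path in CRITICAL_PAGES
        and can_run_critical_page_weak(req)
        and not can_run_critical_page_hardened(req)
    )


# Constructed sample requests (not captured traffic).
LEGIT_LOCAL = Request("localhost", "127.0.0.1", "/AdminDatabase.aspx")
SPOOFED = Request("localhost", "85.239.63.37", "/AdminDatabase.aspx")
NORMAL_USER = Request("files.example.com", "203.0.113.7", "/AdminDatabase.aspx")

if __name__ == "__main__":
    for name, req in (("local", LEGIT_LOCAL), ("spoofed", SPOOFED), ("user", NORMAL_USER)):
        print(f"{name:8} weak={can_run_critical_page_weak(req)} "
              f"hardened={can_run_critical_page_hardened(req)} "
              f"flagged={is_exploit_attempt(req)}")
```

The hardened variant is only as good as the peer address it sees: behind a reverse proxy or load balancer the peer is the proxy, so a loopback test there is meaningless. The robust fix is not a better network-origin test but requiring an authenticated administrator session for the critical pages regardless of where the request came from.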

Mandiant identified that a threat cluster designated UNC6485 by Google Threat Intelligence Group (GTIG) has been actively exploiting this vulnerability since at least August 24, 2025. After reaching the configuration pages through the bypass, the attackers created a new administrative account (named "Cluster Admin" in the observed intrusion) and used it to abuse Triofox's built-in antivirus integration feature. This feature lets an administrator specify an arbitrary file path as the antivirus scanning executable, and whatever file is configured there inherits the privileges of the Triofox parent process, which runs as SYSTEM. In effect, the antivirus path setting is a SYSTEM-level command execution primitive for anyone holding an admin account.

The attackers set the antivirus engine path to a malicious batch script named "centre_report.bat", which ran a PowerShell command to download a second-stage payload, disguised as a ZIP file, from 84.200.80[.]252. The downloaded file was actually an installer for Zoho Unified Endpoint Management System (UEMS). The attackers used this legitimate remote management tool to deploy further remote access utilities, including Zoho Assist and AnyDesk, on compromised systems, and staged renamed copies of PuTTY and Plink under C:\Windows\temp to build an encrypted reverse tunnel (see the indicators below).

The vulnerability affects Gladinet Triofox version 16.4.10317.56372 and all earlier versions. Gladinet fixed the flaw in release 16.7.10368.56560.

Organizations using Triofox should upgrade to 16.7.10368.56560 or later immediately and audit all administrative accounts, looking for any named "Cluster Admin" or created outside normal provisioning processes. They should also verify that the antivirus engine configuration has not been modified to point to an unauthorized script or binary: because the configured path runs as SYSTEM, a planted entry gives the attacker both code execution and persistence.

File-based indicators of compromise:

  • C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe - Zoho UEMS Agent installer (SHA-256: 43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f)
  • C:\Windows\temp\sihosts.exe - Renamed Plink utility (SHA-256: 50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7)
  • C:\Windows\temp\silcon.exe - Renamed PuTTY client (SHA-256: 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad)
  • C:\Windows\temp\file.exe - AnyDesk remote access tool (SHA-256: ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f)
  • C:\triofox\centre_report.bat - Attacker-deployed malicious batch script

The IP address 85.239.63[.]37 (ASN AS62240 - Clouvider Limited) was used during initial exploitation activities to create the administrative account and gain unauthorized access to the Triofox instance. After a period of dormancy, the threat actor resumed activities using IP address 65.109.204[.]197 (ASN AS24950 - Hetzner Online GmbH) to authenticate to the compromised Triofox instance and conduct subsequent malicious operations. 

The address 84.200.80[.]252 (ASN AS214036 - Ultahost, Inc.) hosted the Zoho UEMS Agent installer payload, while 216.107.136[.]46 (ASN AS396356 - LATITUDE-SH) served as the Plink command-and-control server for the encrypted reverse tunnel infrastructure.
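The indicators above are easy to check mechanically. The following is an added example (not from Mandiant or Gladinet) that hashes the listed files and scans log lines for the listed addresses in Python. The file hashes, paths and IPs are copied from this page; the result labels, the IIS-style sample log lines and the idea of running it from the Triofox host are assumptions for illustration. The IP matcher compares whole dotted-quad tokens so that, for instance, 85.239.63.370 does not register as a hit for 85.239.63[.]37.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory above. The batch script has no published
# hash, so only its presence is reported.
FILE_IOCS = {
    r"C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe":
        "43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f",
    r"C:\Windows\temp\sihosts.exe":
        "50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7",
    r"C:\Windows\temp\silcon.exe":
        "16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad",
    r"C:\Windows\temp\file.exe":
        "ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f",
    r"C:\triofox\centre_report.bat": None,
}
IP_IOCS_DEFANGED = ["85.239.63[.]37", "65.109.204[.]197", "84.200.80[.]252", "216.107.136[.]46"]

# Constructed IIS-style log lines (not real data): client IP is the 9th field.
SAMPLE_LOG = [
    "2025-08-24 03:12:41 10.0.0.5 GET /AdminDatabase.aspx - 443 - 85.239.63.37 Mozilla/5.0 - 200 0 0 12",
    "2025-08-24 03:13:02 10.0.0.5 POST /AdminAccount.aspx - 443 - 85.239.63.37 Mozilla/5.0 - 302 0 0 40",
    "2025-09-10 11:02:17 10.0.0.5 GET / - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 8",
    "2025-09-11 08:44:53 10.0.0.5 GET / - 443 - 65.109.204.197 Mozilla/5.0 - 200 0 0 9",
    "2025-09-11 08:50:00 10.0.0.5 GET /x - 443 - 85.239.63.370 Mozilla/5.0 - 404 0 0 1",
]


def refang(ip: str) -> str:
    """Turn the page's defanged notation back into a real address."""
    return ip.replace("[.]", ".")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file_iocs(iocs: dict) -> dict:
    """Map each path to 'absent', 'present' (no hash to compare),
    'hash-match' or 'present-hash-mismatch'. A mismatch still deserves a look:
    the attacker may have dropped a different build under the same name."""
    results = {}
    for p, expected in iocs.items():
        path = Path(p)
        if not path.is_file():
            results[p] = "absent"
        elif expected is None:
            results[p] = "present"
        elif sha256_of(path) == expected.lower():
            results[p] = "hash-match"
        else:
            results[p] = "present-hash-mismatch"
    return results


# Whole IPv4 tokens only: no digit or dot may touch either end of the match.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def scan_lines_for_ips(lines, ips) -> list:
    """Return (line_number, ip) for every listed address found in the lines."""
    wanted = {refang(ip) for ip in ips}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in _IPV4.findall(line):
            if tok in wanted:
                hits.append((n, tok))
    return hits


if __name__ == "__main__":
    for p, status in check_file_iocs(FILE_IOCS).items():
        print(f"{status:22} {p}")
    for n, ip in scan_lines_for_ips(SAMPLE_LOG, IP_IOCS_DEFANGED):
        print(f"line {n}: {ip}")
```

Run it on the Triofox host as an administrator so the paths under C:\Windows are readable, and feed scan_lines_for_ips the IIS logs and any firewall or proxy logs that record the Triofox server's outbound connections; the Plink tunnel to 216.107.136[.]46 and the payload fetch from 84.200.80[.]252 are outbound and will not appear in the web server's own access log.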
