Hackers Exploit Triofox 0-Day to Deploy Malicious Payloads Using Anti-Virus Feature CVE-2025-12480 (CVSS 9.8)


Key takeaways:

  • A zero-day vulnerability, CVE-2025-12480 (CVSS 9.8), in Gladinet’s Triofox file-sharing platform is being actively exploited.
  • Attackers bypass authentication and execute malicious code with system-level privileges.
  • PurpleOps offers services to combat cyber threats, including a cyber threat intelligence platform, supply-chain risk monitoring, and brand leak alerting.

How the Attack Worked

The CVE-2025-12480 vulnerability was exploited by the threat actor group UNC6485 as early as August 24, 2025. This flaw affects Triofox version 16.4.10317.56372 and has been addressed in release 16.7.10368.56560. The exploitation chain involves a sophisticated two-step process: bypassing authentication controls and abusing the anti-virus feature.

First, attackers manipulate HTTP host headers to bypass authentication controls. By changing the host header value to “localhost” in their web requests, they gain unauthorized access to configuration pages that should be restricted. This vulnerability exists in the CanRunCriticalPage() function within Triofox’s codebase. The function incorrectly trusts the HTTP host header without validating the source of the requests, allowing remote attackers to spoof the connection source.
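The trust problem described above, reduced to its essence as an added example (this is not Triofox's code, and the function names, the header handling and the request shape are assumptions made for illustration): a check that reads the Host header accepts any client that sets it, while a check that looks at the TCP peer address cannot be satisfied from outside the machine, regardless of what headers the request carries.

```python
import ipaddress

# Values a client might place in the Host header to claim a local origin.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1", "[::1]"}


def _host_name(header_value: str) -> str:
    """Return the host part of a Host header, dropping any port."""
    value = header_value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. "[::1]:8080"
        return value[: value.index("]") + 1] if "]" in value else value
    return value.split(":")[0]


def can_run_critical_page_vulnerable(headers: dict, remote_addr: str) -> bool:
    """Hypothetical re-creation of the flawed pattern: the decision is based on
    the Host header, which the requesting client fully controls. The real
    source address (remote_addr) is never consulted."""
    return _host_name(headers.get("Host", "")) in LOOPBACK_NAMES


def can_run_critical_page_hardened(headers: dict, remote_addr: str) -> bool:
    """Allow the page only when the TCP peer really is a loopback address.
    Host, Referer and forwarding headers are attacker-supplied and ignored."""
    try:
        # Strip an IPv6 zone index such as "::1%lo" before parsing.
        addr = ipaddress.ip_address(remote_addr.split("%")[0])
    except ValueError:
        return False
    return addr.is_loopback


if __name__ == "__main__":
    # Constructed request: external client, spoofed Host header.
    spoofed = {"Host": "localhost", "X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", can_run_critical_page_vulnerable(spoofed, "203.0.113.10"))
    print("hardened:  ", can_run_critical_page_hardened(spoofed, "203.0.113.10"))
```

The hardened variant also ignores `X-Forwarded-For`: if the application sits behind a reverse proxy, the peer address will be the proxy's, and the correct fix is to make the decision at the proxy (or to bind the setup interface to a loopback listener only), not to start trusting another client-controlled header.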

After gaining initial access, the attackers create a new administrator account named “Cluster Admin” through the compromised setup interface. They then log in and exploit a weakness in Triofox’s built-in anti-virus feature. The attackers configure the anti-virus scanner path to point to a malicious batch script instead of legitimate security software. When files are uploaded to shared folders, Triofox automatically executes the configured “anti-virus” scanner, which is actually the attacker’s payload, with SYSTEM account privileges.

This technique allows UNC6485 to deploy multiple tools, including Zoho remote access software, AnyDesk, and SSH tunneling utilities such as Plink and PuTTY. The threat actors use these tools to establish encrypted connections to their command-and-control servers, enumerate system information, and attempt privilege escalation by adding compromised accounts to the Domain Admins group.

Mandiant detected the intrusion within 16 minutes using Google Security Operations, identifying suspicious deployment of a remote access utility and unusual file activity in temporary directories. Security teams observed anomalous HTTP log entries showing external requests with localhost referrer headers, a clear indicator of the exploitation attempt. This highlights the importance of robust breach detection capabilities.
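The log indicator mentioned above (external requests that claim a localhost origin) can be hunted for mechanically. The following is an added example, not Mandiant's published query and not Triofox's log format: it assumes IIS W3C extended logs with a `#Fields:` directive, and the sample lines, client addresses and URL paths are constructed for the demonstration.

```python
import ipaddress

# Constructed sample in IIS W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host cs(Referer) sc-status
2025-08-24 09:58:11 198.51.100.7 GET /portal/login triofox.example.com - 200
2025-08-24 10:02:45 127.0.0.1 GET /admin/setup localhost http://localhost/admin/setup 200
2025-08-24 10:15:02 203.0.113.10 GET /admin/setup localhost - 200
2025-08-24 10:15:09 203.0.113.10 POST /admin/setup localhost http://localhost/admin/setup 302
2025-08-24 10:16:30 198.51.100.7 GET /portal/files triofox.example.com http://triofox.example.com/portal 200
"""

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1", "[::1]"}


def _is_loopback_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_loopback
    except ValueError:
        return False


def _names_localhost(value: str) -> bool:
    """True if a Host value or a Referer URL points at the local machine."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        v = v.split("/", 3)[2]          # authority part of the URL
    v = v.split("@")[-1]                # drop any userinfo
    if v.startswith("["):
        v = v[: v.index("]") + 1] if "]" in v else v
    else:
        v = v.split(":")[0]             # drop the port
    return v in LOOPBACK_NAMES


def parse_w3c(text: str):
    """Yield one dict per log record, using the field names from '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_spoofed_localhost(text: str) -> list:
    """Records whose client IP is not loopback but whose Host or Referer claims
    to be localhost. A genuine local request has a loopback c-ip and is skipped."""
    hits = []
    for rec in parse_w3c(text):
        if _is_loopback_ip(rec.get("c-ip", "")):
            continue
        if _names_localhost(rec.get("cs-host", "")) or _names_localhost(rec.get("cs(Referer)", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_spoofed_localhost(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
```

Run it against real IIS logs by reading the file into `find_spoofed_localhost`; the `cs-host` field must be enabled in IIS logging for the Host-header half of the check to fire, and on a deployment behind a reverse proxy the `c-ip` will be the proxy's address, so that case needs the proxy's own logs instead.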

Practical Takeaways

For technical readers, immediate steps include:

  1. Upgrade Triofox: Upgrade to version 16.7.10368.56560 or later to patch the vulnerability.
  2. Audit Administrator Accounts: Review all administrator accounts for unauthorized entries.
  3. Verify Anti-Virus Engine Configurations: Ensure the anti-virus engine path points to legitimate security software.
  4. Hunt for Attacker Tools: Use Mandiant’s published detection queries to identify attacker tools.
  5. Monitor Outbound SSH Traffic: Monitor for unusual outbound SSH traffic, which can indicate ongoing compromises.
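Step 3 of the checklist, verifying that the configured scanner path really is security software, can be turned into a repeatable check. The block below is an added example and not a Triofox or Gladinet tool: it assumes the scanner path is available to you as a string (for instance exported from the admin console), and the directory lists and sample paths are constructed for the demonstration, so adjust them to where your engine is actually installed.

```python
import ntpath

# Extensions the Windows shell will execute as a script rather than a binary;
# a scanner engine should never be one of these.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}

# Directories that unprivileged users or upload handlers can commonly write to
# (constructed list; extend it for your estate).
WRITABLE_PREFIXES = (
    "c:\\windows\\temp\\", "c:\\temp\\", "c:\\users\\", "c:\\programdata\\",
)

# Where an installed engine is expected to live (assumption for this example).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def check_scanner_path(configured_path: str) -> list:
    """Return a list of findings for the configured anti-virus engine path.
    An empty list means the path passed every static check here; it does not
    prove the binary is genuine, so still verify its signature on the host."""
    findings = []
    path = configured_path.strip().strip('"')
    if not path:
        return ["no scanner path configured"]
    low = path.lower()
    ext = ntpath.splitext(low)[1]
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script extension {ext!r} instead of a scanner executable")
    if not ntpath.isabs(path):
        findings.append("relative path; resolution depends on the working directory")
    if any(low.startswith(d) for d in WRITABLE_PREFIXES):
        findings.append("located in a user-writable directory")
    if not any(low.startswith(d) for d in TRUSTED_PREFIXES):
        findings.append("outside the expected installation directories")
    return findings


if __name__ == "__main__":
    # Constructed sample values: one plausible engine path, one that should alarm.
    for candidate in (r"C:\Program Files\ExampleAV\scanner.exe",
                      r"C:\Windows\Temp\scan.bat"):
        print(candidate, "->", check_scanner_path(candidate) or "ok")
```

Because the page notes that the configured scanner runs as SYSTEM on every upload, any finding from this check should be treated as a possible compromise and followed by the account audit and tool hunt in steps 2 and 4, not just a configuration correction.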

For non-technical readers:

  1. Ensure Software is Up-to-Date: Work with your IT department to ensure Triofox is updated to the latest version.
  2. Review User Accounts: Request a review of administrator accounts to ensure no unauthorized accounts exist.
  3. Check Security Configurations: Confirm with your IT team that the anti-virus settings are correctly configured.

How PurpleOps Can Help

PurpleOps offers a suite of services that can help organizations protect themselves against vulnerabilities like CVE-2025-12480 (CVSS 9.8) and similar cyber threats. Our services include:

  1. Cyber Threat Intelligence Platform: PurpleOps provides a comprehensive cyber threat intelligence platform that aggregates and analyzes threat data from various sources, including the dark web monitoring service and underground forum intelligence. This platform helps organizations stay informed about emerging threats and vulnerabilities, enabling proactive security measures. By leveraging a live ransomware API, PurpleOps can provide real-time updates on ransomware threats, allowing organizations to take immediate action.
  2. Supply-Chain Risk Monitoring: PurpleOps offers supply-chain risk monitoring to help organizations identify and mitigate risks associated with third-party vendors. This includes monitoring for vulnerabilities in software and hardware used by vendors, ensuring that your entire ecosystem is secure. Given that the Triofox vulnerability was exploited through a third-party application, this service is particularly relevant.
  3. Brand Leak Alerting: PurpleOps provides brand leak alerting to help organizations detect and respond to data breaches and leaks. This service monitors for sensitive information, such as credentials and proprietary data, on the dark web and other online sources. Early detection of leaked information can help prevent further damage and mitigate the impact of a breach.
  4. Telegram Threat Monitoring: Our Telegram threat monitoring identifies threat actors and tracks their activities in real time through our cyber threat intelligence platform.
  5. Red Team Operations: PurpleOps’ red team operations simulate real-world attacks to identify vulnerabilities in your organization’s defenses. This includes testing your systems, applications, and network infrastructure to uncover weaknesses that attackers could exploit. Red teaming can help you proactively identify and address vulnerabilities before they are exploited by malicious actors.
  6. : Our services provide a comprehensive assessment of your organization’s security posture. We use a variety of techniques to identify vulnerabilities and assess the effectiveness of your security controls. This includes network penetration testing, web application penetration testing, and wireless penetration testing.
  7. Dark Web Monitoring: The dark web monitoring service from PurpleOps proactively searches for compromised credentials, leaked data, and other sensitive information related to your organization. This helps to identify potential threats early and take action to prevent further damage.
  8. Underground Forum Intelligence: The underground forum intelligence service from PurpleOps monitors underground forums and marketplaces where cybercriminals discuss and share information about vulnerabilities, exploits, and attack techniques. This provides valuable insights into emerging threats and helps organizations stay ahead of the curve.

Actionable Advice

  1. Implement Real-Time Threat Intelligence: Use a cyber threat intelligence platform to stay informed about emerging threats and vulnerabilities. This will help you proactively identify and address potential risks to your organization.
  2. Monitor the Dark Web: Use a dark web monitoring service to search for compromised credentials, leaked data, and other sensitive information related to your organization.
  3. Conduct Regular Penetration Testing: Perform regular to identify vulnerabilities in your systems and applications.
  4. Secure Your Supply Chain: Implement a supply-chain risk monitoring program to assess and mitigate risks associated with third-party vendors.
  5. Establish an Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to take in the event of a security incident.

Organizations running Triofox should immediately upgrade to version 16.7.10368.56560 or later. Security teams should audit all administrator accounts for unauthorized entries, verify anti-virus engine configurations, and hunt for attacker tools using published detection queries. Monitoring for unusual outbound SSH traffic can help identify ongoing compromises. PurpleOps stands ready to assist in these endeavors.

To learn more about how PurpleOps can help you protect your organization from cyber threats, visit https://www.purple-ops.io/platform/ or contact us for more information: PurpleOps Solutions. Explore our additional services, such as Red Team Operations, , Supply Chain Information Security, Protect from Ransomware, Dark Web Monitoring, and Cyber Threat Intelligence.

FAQ

Q: What is CVE-2025-12480?

A: CVE-2025-12480 is a zero-day vulnerability in Gladinet’s Triofox file-sharing platform that allows attackers to bypass authentication and execute malicious code.

Q: Which versions of Triofox are affected?

A: Triofox version 16.4.10317.56372 is affected. The vulnerability has been addressed in release 16.7.10368.56560.

Q: How can PurpleOps help protect against this vulnerability?

A: PurpleOps offers a suite of services, including a cyber threat intelligence platform, supply-chain risk monitoring, and brand leak alerting, to help organizations stay informed and mitigate cyber threats.