

Ethical Hacking News

Critical Triofox Bug Exploitation: A Detailed Analysis of the AV Configuration Vulnerability




Google's Mandiant researchers exposed a critical Triofox bug exploited through the product's antivirus (AV) configuration, an attack that continues despite the availability of a patch. Security experts recommend upgrading to the latest release and auditing admin accounts for signs of malicious activity.


  • Triofox vulnerability (CVE-2025-12480) allows attackers to bypass authentication and install remote access tools via the platform's antivirus feature.
  • Threat actors exploited the flaw since August 24, 2025, within a threat cluster tracked as UNC6485.
  • The attacker used the newly created admin account to upload and run a malicious batch via Triofox's antivirus feature.
  • The payload installed Zoho UEMS, which was abused for remote access, including deploying Zoho Assist and AnyDesk.
  • Mandiant recommends upgrading to the latest release of Triofox, auditing admin accounts, and verifying antivirus settings.



  • Critical Triofox Vulnerability Exposed via AV Configuration, Malicious Payload Deployment Continues Unchecked


    On November 11, 2025, Google's Mandiant researchers revealed that threat actors had exploited a critical flaw in Triofox, tracked as CVE-2025-12480 (CVSS score of 9.1), to bypass authentication and install remote access tools via the platform's antivirus feature. The flaw lets attackers spoof the Host header to bypass access checks, leaving only easily misconfigured settings as protection.


    The Triofox bug was first identified by Mandiant researchers, who discovered that threat actors had been exploiting this flaw since August 24, 2025, within a threat cluster tracked as UNC6485. The attack involved creating a new admin account, "Cluster Admin," through the setup process and using it for further malicious activity across compromised systems.


    Mandiant also found suspicious HTTP requests showing an external source using a "localhost" host header, which suggested an exploit. Testing revealed that Triofox pages like AdminAccount.aspx and AdminDatabase.aspx should redirect to "Access Denied," but changing the Host header to "localhost" bypassed these controls, granting access to the admin setup process.


    Analysis of the vulnerable CanRunCriticalPage() function in GladPageUILib.dll showed that it grants access whenever the Host header equals "localhost." Because the function performs no check of where the request actually originates, attackers can spoof the Host header to bypass the control, and only easily misconfigured settings remain as protection.
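The detection opportunity in the two paragraphs above is the mismatch Mandiant noticed: a Host header claiming "localhost" on a request that arrived from a non-loopback client address. The following script is an added example, not code from the article or from Triofox, that runs that check over web-server log lines. The log layout (client IP, method, path, and the Host header value) is an assumed, constructed format, and the sample lines use documentation IP ranges; the page names AdminAccount.aspx and AdminDatabase.aspx as the protected setup pages, so requests to those are rated high and any other spoofed-localhost request medium.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Protected setup pages named in the article; the server should redirect them
# to "Access Denied" unless the request genuinely originates from localhost.
CRITICAL_PAGES = ("/adminaccount.aspx", "/admindatabase.aspx")

# Constructed log layout (an assumption, not Triofox's real log format):
#   <client_ip> <method> <path> host=<Host header value>
LOG_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+host=(?P<host>\S+)$"
)


def host_name(host_header: str) -> str:
    """Return the lowercase host name from a Host header, dropping any port."""
    value = host_header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        end = value.find("]")
        return value[1:end] if end != -1 else value
    return value.split(":", 1)[0]


def claims_localhost(host_header: str) -> bool:
    """True when the Host header asserts a local origin."""
    return host_name(host_header) in ("localhost", "127.0.0.1", "::1")


def is_loopback(ip: str) -> bool:
    """True when the client address is a real loopback address (v4 or v6)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_spoofed_localhost(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose Host header says localhost but whose client IP is not loopback.

    Severity is 'high' when the request targets one of the protected setup
    pages (the bypass described in the article) and 'medium' otherwise.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not claims_localhost(rec["host"]) or is_loopback(rec["ip"]):
            continue
        path = rec["path"].split("?", 1)[0].lower()
        severity = "high" if path in CRITICAL_PAGES else "medium"
        findings.append({**rec, "severity": severity})
    return findings


# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOGS = [
    "203.0.113.7 GET /AdminAccount.aspx host=localhost",                # external, spoofed
    "127.0.0.1 GET /AdminAccount.aspx host=localhost",                   # genuine local setup
    "203.0.113.7 GET /AdminAccount.aspx host=triofox.example.com",       # normal host, app denies
    "198.51.100.4 POST /AdminDatabase.aspx?step=2 host=LOCALHOST:443",   # spoofed, with port
    "198.51.100.4 GET /portal/Home.aspx host=localhost",                 # spoofed, non-critical
    "this line is not a request",
]

if __name__ == "__main__":
    for f in find_spoofed_localhost(SAMPLE_LOGS):
        print(f"[{f['severity'].upper()}] {f['ip']} {f['method']} {f['path']} Host={f['host']}")
```

The check deliberately keys on the transport-level client address rather than anything in the request, which is also the property a correct CanRunCriticalPage() would need: a Host header is attacker-controlled, a socket peer address is not. If the server sits behind a reverse proxy, the proxy's forwarded client address should be substituted for the raw peer before this logic is applied.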


    The attacker used the newly created admin account to upload and run a malicious batch script via Triofox's antivirus feature by pointing the configured AV path to their script. Uploading any file to a published share then triggered the script. The batch file ran a PowerShell downloader that fetched a disguised payload from http://84.200.80[.]252 (saved as C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe) and launched it silently.


    The payload installed Zoho UEMS, which was abused to deploy Zoho Assist and AnyDesk for remote access. Attackers enumerated SMB sessions and user accounts using Zoho Assist, then tried password changes and privilege escalation (adding accounts to local admins and Domain Admins).


    For persistence and C2 tunneling, attackers downloaded plink-like tools (sihosts.exe, silcon.exe) into C:\Windows\Temp and established an SSH reverse tunnel over port 433 to 216.107.136[.]46, forwarding remote RDP (127.0.0.1:3389) to the attacker-controlled host.


    Mandiant concluded that while this vulnerability is patched in the Triofox version 16.7.10368.56560, upgrading to the latest release is recommended. Additionally, Mandiant recommends auditing admin accounts and verifying that Triofox's Anti-virus Engine is not configured to execute unauthorized scripts or binaries.
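Mandiant's last recommendation above, verifying that the Anti-virus Engine path cannot be pointed at an arbitrary script or binary, is straightforward to turn into a repeatable audit. The following is an added example, not Triofox's code or Mandiant's tooling, that classifies a configured scanner path; how Triofox stores that path is not described on the page, so the function simply takes the path string, and the trusted-directory and user-writable-directory lists are assumptions to adjust for the scanner actually deployed. It is written with ntpath so it runs on any platform against exported Windows paths.

```python
import ntpath
from typing import List

# Script-type extensions an AV scanner path should never point at
# (the article's attacker pointed the AV path at a batch file).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}

# Assumed allow-list of directories where a legitimately installed scanner
# binary would live; adjust to the scanner actually deployed.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)")

# Directories that ordinary users can typically write to (assumed list).
WRITABLE_DIRS = (r"c:\windows\temp", r"c:\users", r"c:\programdata")


def _under(path: str, directory: str) -> bool:
    """True when a normalized lowercase path is the directory or lies beneath it."""
    directory = directory.rstrip("\\")
    return path == directory or path.startswith(directory + "\\")


def audit_av_path(configured_path: str) -> List[str]:
    """Return findings for a configured AV engine path; an empty list means nothing suspicious.

    Only the executable path is modelled; trailing command-line arguments are not parsed.
    """
    findings: List[str] = []
    raw = configured_path.strip().strip('"')
    if not raw:
        return findings  # nothing configured, so nothing can be executed

    path = ntpath.normpath(raw).lower()

    if path.startswith("\\\\"):
        findings.append("unc-path: scanner would be loaded from a network share")

    ext = ntpath.splitext(path)[1]
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script-extension: {ext} is an interpreter script, not a scanner binary")
    elif ext != ".exe":
        findings.append(f"unexpected-extension: {ext or '(none)'}")

    if any(_under(path, d) for d in WRITABLE_DIRS):
        findings.append("writable-location: path is under a user-writable directory")

    if not any(_under(path, d) for d in TRUSTED_DIRS):
        findings.append("untrusted-location: path is outside the expected install directories")

    return findings


# Constructed sample configurations for demonstration.
SAMPLE_CONFIGS = {
    "vendor scanner": r"C:\Program Files\Scanner\scan.exe",
    "quoted vendor scanner": '"C:\\Program Files\\Scanner\\scan.exe"',
    "batch file in Temp": r"C:\Windows\Temp\av.bat",
    "binary on a share": r"\\fileserver\tools\scan.exe",
    "not configured": "",
}

if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        result = audit_av_path(cfg)
        status = "OK" if not result else "REVIEW"
        print(f"{status:6} {label}: {cfg!r}")
        for finding in result:
            print(f"         - {finding}")
```

Any non-empty result is a reason to inspect the configuration and the account that last changed it, which ties back to the admin-account audit recommended in the same paragraph.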


    Security teams should also hunt for attacker tools using Mandiant's hunting queries listed at the bottom of this post and monitor for anomalous outbound SSH traffic.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Triofox-Bug-Exploitation-A-Detailed-Analysis-of-the-AV-Configuration-Vulnerability-ehn.shtml

  • https://securityaffairs.com/184439/hacking/critical-triofox-bug-exploited-to-run-malicious-payloads-via-av-configuration.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12480

  • https://www.cvedetails.com/cve/CVE-2025-12480/

  • https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html

  • https://gbhackers.com/hackers-exploit-triofox-0-day/


  • Published: Tue Nov 11 02:30:03 2025 by llama3.2 3B Q4_K_M