A recent attack by hackers exploited a critical zero-day vulnerability in Gladinet's Triofox, abusing its antivirus feature to deploy remote access tools. This highlights the importance of regular software updates, monitoring system logs, and implementing robust threat intelligence capabilities to prevent such attacks.
Hackers exploited a critical zero-day vulnerability in Gladinet's Triofox, abusing its antivirus feature to deploy remote access tools.
The vulnerability, CVE-2025-12480, allows attackers to bypass authentication and obtain access to the application's setup pages by spoofing the HTTP Host header.
The attack involved sending an HTTP GET request with 'localhost' in the HTTP Referer URL, granting access to the AdminDatabase.aspx configuration page.
Attackers used the setup workflow to create a new administrator account, upload a malicious script, and configure Triofox as the antivirus scanner location.
The attackers also used Zoho UEMS to push remote access tools onto the host and created an SSH tunnel with Plink and PuTTY for lateral movement.
GTIG recommends applying the latest security update, auditing admin accounts, and checking if the antivirus engine is set up to run unauthorized scripts or binaries.
Hackers have recently exploited a critical zero-day vulnerability in Gladinet's Triofox, abusing its antivirus feature to deploy remote access tools. According to Google Threat Intelligence Group (GTIG), the malicious activity was discovered on August 24, after a threat cluster tracked internally as UNC6485 targeted a Triofox server running version 16.4.10317.56372, released on April 3.
The security issue leveraged in the attack is CVE-2025-12480, which allows attackers to bypass authentication and obtain access to the application's setup pages. This vulnerability was discovered by GTIG researchers who determined that the root cause of the issue is an access control logic gap where admin access is granted when the application's request URL host equals 'localhost.' This allows attackers to spoof this value via the HTTP Host header and bypass all authentication checks.
Mandiant's investigation revealed that UNC6485 exploited the vulnerability by sending an HTTP GET request with 'localhost' in the HTTP Referer URL. A localhost host header in a request originating from an external source is highly irregular and not expected in legitimate traffic. This granted the attackers access to the AdminDatabase.aspx configuration page, which is launched to set up Triofox after installation.
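The following added example (not Gladinet's code) models the access-control gap described above and the detection heuristic that follows from it: the flawed check trusts the client-supplied Host header, the hardened check uses the TCP peer address, and a detector flags log entries where a non-loopback client claims a loopback host. The Request type, the log format and the sample log lines are constructed for illustration.

```python
"""Model of the CVE-2025-12480 access-control gap and a detector for the
spoofed-Host pattern. Added illustration; the log format is constructed."""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    client_ip: str    # TCP peer address, set by the server, not by the client
    host_header: str  # Host header value, fully attacker-controlled
    path: str


def host_name(req: Request) -> str:
    """Strip any port from the Host header and normalise case."""
    return req.host_header.rsplit(":", 1)[0].lower()


def vulnerable_is_local_admin(req: Request) -> bool:
    """Mirrors the flawed logic: 'localhost' in the request URL host grants admin."""
    return host_name(req) == "localhost"


def hardened_is_local_admin(req: Request) -> bool:
    """Decides on the transport peer address, which the client cannot spoof."""
    return ipaddress.ip_address(req.client_ip).is_loopback


def parse_log(line: str) -> Request:
    """Constructed log format: '<client_ip> <host_header> <method> <path>'."""
    client_ip, host, _method, path = line.split()
    return Request(client_ip, host, path)


def flag_spoofed_host(lines):
    """Return requests where a non-loopback client presents a loopback Host."""
    hits = []
    for line in lines:
        req = parse_log(line)
        if host_name(req) in LOOPBACK_NAMES and not hardened_is_local_admin(req):
            hits.append(req)
    return hits


# Constructed sample log: one legitimate local setup request, two spoofed ones.
SAMPLE_LOG = [
    "127.0.0.1 localhost GET /AdminDatabase.aspx",
    "203.0.113.10 localhost GET /AdminDatabase.aspx",
    "198.51.100.7 files.example.test GET /login.aspx",
    "203.0.113.10 LOCALHOST:443 GET /AdminDatabase.aspx",
]
```

Running `flag_spoofed_host(SAMPLE_LOG)` returns the two external requests that claim a localhost Host, which is the pattern worth alerting on in front of any Triofox instance.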
Using the setup workflow, the attacker created a new administrator account named 'Cluster Admin' and used it to upload a malicious script. They then configured Triofox to use the script's path as the location of the antivirus scanner. The file configured as the antivirus scanner location inherits the privileges of the Triofox parent process, which runs under the SYSTEM account, allowing the attacker to achieve code execution.
The attackers also downloaded and used the Plink and PuTTY tools to create an SSH tunnel and forward remote traffic to the host's RDP port (3389). They also deployed Zoho UEMS, which was used to deploy Zoho Assist and AnyDesk on the compromised host, allowing for remote access and lateral movement operations.
GTIG recommends that system administrators apply the latest security update present in version 16.10.10408.56683, released on October 14. Another recommendation is to audit admin accounts and check that Triofox's antivirus engine is not set up to run unauthorized scripts or binaries.
The researchers also provide a list of indicators of compromise (IoCs) to help defenders thwart these attacks. The details are also available on VirusTotal.
This attack highlights the importance of regularly updating software and applying security patches in a timely manner. It also emphasizes the need for system administrators to monitor their systems closely and take proactive steps to prevent such attacks.
In addition, this incident serves as a reminder that even seemingly secure applications can be vulnerable to exploitation. In this case, the vulnerability was present in the antivirus feature of Triofox, which is typically expected to provide an additional layer of security.
Furthermore, this attack demonstrates the importance of robust threat intelligence and incident response capabilities. GTIG's rapid detection and analysis of the threat allowed them to share their findings with the vendor and provide guidance on how to mitigate the issue.
In conclusion, hackers have successfully exploited a critical zero-day vulnerability in Gladinet's Triofox, abusing its antivirus feature to deploy remote access tools. This highlights the importance of regular software updates, monitoring system logs, and implementing robust threat intelligence capabilities to prevent such attacks.