Active Exploitation of Triofox Improper Access Control Vulnerability (CVE-2025-12480)
A critical improper access control vulnerability in Triofox (CVE-2025-12480, CVSS 9.1) allows attackers to access initial setup pages even after the software has been configured. This flaw, present in versions prior to 16.7.10368.56560, enables unauthenticated users to bypass authentication and access sensitive configuration interfaces. The vulnerability was disclosed and patched by Gladinet, with the update specifically restricting access to these setup pages post-installation.
Despite the availability of a patch, threat actors tracked as UNC6485 have been observed actively exploiting this vulnerability since at least August 2025. Attackers leverage the flaw to create new administrative accounts by rerunning the setup process, then use these accounts to upload and execute arbitrary payloads. Notably, the exploitation chain abuses the built-in antivirus feature, allowing attackers to specify a malicious script as the antivirus engine path, which then executes with SYSTEM privileges. This incident marks the third actively exploited Triofox vulnerability in 2025, highlighting ongoing targeting of the platform by sophisticated threat actors.
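The abuse described above turns a configuration field (the antivirus engine path) into a code-execution primitive. A defender reviewing a Triofox install can audit that field before trusting it. The following is an added example written for this page, not code from Gladinet, Mandiant or the Triofox product: it takes the configured engine command line as a string and reports conditions a legitimate scanner should never meet, such as pointing at a script file, a script interpreter, a relative path, or a user-writable directory. The prefix lists, the interpreter names and the sample values are assumptions constructed for the example; tune them to the host being audited.

```python
from pathlib import PureWindowsPath

# Extensions that mean "script", not a scanner binary.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}
# Living-off-the-land interpreters that should never be an AV engine.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Assumed user-writable locations on a typical Windows host (constructed list).
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Assumed trusted install roots for a real scanner (constructed list).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def split_command(command: str):
    """Return (executable, argument_tokens) from a configured command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
        rest = command[end + 1:] if end > 0 else ""
    else:
        exe, _, rest = command.partition(" ")
    return exe, rest.split()


def audit_av_engine_path(command: str,
                         trusted_prefixes=TRUSTED_PREFIXES) -> list[str]:
    """Return a list of findings for a configured antivirus engine command.

    An empty list means nothing suspicious was observed; each string describes
    one property that a genuine scanner executable would not have.
    """
    findings = []
    exe, args = split_command(command)
    path = PureWindowsPath(exe)
    lowered = str(path).lower()

    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        findings.append(f"script file configured as AV engine: {path.name}")
    if path.name.lower() in INTERPRETERS:
        findings.append(f"script interpreter configured as AV engine: {path.name}")
    if not path.is_absolute():
        findings.append("engine path is relative, resolved via PATH at run time")
    if lowered.startswith(WRITABLE_PREFIXES):
        findings.append("engine path is inside a user-writable directory")
    if path.is_absolute() and not lowered.startswith(trusted_prefixes):
        findings.append("engine path is outside the trusted install roots")
    for token in args:
        if PureWindowsPath(token).suffix.lower() in SCRIPT_EXTENSIONS:
            findings.append(f"script passed as an engine argument: {token}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the paths are hypothetical, not real IoCs.
    samples = [
        r'"C:\Program Files (x86)\ExampleAV\scanner.exe"',
        r"C:\Windows\Temp\centre_report.bat",
        r"powershell.exe -File C:\Users\Public\update.ps1",
    ]
    for sample in samples:
        print(sample, "->", audit_av_engine_path(sample) or ["ok"])
```

Run the audit against the value actually stored in the Triofox configuration on each server; any non-empty result for a host that has been exposed to the internet since August 2025 is a reason to treat the machine as potentially compromised rather than merely misconfigured.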
Timeline
Nov 12, 2025
CISA adds CVE-2025-12480 to the Known Exploited Vulnerabilities catalog
CISA added CVE-2025-12480 to its KEV catalog, formally recognizing that the Triofox flaw was being exploited in the wild. The listing elevated urgency for defenders to patch and investigate potential compromise.
Nov 11, 2025
Mandiant publicly reports active exploitation and attributes activity to UNC6485
In reporting published on November 11, 2025, Mandiant disclosed technical details of CVE-2025-12480 exploitation, including the Host header bypass, admin account creation, and abuse of the antivirus feature for code execution. The company attributed the activity to UNC6485 and recommended upgrading, auditing admin accounts, and monitoring for suspicious outbound SSH traffic.
Oct 14, 2025
Gladinet releases Triofox and CentreStack v16.10.10408.56683
Help Net Security reports Gladinet released CentreStack and Triofox version 16.10.10408.56683, which also fixed CVE-2025-12480 and CVE-2025-11371. This later release provided an updated patched version for affected customers.
Aug 24, 2025
Intrusions deploy remote access and tunneling tools on compromised Triofox hosts
Post-compromise activity included deployment of Zoho UEMS, Zoho Assist, and AnyDesk, along with internal enumeration, attempted privilege escalation, and plink-like tunneling utilities. These actions established persistence and enabled further movement within victim environments.
Aug 24, 2025
Attackers abuse Triofox antivirus feature to gain SYSTEM-level execution
After obtaining admin access, attackers configured Triofox's built-in antivirus engine path to run attacker-supplied scripts or payloads with SYSTEM privileges when files were uploaded. This turned the initial authentication bypass into remote code execution on affected servers.
Aug 24, 2025
UNC6485 begins exploiting Triofox CVE-2025-12480 in the wild
Mandiant observed threat cluster UNC6485 actively exploiting CVE-2025-12480 as early as August 24, 2025. Attackers bypassed Host header validation to access setup pages, create unauthorized admin accounts, and compromise exposed Triofox systems.
Jul 26, 2025
Gladinet releases Triofox version 16.7.10368.56560 with a fix for CVE-2025-12480
Gladinet released Triofox version 16.7.10368.56560, which multiple sources identify as containing a fix for CVE-2025-12480. The flaw allowed improper access control via Host header manipulation that could lead to admin takeover and code execution.
Related Stories

Active Exploitation of Unpatched LFI Vulnerability in Gladinet CentreStack and TrioFox (CVE-2025-11371)
Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application’s Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks. Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk. In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations. 
The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.
1 month ago
Active Exploitation of Gladinet CentreStack and Triofox Cryptographic Flaw Enables Remote Code Execution
Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the `GladCtrl64.dll` component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including `web.config`. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk. The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the `/storage/filesvr.dn` endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.
1 month ago
Clop Ransomware Data Extortion Attacks on Gladinet CentreStack and Triofox Servers
The Clop ransomware group has initiated a widespread data extortion campaign targeting Internet-exposed Gladinet CentreStack and Triofox file servers. Attackers are exploiting multiple vulnerabilities, including CVE-2025-11371 (an unauthenticated local file inclusion flaw), CVE-2025-14611 (hardcoded cryptographic keys), and CVE-2025-12480 (a critical remote code execution vulnerability in Triofox). These vulnerabilities allow unauthorized access, file retrieval, and even remote code execution, enabling Clop to steal sensitive corporate data and leave ransom notes on compromised systems. Security researchers and incident responders have observed active exploitation across at least 200 unique IP addresses, with evidence that both zero-day and unpatched n-day vulnerabilities are being leveraged. Gladinet CentreStack and Triofox are widely used by businesses for secure file storage and sharing, making the impact of these attacks potentially significant. The Clop group’s campaign follows their established pattern of targeting file transfer and sharing solutions, having previously compromised platforms such as MOVEit, GoAnywhere, and Oracle EBS. Security updates have been released by Gladinet to address some of the exploited flaws, but the ongoing attacks highlight the importance of timely patching and monitoring of Internet-facing file sharing infrastructure. Technical analysis by VulnCheck and Mandiant has provided detailed insights into the exploitation methods, emphasizing the complexity and sophistication of the attack chain.
1 month ago