Google Threat Intelligence warns that attackers are actively exploiting CVE-2025-12480, a critical vulnerability in Gladinet Triofox that allows unauthenticated remote code execution (RCE) with SYSTEM privileges. Rated CVSS 9.1, the flaw stems from a logic error in access control: the application over‑trusts requests believed to originate from localhost, letting adversaries bypass authentication and reach administrative functionality.
How the localhost trust flaw enables unauthenticated RCE
Triofox designates certain requests as administrative if they appear to come from the local host. According to Google’s analysis, attackers can spoof HTTP headers (for example, Host or Referer) to impersonate a local source, thereby bypassing password checks. This is a classic business-logic weakness aligned with MITRE guidance on improper access control and reliance on untrusted inputs in security decisions.
The risk is magnified by default configurations. If the optional TrustedHostIp parameter is not set in web.config, the “localhost equals trusted” assumption becomes the primary gatekeeper. Installations running with defaults, or without strict header validation at a reverse proxy/WAF, are particularly exposed.
Active exploitation: UNC6485 targeting outdated Triofox builds
Gladinet shipped a fix for CVE-2025-12480 in version 16.7.10368.56560 (available since July 26). However, Google observed exploitation against unpatched instances. In August, a threat group tracked as UNC6485 targeted Triofox 16.4.10317.56372, leveraged the authentication bypass to obtain admin access, escalated privileges, and achieved full system compromise.
Post-exploitation tradecraft and tooling
After administrator takeover, the actors reportedly altered Triofox’s embedded antivirus configuration to launch their own script. Because the process inherits the Triofox service context, it executed as SYSTEM. The operators then used automation to extend control: PowerShell fetched the Zoho UEMS installer, followed by deployment of Zoho Assist and AnyDesk for remote access and lateral movement. For traffic tunneling and subsequent RDP activity, they used tools from the PuTTY/Plink family—an operational pattern consistent with common post-exploitation workflows seen across enterprise intrusions.
Patched versions and upgrade guidance
The vendor’s patch is included in 16.7.10368.56560, and the current stable build cited by researchers is 16.10.10408.56683 (released October 14). Google confirms the flaw is remediated. Most successful intrusions involve outdated versions with default or weak trust configurations.
Mitigation checklist: configuration, detection, and hardening
- Patch immediately: upgrade at least to 16.7.10368.56560, preferably to 16.10.10408.56683. Ensure all cluster nodes and auxiliary roles are updated.
- Constrain administrative access: set an allowlist via TrustedHostIp; avoid blind trust of “localhost”; restrict admin interfaces to internal segments/VPN.
- Enforce header integrity at the edge: on the WAF/reverse proxy, normalize and pin acceptable Host/Referer values; sanitize or remove untrusted X‑Forwarded‑* headers; block external access to admin endpoints.
- Strengthen authentication: enable MFA for administrators; eliminate default credentials; perform regular reviews of roles and privileges.
- Secure the embedded AV integration: confirm the scanner path points to a legitimate executable; block execution of scripts from nonstandard directories; apply application whitelisting and attack surface reduction rules.
- Monitor for abuse: alert on creation of new admin accounts, changes to AV configuration, PowerShell or script execution under the Triofox service, tunneling tools (e.g., plink.exe), and anomalous RDP activity. Use EDR to flag unusual parent-child process chains and service-context launches.
- Network segmentation and least privilege: limit exposure of RDP and remote admin tools; use a jump host; apply egress controls and ACLs.
- Incident readiness: validate your IR plan; maintain tested backups; document configuration baselines and change histories for rapid containment and recovery.
Why this flaw matters for defenders
The incident underscores a common anti-pattern: equating apparent locality with trust and making security decisions based on spoofable headers. As industry guidance from OWASP and MITRE emphasizes, authentication and authorization decisions must not rely on client-controlled metadata. Effective controls—secure defaults, zero-trust principles, strict header handling, and robust patch management—substantially reduce the blast radius of such logic bugs.
Organizations running Gladinet Triofox should accelerate patching to the latest supported version, verify admin accounts and embedded AV settings, and harden edge proxies against header spoofing. Closing these gaps quickly narrows the attackers’ window of opportunity and reduces the likelihood of SYSTEM-level compromise and downtime.
