Google’s Mandiant Threat Defense announced Monday that it has discovered an n-day exploit of a now-patched security flaw in Gladinet’s Triofox file sharing and remote access platform.
Tracked as a critical vulnerability CVE-2025-12480 (CVSS Score: 9.1) Allows an attacker to bypass authentication and access the configuration page, which may allow arbitrary payloads to be uploaded and executed.
The technology giant said it observed a threat cluster tracked as UNC6485 weaponizing the flaw as far back as August 24, 2025, nearly a month after Gladinet released a patch for the flaw in version 16.7.10368.56560. It is worth noting that CVE-2025-12480 is the third flaw in Triofox to be actively exploited this year alone, after CVE-2025-30406 and CVE-2025-11371.
According to the software’s release notes, “Initialization page protection added.” “After setting up Triofox, you will no longer be able to access these pages.”
Mandiant said the attacker used an unauthenticated access vulnerability to access the configuration page and run the setup process to create a new native administrator account, Cluster Admin. The newly created account was then used to conduct subsequent activities.
“To execute the code, the attacker logged in using a newly created administrator account. The attacker uploaded a malicious file and used built-in antivirus functionality to execute the file,” said security researchers Stallone D’Souza, Pravees DSouza, Bill Glynn, Kevin O’Flynn, and Yash Gupta.
“To configure antivirus functionality, users can specify any path for the antivirus of their choice. The file configured as the antivirus scanner location inherits the permissions of Triofox’s parent process account and runs in the context of the SYSTEM account.”
According to Mandiant, the attacker executed a malicious batch script (‘centre_report.bat’) by setting the antivirus engine’s path to point to the script. This script is designed to download the Zoho Unified Endpoint Management System (UEMS) installer from 84.200.80(.)252 and use it to deploy remote access programs like Zoho Assist and AnyDesk to the host.
The remote access provided by Zoho Assist was utilized to conduct reconnaissance and subsequently change the passwords of existing accounts and attempt to add them to the local administrator and ‘Domain Admins’ groups for privilege escalation.
As a way to evade detection, the attackers downloaded tools such as Plink and PuTTY and set up an encrypted tunnel over port 433 over SSH to a command and control (C2) server, with the ultimate goal of allowing incoming RDP traffic.
Although the ultimate purpose of the campaign is still unknown, Triofox users are encouraged to update to the latest version, audit their administrator accounts, and ensure that Triofox’s antivirus engine is not configured to run unauthorized scripts or binaries.
