
Following the disclosure of CVE-2024-1086, a Linux kernel privilege escalation flaw actively exploited in ransomware campaigns, another critical vulnerability has emerged, allowing attackers to bypass authentication and conduct further malicious operations.
In 2025, Gladinet landed in the crosshairs of threat actors after critical vulnerabilities in its products were exploited in the wild. A zero-day in Gladinet CentreStack and Triofox (CVE-2025-30406) allowed remote code execution through flawed cryptographic key management. Later, CVE-2025-11371 was observed being exploited even on instances patched against that flaw: it let attackers read the machine keys from Web.config and forge ViewState payloads that passed integrity checks, triggering unsafe server-side deserialization and remote code execution through the earlier weakness.
Most recently, Google’s Mandiant researchers spotted a third critical Triofox vulnerability (CVE-2025-12480), which lets attackers bypass authentication to create an admin account and then run arbitrary code, including remote access tool installers, through the platform’s antivirus feature.
Detect CVE-2025-12480 Exploitation Attempts
Cybercriminals are increasingly exploiting vulnerabilities as a primary gateway into systems. ENISA’s Threat Landscape 2025 report shows that exploitation accounted for over one-fifth (21.3%) of initial access vectors, with 68% of these incidents followed by malware deployment. Combined with over 42,000 new vulnerabilities recorded by NIST this year, the trends illustrate a relentless pressure on cybersecurity teams. Every unpatched system is a potential entry point, making early detection essential to prevent large-scale compromise.
The recently identified CVE-2025-12480 vulnerability in Gladinet’s Triofox highlights this growing threat, underscoring the importance of proactive defenses to stay ahead of modern attacks.
Register now for the SOC Prime Platform to access an extensive collection of curated detection content and AI-native threat intelligence, helping your team outscale offensive campaigns exploiting CVE-2025-12480. Press the Explore Detections button below to dive directly into a relevant detection stack.
Also, you can use the “UNC6485” tag to search for more content addressing adversary TTPs related to the threat cluster activity behind these attacks. For a broader range of SOC content for vulnerability exploit detection, security engineers can also apply the “CVE” tag.
All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.
Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tag prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, cyber defenders can generate the Attack Flow diagram based on Google Mandiant’s latest research in seconds.

CVE-2025-12480 Analysis
On November 10, 2025, Google’s Mandiant Threat Defense published an in-depth analysis of CVE-2025-12480 (CVSS score 9.1), a zero-day vulnerability in Gladinet’s Triofox file-sharing and remote access platform. The vulnerability was actively weaponized by the hacking group tracked as UNC6485 as far back as August 24, 2025, allowing attackers to bypass authentication and execute malicious code with system-level privileges.
Mandiant researchers reported that UNC6485 exploited the CVE-2025-12480 vulnerability in Triofox to reach protected configuration pages. Using these pages, attackers created a native admin account named Cluster Admin through the setup process. This new account was then leveraged to upload and execute malicious files via the platform’s antivirus feature.
The antivirus feature lets an administrator point the configured scanner at an arbitrary executable path. Because Triofox launches that process under the SYSTEM account, whatever the attacker places at that path runs with full system privileges. In this case, adversaries used the batch script centre_report.bat, which downloaded a Zoho Unified Endpoint Management System (UEMS) installer from 84.200.80[.]252 and deployed remote access tools including Zoho Assist and AnyDesk.
The attack began with a simple manipulation of the HTTP Host header. By setting it to “localhost“, attackers abused the CanRunCriticalPage() function, which treated the Host value as proof that a request originated on the local machine without checking the actual connection source. Because the Host header is fully client-controlled, any remote request could pass this check and reach setup pages that should have been accessible only locally. Once in, the attackers used the Cluster Admin account to execute malicious scripts via the antivirus configuration path.
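To make the trust-anchor mistake concrete, here is an added illustrative example (not Triofox or Mandiant code) that models a "critical page" gate deciding locality from the client-supplied Host header, beside a version that decides from the TCP peer address. The Request class and the function names are assumptions for this example only.

```python
# Added illustrative example, not Triofox or Mandiant code. It models the flaw
# described above: a "critical page" gate that decides locality from the
# client-controlled Host header, beside a version that uses the TCP peer
# address. Class and function names are assumptions for this example only.
from dataclasses import dataclass, field
import ipaddress

LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def hostname(host_header: str) -> str:
    """Host header without the port; bracketed IPv6 literals are handled."""
    h = host_header.strip().lower()
    return h[1:].split("]")[0] if h.startswith("[") else h.split(":")[0]


@dataclass
class Request:
    remote_addr: str                      # peer address of the TCP connection
    headers: dict = field(default_factory=dict)


def can_run_critical_page_vulnerable(req: Request) -> bool:
    # Weak trust anchor: Host is set by the client, so any remote caller can
    # send "Host: localhost" and pass this check from anywhere on the network.
    return hostname(req.headers.get("Host", "")) in LOCAL_NAMES


def can_run_critical_page_hardened(req: Request) -> bool:
    # Decide from the connection's peer address, which the web server reports
    # from the socket and a remote client cannot choose. Host is ignored.
    # Caveat: behind a reverse proxy remote_addr is the proxy; only honour
    # X-Forwarded-For when the proxy is trusted and strips client-set values.
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def evaluate(remote_addr: str, host_header: str) -> tuple:
    """Return (vulnerable_result, hardened_result) for one request."""
    req = Request(remote_addr, {"Host": host_header})
    return (can_run_critical_page_vulnerable(req),
            can_run_critical_page_hardened(req))


if __name__ == "__main__":
    # Remote attacker forging the Host header: only the hardened gate refuses.
    print("remote, Host=localhost:", evaluate("203.0.113.7", "localhost"))
    # Genuine local request: both gates admit it.
    print("local, Host=localhost:", evaluate("127.0.0.1", "localhost:443"))
```

Even the hardened variant only proves where the TCP connection came from; a setup page that can create an administrator should additionally require an authenticated, authorized session rather than relying on locality alone.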
To evade detection, UNC6485 downloaded tools such as Plink and PuTTY to establish an encrypted SSH tunnel to a command-and-control (C2) server over port 433, ultimately enabling inbound RDP traffic for persistent remote access.
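As an added hunting example (not a SOC Prime rule nor Mandiant or Gladinet code), the script below checks constructed sample telemetry for two observables from the chain described above: web requests whose Host header claims a local origin while the TCP peer is remote, and outbound connections by SSH tunnelling clients running as SYSTEM or on a non-SSH port. It assumes IIS W3C logging has the optional cs-host field enabled and that network events use Sysmon Event ID 3 style field names; the log lines, paths and addresses are constructed placeholders, not real Triofox data.

```python
# Added hunting example, not a SOC Prime rule or Mandiant/Gladinet code.
# Assumptions: IIS W3C logging has the optional cs-host field enabled, and
# network events carry Sysmon Event ID 3 style field names. All sample data
# below is constructed; request paths and IPs are placeholders.
import ipaddress

LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}
TUNNEL_TOOLS = {"plink.exe", "putty.exe"}

# Constructed IIS W3C log excerpt (not a real Triofox log). cs-host is the
# client-supplied Host header; c-ip is the TCP peer address.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-host c-ip sc-status
2025-08-24 10:15:01 GET /portal/login.aspx triofox.example.com 203.0.113.7 200
2025-08-24 10:15:09 GET /admin/setup.aspx localhost 203.0.113.7 200
2025-08-24 10:15:12 POST /admin/setup.aspx localhost 203.0.113.7 302
2025-08-24 10:16:00 GET /admin/setup.aspx localhost 127.0.0.1 200
2025-08-24 10:16:30 GET /admin/setup.aspx [::1]:443 ::1 200
"""

# Constructed Sysmon-style network events (Event ID 3 fields), not real telemetry.
NET_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"Image": r"C:\Users\Public\plink.exe", "User": r"NT AUTHORITY\SYSTEM",
     "DestinationIp": "198.51.100.23", "DestinationPort": 433},
    {"Image": r"C:\Program Files\PuTTY\putty.exe", "User": r"CORP\jdoe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 22},
]


def parse_w3c(text):
    """Yield one dict per record, mapping columns from the log's own #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip malformed rows rather than guess
                yield dict(zip(fields, values))


def hostname(host_header):
    """Host header without the port; bracketed IPv6 literals are handled."""
    h = host_header.strip().lower()
    return h[1:].split("]")[0] if h.startswith("[") else h.split(":")[0]


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_host_header_spoofing(text):
    """Records whose Host header names a local origin but whose peer is remote."""
    return [row for row in parse_w3c(text)
            if hostname(row.get("cs-host", "")) in LOCAL_NAMES
            and not is_loopback(row.get("c-ip", ""))]


def find_ssh_tunnel_tools(events):
    """Tunnelling clients running as SYSTEM or talking to a non-SSH port."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in TUNNEL_TOOLS:
            continue
        reasons = []
        if ev["User"].upper().endswith("\\SYSTEM"):
            reasons.append("runs as SYSTEM")
        if ev["DestinationPort"] != 22:
            reasons.append(f"non-standard port {ev['DestinationPort']}")
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for row in find_host_header_spoofing(IIS_LOG):
        print("Host spoof:", row["c-ip"], row["cs-method"], row["cs-uri-stem"])
    for ev, why in find_ssh_tunnel_tools(NET_EVENTS):
        print("Tunnel tool:", ev["Image"], "->", ev["DestinationIp"], why)
```

The web-log check depends on cs-host being logged; without it the Host header is invisible in W3C logs and the same hypothesis has to be tested at a reverse proxy or WAF instead. The genuine loopback rows are deliberately left unflagged so that legitimate local setup activity does not drown the signal.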
The vulnerability affected Triofox v16.4.10317.56372 and has been fixed in v16.7.10368.56560. Users are strongly urged to upgrade to the patched version immediately. Mitigation steps for CVE-2025-12480 also include auditing all administrator accounts for unauthorized entries, reviewing and verifying antivirus configurations, and monitoring for unusual outbound SSH traffic to detect any ongoing compromises. Also, to stay ahead of attackers and proactively detect potential vulnerability exploitation attempts, security teams can rely on SOC Prime’s complete product suite backed by AI, automation capabilities, and real-time threat intel, while strengthening the organization’s defenses at scale.
The post CVE-2025-12480 Detection: Hackers Exploit the Now-Patched Unauthenticated Access Control Vulnerability in Gladinet’s Triofox appeared first on SOC Prime.
