Hackers abuse Triofox antivirus function to deploy distant entry instruments

Hackers exploited a essential vulnerability and the built-in antivirus function in Gladinet’s Triofox file-sharing and remote-access platform to realize distant code execution with SYSTEM privileges.

The security challenge leveraged within the assault is CVE-2025-12480 and can be utilized to bypass authentication and procure entry to the appliance’s setup pages.

Safety researchers at Google Risk Intelligence Group (GTIG) found the malicious exercise on August 24, after a menace cluster tracked internally as UNC6485 focused a Triofox server working model 16.4.10317.56372, launched on April 3.

The basis trigger for CVE-2025-12480 is an entry management logic hole the place admin entry is granted when the appliance’s request URL host equals ‘localhost.’

This permits attackers to spoof this worth through the HTTP Host header and bypass all authentication checks.

Mandiant explains that, if the non-obligatory TrustedHostIp parameter will not be configured in net.config, the ‘localhost’ verify turns into the only gatekeeper, leaving default installations uncovered to unauthenticated entry.

A repair for CVE-2025-12480 grew to become out there in Triofox model 16.7.10368.56560, launched on July 26, and GTIG researchers confirmed with the seller that the flaw was addressed.

Abusing the antivirus function

Mandiant’s investigation decided that UNC6485 exploited the vulnerability by sending an HTTP GET request with the localhost within the HTTP Referer URL.

“The presence of the localhost host header in a request originating from an exterior supply is extremely irregular and usually not anticipated in respectable site visitors,” the researchers clarify.

This granted them entry to the AdminDatabase.aspx configuration web page, which is launched to arrange Triofox after set up.

Utilizing the setup workflow, the attacker created a brand new administrator account named ‘Cluster Admin,’ and used it to add a malicious script. Then they configured Triofox to make use of its path as the placement for the antivirus scanner.

GTIG explains that “the file configured because the anti-virus scanner location inherits the Triofox mum or dad course of account privileges, working underneath the context of the SYSTEM account,” permitting the attacker to realize code execution.

The researchers say that the malicious batch executed a PowerShell downloader to fetch one other payload, a Zoho UEMS installer, from an exterior tackle.

Zoho UEMS was used to deploy Zoho Help and AnyDesk on the compromised host, which have been used for distant entry and lateral motion operations. 

The attackers additionally downloaded and used the Plink and PuTTY instruments to create an SSH tunnel and ahead distant site visitors to the host’s RDP port (3389).

Though Mandiant validated that the exploited vulnerability (CVE-2025-12480) was addressed in Triofox 16.7.10368.56560, they suggest that system directors to use the most recent security replace current in model 16.10.10408.56683, launched on October 14.

One other suggestion is to audit admin accounts, and verify that Triofox’s antivirus engine will not be set as much as run unauthorized scripts or binaries.

GTIG’s report supplies an inventory of indicators of compromise (IoCs) to assist defenders thwart these assaults. The main points are additionally out there on VirusTotal.

Final month, Huntress reported that hackers have been exploiting a zero-day native file inclusion vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox merchandise to entry system recordsdata with out authentication.

The flaw, which was leveraged for at the least three profitable intrusions into firm networks, was mounted every week later, in model 16.10.10408.56683 (newest).