Google Mandiant has revealed active exploitation of CVE-2025-12480, a critical unauthenticated access vulnerability in Gladinet’s Triofox file-sharing platform. Rated an estimated CVSS score of 9.8, this flaw allows attackers to bypass authentication and gain administrative control, posing severe risks to enterprise environments.
What Happened?
The threat group UNC6485 has been exploiting this vulnerability since August 2025, targeting Triofox versions 16.4.10317.56372 and earlier. The vulnerability arises from improper access control validation, enabling attackers to manipulate HTTP Host headers and access sensitive configuration pages without authentication.
How the Exploit Works
Attackers leverage an HTTP Host Header Injection technique by setting the Host header to “localhost.” This bypasses authentication checks and grants access to the critical AdminDatabase.aspx page, which is normally restricted to initial setup.
Once inside, attackers:
- Create new administrative accounts.
- Escalate privileges within the application.
- Exploit misconfigured anti-virus features to execute arbitrary code under SYSTEM privileges.
Why This Is Dangerous
The exploitation chain becomes particularly severe when combined with Triofox’s anti-virus misconfiguration. Attackers can:
- Upload malicious batch scripts to shared folders.
- Configure these scripts as the anti-virus engine path.
- Trigger automatic execution with SYSTEM-level privileges, granting full control over the compromised system.
Observed Post-Exploitation Activities
Mandiant reports attackers deploying:
- Zoho Unified Endpoint Management agents for device control.
- AnyDesk remote access tools for persistence.
- Plink utilities renamed to establish encrypted SSH reverse tunnels, enabling stealthy RDP forwarding and evading network-based detection.
This infrastructure allowed attackers to maintain persistent access and move laterally across enterprise networks.
Vendor Response
Gladinet has released patched version 16.7.10368.56560 to address the vulnerability. Organizations must:
- Upgrade immediately to the latest version.
- Audit all administrative accounts for unauthorized changes.
- Validate anti-virus engine paths to ensure only trusted binaries execute.
- Monitor for suspicious outbound SSH tunnels and anomalous remote access activity.
Security Best Practices
- Enable strict access control policies and validate HTTP headers.
- Implement network segmentation to limit lateral movement.
- Deploy EDR solutions to detect abnormal remote access tool installations.
- Regularly review system configurations for misconfigurations that attackers can exploit.
Why It Matters
This incident underscores the growing risk of host header injection attacks and configuration weaknesses in enterprise file-sharing platforms. Combined with privilege escalation techniques, attackers can achieve complete system takeover, leading to data breaches, ransomware deployment, and operational disruption.
Bottom Line: Apply the latest patch, enforce strict configuration checks, and enhance monitoring to prevent exploitation.
