Mandiant: Triofox Zero-Day Exploited to Gain SYSTEM Access via Antivirus Feature
Mandiant researchers have uncovered active exploitation of a zero-day vulnerability in the Gladinet Triofox remote access and file-sharing platform. CVE-2025-12480 allowed attackers to bypass authorization and reach configuration pages of the web interface, through which they created administrative accounts and uploaded arbitrary malicious files. The flaw was patched in version 16.7.10368.56560, but not before at least one threat cluster had weaponized it.
The malicious activity was first observed on 24 August 2025 and has been attributed to the UNC6485 cluster. The intruders did not merely obtain administrative control: they chained that access to a vulnerable antivirus-check feature to execute arbitrary code as SYSTEM.
Detection began with an automated alert that flagged third-party utilities being written to system directories. Within 16 minutes Mandiant confirmed the compromise, isolated the host, and determined that Triofox authenticated requests improperly by relying on the Host header. If a request specified “localhost,” the server would automatically grant access to AdminDatabase.aspx — a local-only setup page intended for on-host maintenance.
Using that page, the attackers re-invoked the installation wizard and created a full system administrator account named “Cluster Admin.” That level of control allowed them to proceed to the next stage: uploading malicious scripts via the application’s antivirus-scan mechanism.
Architecturally, Triofox permits administrators to define an arbitrary path for the executable designated as the “antivirus engine.” The uploaded script is then invoked with the privileges of the parent process, effectively granting full system access. The adversaries exploited this to run a file named centre_report.bat, which used PowerShell to fetch the next stage: an installer disguised as a ZIP archive that deployed the Zoho UEMS installer. Once the legitimate UEMS agent was in place, they installed Zoho Assist and AnyDesk to persist on the compromised host.
From their foothold the operators executed reconnaissance and lateral-movement actions: enumerating SMB sessions, enumerating user accounts, attempting password changes, and adding accounts to local and domain administrator groups. For stealthy command-and-control, they uploaded legitimate PuTTY and Plink binaries (renamed silcon.exe and sihosts.exe) to the server and used them to establish an encrypted SSH tunnel to an external C2. That channel was used to forward RDP traffic over port 3389, enabling full remote control of the infected machine.
Root-cause analysis showed the core access check resides in the CanRunCriticalPage() routine inside GladPageUILib.dll. If the Host header contains “localhost,” the library ignores the configured trusted-IP checks and grants access to critical pages automatically. In short, the absence of any validation of the request’s true source, combined with reliance on the deployment being correctly configured, produced an unauthenticated attack vector.
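As an added example (not Mandiant’s or Gladinet’s code), the following Python models the Host-header check described above beside a hardened form that decides on the socket peer address only, and runs a detector over constructed IIS W3C log lines. The CRITICAL_PAGES set, the function names and the sample log are assumptions; the detector also assumes the optional cs-host field is enabled in IIS logging.

```python
import ipaddress

# Local-only setup pages; only AdminDatabase.aspx is named in the article (assumed set).
CRITICAL_PAGES = {"/admindatabase.aspx"}

def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # "-" or garbage in the log field
        return False

def can_run_critical_page_flawed(host: str, client_ip: str, trusted) -> bool:
    # Modelled flaw: "Host: localhost" short-circuits the trusted-IP check, but the
    # header is attacker-controlled, so any remote client can satisfy it.
    return host.split(":")[0].lower() == "localhost" or client_ip in set(trusted)

def can_run_critical_page_fixed(host: str, client_ip: str, trusted) -> bool:
    # Hardened form: decide on the socket peer address only; Host carries no authority.
    return is_loopback(client_ip) or client_ip in set(trusted)

def parse_w3c(lines) -> list[dict[str, str]]:
    """Minimal IIS W3C extended-log parser: a '#Fields:' line names the columns."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_host_spoofing(lines) -> list[dict[str, str]]:
    """Critical-page requests whose Host header says 'localhost' while the client
    address (c-ip) is not loopback. Needs the optional cs-host field in IIS logging."""
    hits = []
    for row in parse_w3c(lines):
        host = row.get("cs-host", "-").split(":")[0].lower()
        if (row.get("cs-uri-stem", "").lower() in CRITICAL_PAGES
                and host == "localhost" and not is_loopback(row.get("c-ip", ""))):
            hits.append(row)
    return hits

# Constructed sample log (not from the incident): one genuine local hit, one spoofed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:02 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:05:44 198.51.100.23 GET /AdminDatabase.aspx localhost 200
""".splitlines()
```

Running find_host_spoofing over real logs surfaces exactly the pattern the flawed check accepts: a remote client address paired with a Host header claiming to be local.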
Mandiant recommends updating Triofox to the patched release, auditing all administrative accounts, and verifying that the configured antivirus engine path does not point at arbitrary third-party executables. Organizations should also review network logs for anomalous SSH activity and investigate any unusual RDP forwarding.