UNC6485 Exploits Critical Triofox Zero-Day (CVE-2025-12480) for Full System Compromise

Executive Summary

A critical zero-day vulnerability, CVE-2025-12480, in Gladinet's Triofox file-sharing platform is under active exploitation by a threat cluster identified by Mandiant as UNC6485. The flaw, rated 9.1 (Critical), allows unauthenticated attackers to bypass authentication and achieve remote code execution (RCE) with SYSTEM-level privileges. The attackers were observed exploiting this vulnerability as early as August 2025. The attack involves spoofing the HTTP Host header to gain administrative access and then abusing a legitimate antivirus integration to execute malicious scripts. This marks the third major vulnerability in Gladinet products exploited in 2025, highlighting a significant risk for organizations using this platform. A patch is available and must be applied urgently.

Threat Overview

The vulnerability, CVE-2025-12480, is an improper access control issue in Triofox versions prior to 16.7.10368.56560. It allows an unauthenticated, remote attacker to gain complete control of an affected system. The threat actor UNC6485 has been leveraging this flaw since at least August 24, 2025, demonstrating a sophisticated understanding of the application's architecture. The attack vector is particularly insidious as it abuses legitimate system functionalities, making detection challenging for security tools that are not specifically looking for this attack pattern.

The attack chain begins with the attacker sending a specially crafted HTTP request with the Host header set to localhost. This tricks the Triofox application into granting access to the initial setup page, which is normally only accessible during installation. From there, the attacker creates a new native administrator account, effectively gaining full control over the platform's configuration.

Technical Analysis

The attack proceeds in several distinct stages, as detailed by Google's Threat Intelligence Group:

1. Initial Access & Authentication Bypass (T1190 - Exploit Public-Facing Application): The attacker sends an HTTP request to the Triofox server from an external IP address but modifies the Host header to localhost. The application incorrectly processes this request as originating locally, granting access to the setup wizard.

2. Privilege Escalation & Persistence (T1078.001 - Valid Accounts: Default/Initial Accounts): Using the access granted in the previous step, the attacker creates a new administrator account, which they named Cluster Admin in observed incidents. This provides them with persistent, high-privilege access to the Triofox web interface.

3. Execution (T1106 - Native API): The core of the RCE technique involves abusing the integrated antivirus scanner feature. The attacker navigates to the antivirus configuration page and modifies the path of the scanner engine to point to a malicious batch script they previously uploaded. When a file is uploaded to the platform, the Triofox server executes this malicious script with NT AUTHORITY\SYSTEM privileges.

4. Defense Evasion & Command and Control: Following the successful RCE, UNC6485 deploys commercial remote access tools like Zoho UEMS and AnyDesk (T1219 - Remote Access Software). They also establish reverse SSH tunnels using Plink and PuTTY (T1572 - Protocol Tunneling) to maintain persistent access and exfiltrate data.

Impact Assessment

The successful exploitation of CVE-2025-12480 results in a full system compromise. An attacker can execute arbitrary code with the highest possible privileges, allowing them to:

• Exfiltrate all data stored on or accessible by the Triofox server.
• Deploy additional malware, such as ransomware or spyware.
• Use the compromised server as a pivot point to attack other systems within the internal network.
• Disrupt file-sharing services, impacting business operations.

Given that Triofox is a central file access and sharing solution, the business impact is severe. The breach could lead to significant data loss, regulatory fines, and reputational damage. The use of legitimate remote access tools for post-exploitation makes detection of ongoing activity difficult without proper baselining and monitoring.

Cyber Observables for Detection

Security teams should proactively hunt for the following indicators:

Detection & Response

Detection Strategies:

• Log Analysis: Implement SIEM rules to alert on HTTP requests from external source IPs where the Host header is localhost or 127.0.0.1. Correlate this with subsequent administrative activity.
• File Integrity Monitoring (FIM): Monitor the Triofox configuration files for any changes, particularly those related to the antivirus engine settings.
• Endpoint Detection and Response (EDR): Deploy EDR agents on the Triofox server to detect suspicious process chains, such as the web application spawning command shells or remote access tools.
• User Account Auditing: Regularly audit administrator accounts within the Triofox application. Implement alerts for the creation of new administrative users.

Response Actions:

1. Isolate: Immediately isolate the affected Triofox server from the network to prevent lateral movement.
2. Investigate: Preserve logs and system images for forensic analysis. Hunt for the observables listed above to determine the scope of the compromise.
3. Eradicate: Remove any rogue administrator accounts and malicious files. Revert any unauthorized configuration changes.
4. Recover: Apply the patch from Gladinet (version 16.7.10368.56560 or later). Consider rebuilding the server from a known-good state before restoring data from backups.

Mitigation

• Patch Immediately: The most critical action is to upgrade Triofox to version 16.7.10368.56560 or newer, which remediates this vulnerability.
• Audit Administrator Accounts: Regularly review all accounts with administrative privileges on the Triofox platform and remove any that are not authorized.
• Harden Configurations: If the integrated antivirus feature is not in use, ensure it is disabled. If it is used, restrict the permissions on the directory containing the AV engine executable to prevent modification.
• Network Segmentation: Restrict access to the Triofox server's management interface to a limited set of administrative jump hosts. Block all unnecessary outbound connections from the server.
• Web Application Firewall (WAF): Deploy a WAF with rules to inspect and block malicious requests, such as those with spoofed Host headers.