CVE-2025-12480: Triofox Exploit Turns Trusted Access Into a Security Nightmare

Red | Vulnerability Report
CVE-2025-12480: Critical Triofox Security Vulnerability Exploited by UNC6485 Threat Actor

Summary

The CVE-2025-12480 vulnerability in Gladinet Triofox software represents a critical security flaw actively exploited by threat actor group UNC6485 since August 2025. This Triofox vulnerability enables unauthorized administrative access through authentication bypass, allowing attackers to gain full system control without credentials. The CVE-2025-12480 exploit targets Triofox version 16.4.10317.56372 and earlier, creating unauthorized admin accounts and deploying remote access tools including Zoho Assist and AnyDesk. Organizations using vulnerable Triofox versions face immediate risk of data theft and network compromise through this CVE-2025-12480 security flaw.

Vulnerability Details

Critical Access Control Weakness in Triofox CVE-2025-12480

The CVE-2025-12480 Triofox vulnerability stems from improper access control implementation that grants administrative privileges when requests appear to originate from localhost. Threat actor UNC6485 exploits this Triofox security flaw by manipulating HTTP Host or Referer headers, effectively bypassing authentication mechanisms. The vulnerability affects Gladinet Triofox systems where the TrustedHostIp parameter remains unconfigured, leaving administrative interfaces exposed to unauthenticated access.

UNC6485 Attack Chain Exploiting CVE-2025-12480

The UNC6485 threat group’s exploitation of CVE-2025-12480 follows a sophisticated attack pattern. Attackers first access Triofox’s AdminDatabase.aspx setup page through the authentication bypass vulnerability. They create a malicious administrator account named “Cluster Admin” and upload harmful scripts to the compromised Triofox system. The threat actors reconfigure the platform’s antivirus feature to execute their malicious code with system-level privileges, demonstrating the severity of the CVE-2025-12480 vulnerability.

Remote Access Tool Deployment via Triofox Exploit

Following initial compromise through CVE-2025-12480, UNC6485 deploys multiple persistence mechanisms on affected Triofox servers. The malicious script downloads a Zoho UEMS installer that subsequently installs Zoho Assist and AnyDesk remote access tools. Attackers utilize Plink and PuTTY to establish SSH tunnels, forwarding traffic to the host’s RDP port and creating encrypted connections to command-and-control servers. This multi-layered approach to exploiting the Triofox CVE-2025-12480 vulnerability enables persistent access and lateral movement across compromised networks.

Recommendations

Immediate Triofox Software Update to Patch CVE-2025-12480

Organizations must urgently upgrade all Triofox deployments to version 16.7.10368.56560 or newer to remediate the CVE-2025-12480 vulnerability. This critical Triofox security update addresses the authentication bypass flaw exploited by UNC6485 threat actors. Delayed patching of the CVE-2025-12480 vulnerability leaves servers exposed to active exploitation and potential full system compromise.

Comprehensive Administrative Account Audit for Triofox Systems

Conduct a thorough review of all administrator accounts within Triofox environments potentially affected by CVE-2025-12480. Search specifically for suspicious accounts including “Cluster Admin” or any administrative accounts created after August 2025, when UNC6485 exploitation began. Remove all unauthorized entries discovered during the CVE-2025-12480 incident response and reset passwords for legitimate administrator accounts.

Monitor Process Activity for CVE-2025-12480 Exploitation Indicators

Implement continuous monitoring for GladinetCloudMonitor.exe launching command-line tools including cmd.exe or PowerShell, which indicates potential CVE-2025-12480 exploitation. Track system processes for unusual command execution patterns consistent with the compromised antivirus configuration attack vector used in Triofox vulnerability exploitation.
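The parent/child process check described above, written out as an added example (not Hive Pro's or Gladinet's code) so the matching rule can be tested before it goes into a detection pipeline. The events are constructed, Sysmon-style key=value lines; the field names UtcTime, ParentImage, Image and CommandLine are assumptions that should be mapped onto whatever your EDR or event log actually emits, and powershell.exe/pwsh.exe are the assumed image names for "PowerShell".

```python
"""Flag process-creation events in which GladinetCloudMonitor.exe launches a shell.

Added example (not Hive Pro's or Gladinet's code). Each event is a constructed,
Sysmon-style "key=value" line; the field names UtcTime, ParentImage, Image and
CommandLine are assumptions for illustration.
"""
import ntpath
import re
from typing import Dict, List

# Parent process named in the advisory's monitoring recommendation.
TRIOFOX_PARENT = "gladinetcloudmonitor.exe"
# Child images that should not be spawned by it. The advisory says "cmd.exe or
# PowerShell"; powershell.exe and pwsh.exe are the assumed image names.
SHELLS = frozenset({"cmd.exe", "powershell.exe", "pwsh.exe"})

# key=value pairs; a quoted value may contain spaces (Windows paths usually do).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when the parent is GladinetCloudMonitor.exe and the child is a shell.

    Compare on the lowercased basename only, so the install directory and the
    filename casing (Windows is case-insensitive) do not affect the match.
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == TRIOFOX_PARENT and child in SHELLS


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the matching events, ready to be forwarded as alerts."""
    return [event for event in map(parse_event, lines) if is_suspicious(event)]


# Constructed sample telemetry: two benign events (service start, a user shell)
# and two that reproduce the parent/child pairing the advisory describes.
SAMPLE_EVENTS = [
    r'UtcTime=2025-09-01T10:00:00Z ParentImage="C:\Windows\System32\services.exe" Image="C:\Program Files\Gladinet\GladinetCloudMonitor.exe" CommandLine="GladinetCloudMonitor.exe"',
    r'UtcTime=2025-09-01T10:00:05Z ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'UtcTime=2025-09-01T10:01:00Z ParentImage="C:\Program Files\Gladinet\GladinetCloudMonitor.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c C:\triofox\centre_report.bat"',
    r'UtcTime=2025-09-01T10:01:30Z ParentImage="C:\PROGRAM FILES\GLADINET\GLADINETCLOUDMONITOR.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe"',
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["UtcTime"], alert["ParentImage"], "->", alert["CommandLine"])
```

The rule keys on the parent image rather than on the command line, so it still fires when the script name or arguments change; the third sample shows the batch file path from the advisory's IoC list only to tie the telemetry back to the described antivirus-configuration abuse.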

Restrict Administrative Access Points to Prevent CVE-2025-12480 Attacks

Update Triofox web.config files to properly define the TrustedHostIP parameter, addressing the core CVE-2025-12480 vulnerability. Restrict administrative interface access to trusted internal IP addresses only, preventing attackers from exploiting the localhost bypass flaw through spoofed headers targeting the Triofox vulnerability.

Implement Zero Trust Authentication for Triofox Security

Apply Zero Trust principles to all Triofox access control mechanisms as a defense against CVE-2025-12480 and similar vulnerabilities. Require authentication and authorization at the application layer regardless of network location or IP origin, preventing exploitation of the internal-trust assumptions that enabled the Triofox CVE-2025-12480 vulnerability.
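The three passages above (the header-based localhost trust in the vulnerability details, the TrustedHostIP restriction, and the application-layer Zero Trust recommendation) describe one access decision and how it should be made. As an added example, not Triofox code, the block below models the flawed decision next to a hardened one. The Request shape, the function names and the trusted_host_ips setting are assumptions; the setting stands in for the web.config TrustedHostIp value the advisory refers to.

```python
"""A small model of the trust decision behind CVE-2025-12480 and its hardened form.

Added example, not Triofox code: it models the class of bug the advisory
describes (administrative access granted because a request looks local) next to
a check that follows the advisory's recommendations. Request, the function
names and trusted_host_ips are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    peer_ip: str                         # address the TCP connection really came from
    headers: Dict[str, str] = field(default_factory=dict)
    session_role: Optional[str] = None   # role of the authenticated session, if any


LOOPBACK_NAMES = frozenset({"localhost", "127.0.0.1", "::1"})


def _hostname(header_value: str) -> str:
    """Host part of a Host or Referer value, without scheme, port or path."""
    if not header_value:
        return ""
    value = header_value if "//" in header_value else "//" + header_value
    return (urlsplit(value).hostname or "").lower()


def vulnerable_is_admin(req: Request) -> bool:
    """The flawed decision: the request is treated as local, and therefore
    administrative, if a client-supplied header says so. The real peer address
    and the session are never consulted, so anyone who can reach the port passes."""
    return any(_hostname(req.headers.get(name, "")) in LOOPBACK_NAMES
               for name in ("Host", "Referer"))


def hardened_is_admin(req: Request, trusted_host_ips: FrozenSet[str]) -> bool:
    """The same decision made the way the advisory recommends:
    1. authorization comes from the authenticated session's role, never from
       where the request appears to come from (Zero Trust at the app layer);
    2. the network restriction uses the transport peer address, which a client
       cannot forge the way it can forge a header;
    3. nothing is trusted implicitly: loopback counts only if it is listed, and
       an empty list fails closed.
    """
    if req.session_role != "admin":
        return False
    try:
        peer = ip_address(req.peer_ip)
    except ValueError:
        return False
    return any(peer == ip_address(trusted) for trusted in trusted_host_ips)


# Constructed configuration: only the internal management host may reach the
# administrative pages.
TRUSTED_HOST_IPS = frozenset({"10.0.0.5"})

# Constructed requests: two with a client-controlled header claiming localhost,
# as in the exploitation the advisory describes, and one real administrator.
SPOOFED_HOST = Request(peer_ip="203.0.113.10", headers={"Host": "localhost"})
SPOOFED_REFERER = Request(peer_ip="203.0.113.10",
                          headers={"Host": "triofox.example.com",
                                   "Referer": "http://127.0.0.1/AdminDatabase.aspx"})
REAL_ADMIN = Request(peer_ip="10.0.0.5", headers={"Host": "triofox.example.com"},
                     session_role="admin")


if __name__ == "__main__":
    for label, req in [("spoofed Host", SPOOFED_HOST), ("spoofed Referer", SPOOFED_REFERER),
                       ("real admin", REAL_ADMIN)]:
        print(f"{label:16} vulnerable={vulnerable_is_admin(req)} "
              f"hardened={hardened_is_admin(req, TRUSTED_HOST_IPS)}")
```

Two design points are worth keeping when this is translated into a real configuration: the session check comes first, so the IP allowlist narrows who can reach the admin pages but never substitutes for authentication; and the hardened check fails closed on an empty allowlist, which is the opposite of the behaviour the advisory attributes to an unconfigured TrustedHostIp.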

Indicators of Compromise (IoCs)

Network Indicators for CVE-2025-12480 Exploitation
  • Malicious URLs: hxxp[:]//84[.]200[.]80[.]252/SAgentInstaller_16[.]7[.]10368[.]56560[.]zip
  • Command and Control IPs: 85[.]239[.]63[.]37, 65[.]109[.]204[.]197, 84[.]200[.]80[.]252, 216[.]107[.]136[.]46

File System Artifacts from Triofox CVE-2025-12480 Attacks
  • C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe
  • C:\Windows\temp\sihosts.exe
  • C:\Windows\temp\silcon.exe
  • C:\Windows\temp\file.exe
  • C:\triofox\centre_report.bat

Malicious File Hashes Associated with CVE-2025-12480
  • SHA256: 43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f
  • SHA256: 50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7
  • SHA256: 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a9083f28ad
  • SHA256: ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f
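Before the indicators above go into a blocklist or a hunt query they need refanging and a sanity check. The block below is an added example, not Hive Pro tooling: it loads the advisory's own URL, IP, path and hash values, refangs them, validates the digests (a SHA-256 is 64 hex characters, so the 63-character entry in the list above is reported as malformed rather than silently loaded), and matches the rest against constructed proxy/firewall lines and a constructed file inventory. The pairing of hashes with file names in the inventory is illustrative; the advisory does not say which hash belongs to which file.

```python
"""Load the advisory's defanged indicators, validate them and match sample telemetry.

Added example, not Hive Pro tooling. The indicator values are those listed in
the advisory; the log lines and the file inventory are constructed, and the
hash-to-file pairing in the inventory is illustrative only.
"""
import re
from typing import Dict, List, Set, Tuple

DEFANGED_URLS = [
    "hxxp[:]//84[.]200[.]80[.]252/SAgentInstaller_16[.]7[.]10368[.]56560[.]zip",
]
DEFANGED_IPS = ["85[.]239[.]63[.]37", "65[.]109[.]204[.]197",
                "84[.]200[.]80[.]252", "216[.]107[.]136[.]46"]
FILE_PATHS = [
    r"C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe",
    r"C:\Windows\temp\sihosts.exe",
    r"C:\Windows\temp\silcon.exe",
    r"C:\Windows\temp\file.exe",
    r"C:\triofox\centre_report.bat",
]
SHA256S = [
    "43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f",
    "50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7",
    "16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a9083f28ad",
    "ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f",
]

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo the usual defanging: [.] -> ., [:] -> :, leading hxxp -> http."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def load_hashes(values: List[str]) -> Tuple[Set[str], List[str]]:
    """Split the list into usable digests and malformed entries.

    A SHA-256 digest is exactly 64 hex characters. Anything else (typically a
    character lost in copy-paste) is reported instead of loaded, because a
    truncated hash can never match and would give a false sense of coverage.
    """
    good: Set[str] = set()
    bad: List[str] = []
    for raw in values:
        value = raw.strip().lower()
        if _SHA256_RE.match(value):
            good.add(value)
        else:
            bad.append(value)
    return good, bad


def scan_logs(lines: List[str], ips: Set[str], urls: Set[str]) -> Set[Tuple[int, str]]:
    """(line number, indicator) pairs for every network indicator seen in a line.

    IPs are matched as whole dotted quads so that 85.239.63.37 does not fire on
    the unrelated 185.239.63.37.
    """
    hits: Set[Tuple[int, str]] = set()
    for number, line in enumerate(lines, start=1):
        hits.update((number, url) for url in urls if url in line)
        hits.update((number, ip) for ip in ips
                    if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line))
    return hits


def scan_files(inventory: Dict[str, str], paths: List[str], hashes: Set[str]) -> List[str]:
    """Paths from a host's file inventory (path -> sha256) that match by path or by hash."""
    known_paths = {p.lower() for p in paths}
    return sorted(path for path, digest in inventory.items()
                  if path.lower() in known_paths or digest.lower() in hashes)


# Constructed telemetry: one download of the staged installer, one connection to
# a listed C2 address, one near miss (185.x, not 85.x) and one benign line.
SAMPLE_LOGS = [
    "2025-09-01T10:01:02Z proxy allow 10.0.0.21 -> http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip 200",
    "2025-09-01T10:01:09Z fw allow 10.0.0.21:49211 -> 85.239.63.37:22 tcp",
    "2025-09-01T10:02:00Z fw allow 10.0.0.21:49300 -> 185.239.63.37:443 tcp",
    "2025-09-01T10:03:00Z proxy allow 10.0.0.22 -> https://updates.example.com/agent.zip 200",
]
# Constructed inventory (path -> sha256); hash placement is illustrative.
SAMPLE_INVENTORY = {
    r"C:\Windows\temp\sihosts.exe": SHA256S[0],
    r"C:\Users\alice\Downloads\report.exe": SHA256S[1],
    r"C:\Windows\temp\file.exe": "0" * 64,
    r"C:\Windows\System32\notepad.exe": "1" * 64,
}


def run() -> Dict[str, object]:
    """Run every check over the constructed telemetry and return the findings."""
    hashes, malformed = load_hashes(SHA256S)
    ips = {refang(ip) for ip in DEFANGED_IPS}
    urls = {refang(url) for url in DEFANGED_URLS}
    return {
        "malformed_hashes": malformed,
        "network_hits": scan_logs(SAMPLE_LOGS, ips, urls),
        "file_hits": scan_files(SAMPLE_INVENTORY, FILE_PATHS, hashes),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Matching on path as well as hash matters here because the advisory's paths (C:\Windows\temp\file.exe, the renamed installer under C:\Windows\appcompat) are stable hunting handles even when the binary at that location has been rebuilt and its hash no longer matches.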

MITRE ATT&CK TTPs

Initial Access and Execution Techniques in CVE-2025-12480 Exploitation
  • T1190 – Exploit Public-Facing Application: Direct exploitation of Triofox CVE-2025-12480 vulnerability
  • T1068 – Exploitation for Privilege Escalation: Leveraging access control weakness in Triofox
  • T1569.002 – Service Execution: Running malicious services through compromised Triofox systems

Persistence and Defense Evasion in Triofox Attacks
  • T1136.001 – Create Local Account: Creation of “Cluster Admin” account via CVE-2025-12480
  • T1098 – Account Manipulation: Modifying Triofox administrative privileges
  • T1562.001 – Disable or Modify Tools: Reconfiguring antivirus features in compromised Triofox

Command and Control Infrastructure for CVE-2025-12480 Attacks
  • T1219 – Remote Access Tools: Deployment of Zoho Assist and AnyDesk on Triofox servers
  • T1572 – Protocol Tunneling: SSH tunneling via Plink for persistent Triofox access
  • T1105 – Ingress Tool Transfer: Downloading attack tools to compromised Triofox systems
