
Red | Attack Report

CVE-2025-12480 Triofox Critical Authentication Bypass Vulnerability Report

Summary

CVE-2025-12480 is a critical authentication bypass vulnerability affecting Gladinet Triofox versions 16.4.10317.56372 and earlier. It lets unauthenticated attackers obtain complete administrative control through localhost origin spoofing: by manipulating HTTP headers, an attacker causes the Triofox file-sharing server to treat an external request as if it originated locally, bypassing authentication entirely. The vulnerability has been actively exploited by threat actor UNC6485 since August 2025, which uses this authentication bypass to establish persistent backdoor access, deploy remote administration tools, and conduct extensive data theft across compromised Triofox installations globally.

Vulnerability Details

Technical Overview of CVE-2025-12480

The Gladinet Triofox authentication bypass vulnerability CVE-2025-12480 undermines the security architecture of affected Triofox file-sharing servers through improper validation of the origin of HTTP requests. An attacker can spoof a localhost origin and thereby gain administrative access to Triofox without supplying any credentials. The vulnerability affects all Triofox versions up to and including 16.4.10317.56372 on Windows-based deployments.

Attack Vector and Exploitation Methods

Threat actor UNC6485 has weaponized CVE-2025-12480 through sophisticated attack chains targeting vulnerable Triofox servers worldwide. The authentication bypass exploit enables creation of persistent “Cluster Admin” backdoor accounts, providing unrestricted access to compromised Triofox environments. UNC6485 deploys multiple remote access tools including Zoho Assist and AnyDesk through the vulnerability, establishing redundant command and control infrastructure. The attackers abuse legitimate Triofox components, particularly GladinetCloudMonitor.exe, for system-level code execution and antivirus evasion.

Infrastructure and Persistence Mechanisms

Following successful Triofox authentication bypass exploitation, UNC6485 implements advanced persistence techniques including SSH tunneling via Plink and PuTTY tools, creating encrypted communication channels to command and control servers at IP addresses 85.239.63.37 and 65.109.204.197. The threat actors manipulate antivirus configurations through compromised Triofox administrative privileges, ensuring long-term access while evading detection mechanisms.

Recommendations

Immediate Patching Requirements

Organizations must urgently upgrade all Gladinet Triofox installations to version 16.7.10368.56560 or later to remediate CVE-2025-12480. This critical authentication bypass vulnerability is under active exploitation, making immediate patching essential for preventing unauthorized administrative access to Triofox file-sharing infrastructure. Security teams should prioritize Triofox updates as zero-day mitigation, given confirmed threat actor UNC6485 activity targeting vulnerable systems.

Comprehensive Security Audit Procedures

Conduct thorough reviews of all administrative accounts within Triofox environments, specifically searching for unauthorized “Cluster Admin” accounts created through CVE-2025-12480 exploitation. Monitor GladinetCloudMonitor.exe processes for suspicious subprocess spawning indicative of authentication bypass abuse. Security teams must actively hunt for indicators of compromise including connections to known UNC6485 command and control infrastructure at IP addresses 85.239.63.37 and 65.109.204.197.

Access Control Hardening Measures

Configure the TrustedHostIP parameter within Triofox web.config files to restrict administrative interface access exclusively to internal IP ranges, preventing external authentication bypass attempts. Implement Zero Trust authentication architectures regardless of network location, ensuring proper identity verification even for localhost-originating requests. Organizations should restrict Triofox administrative capabilities through principle of least privilege, minimizing potential impact from future authentication vulnerabilities.

Indicators of Compromise (IoCs)

Network Indicators
  • Command and Control IP: 85.239.63.37 (UNC6485 infrastructure)
  • Command and Control IP: 65.109.204.197 (UNC6485 infrastructure)

Host Indicators
  • Unauthorized administrative account: “Cluster Admin”
  • Suspicious process spawning from GladinetCloudMonitor.exe
  • Presence of remote access tools: Zoho Assist, AnyDesk
  • SSH tunneling tools: Plink.exe, PuTTY installations
  • Modified antivirus configurations enabling code execution
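The audit procedures above and the indicator list can be turned into a single offline hunt. The script below is an added example, not Hive Pro's or Gladinet's code; it runs over constructed, pipe-delimited events (the file paths are placeholders, and the format stands in for whatever Sysmon or EDR export a team actually has) and flags the three classes of indicator the advisory names: GladinetCloudMonitor.exe spawning shells or tools, connections to the two C2 addresses, and creation of a “Cluster Admin” account.

```python
"""Offline hunt for the CVE-2025-12480 / UNC6485 indicators listed above.
Added example, not Hive Pro's or Gladinet's code; input is constructed,
pipe-delimited events standing in for Sysmon/EDR process, network and account records."""

# Indicators quoted from the advisory.
C2_IPS = {"85.239.63.37", "65.109.204.197"}
ABUSED_PARENT = "gladinetcloudmonitor.exe"
BACKDOOR_ACCOUNT = "cluster admin"
TOOLS = {"plink.exe", "putty.exe", "anydesk.exe"}  # tunnelling / remote access tools in the IoC list
# Interpreters a monitor service should never launch (assumption; extend per site).
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events; paths are placeholders, not real artefacts.
SAMPLE_LOG = r"""
ProcessCreate|ParentImage=C:\Placeholder\GladinetCloudMonitor.exe|Image=C:\Windows\System32\cmd.exe
ProcessCreate|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe
ProcessCreate|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Users\Public\plink.exe
NetworkConnect|Image=C:\Users\Public\plink.exe|DestinationIp=85.239.63.37|DestinationPort=22
NetworkConnect|Image=C:\Windows\System32\svchost.exe|DestinationIp=203.0.113.9|DestinationPort=443
UserAdded|Account=Cluster Admin|Role=administrator
UserAdded|Account=backup-svc|Role=user
""".strip().splitlines()


def basename(path: str) -> str:
    # Case-insensitive file name from a Windows or POSIX path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str):
    kind, *fields = line.strip().split("|")
    return kind, dict(f.split("=", 1) for f in fields if "=" in f)

def hunt(lines):
    """Return (line_no, category, detail) for every event matching an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        kind, ev = parse_event(line)
        if kind == "ProcessCreate":
            parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
            if parent == ABUSED_PARENT and child in SHELLS | TOOLS:
                hits.append((no, "process", f"{parent} spawned {child}"))
            elif child in TOOLS:  # tool present even when not launched by Triofox
                hits.append((no, "tool", f"{child} started by {parent}"))
        elif kind == "NetworkConnect" and ev.get("DestinationIp") in C2_IPS:
            hits.append((no, "network", f"{basename(ev.get('Image', ''))} -> {ev['DestinationIp']}"))
        elif kind == "UserAdded" and ev.get("Account", "").strip().lower() == BACKDOOR_ACCOUNT:
            hits.append((no, "account", f"unauthorized admin account {ev['Account']!r}"))
    return hits
```

Running `hunt(SAMPLE_LOG)` reports four hits (the cmd.exe spawn, the plink.exe launch, the connection to 85.239.63.37 and the “Cluster Admin” creation) and ignores the three benign events.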
