No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution.
The activity discussed in this blog post leveraged a vulnerability in Triofox version 16.4.10317.56372, which was mitigated in release 16.7.10368.56560.
While this vulnerability is patched in Triofox version 16.7.10368.56560, Mandiant recommends upgrading to the latest release. Additionally, Mandiant recommends auditing admin accounts and verifying that Triofox’s Anti-virus Engine is not configured to execute unauthorized scripts or binaries.
Security teams should also hunt for attacker tools using our hunting queries listed at the bottom of this post and monitor for anomalous outbound SSH traffic.
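As an added example (not code from Mandiant's post or from Gladinet), the Python sketch below triages a host inventory against the fixed release named above and lists each host's outbound SSH connections to non-internal addresses. The inventory and flow-record shapes, the hostnames and addresses, the 16.10 build and the RFC 1918 internal ranges are assumptions constructed for illustration.

```python
import ipaddress
import re

# Fixed release named in the post; builds below it should be upgraded.
FIXED = (16, 7, 10368, 56560)
# Assumption: only RFC 1918 ranges count as internal; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """Return a 4-part build string as a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def patch_status(version_text):
    """Compare numerically: as strings, '16.10...' would sort below '16.7...'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "at-or-above-fix" if v >= FIXED else "needs-upgrade"

def external_ssh(flows, host):
    """Destinations this host reached on port 22 outside the internal ranges."""
    return sorted({dst for src, dst, port in flows
                   if src == host and port == 22
                   and not any(ipaddress.ip_address(dst) in n for n in INTERNAL)})

def triage(inventory, flows):
    """Rows of (host, patch status, external SSH destinations), worst first."""
    order = {"needs-upgrade": 0, "unknown": 1, "at-or-above-fix": 2}
    rows = [(h, patch_status(v), external_ssh(flows, h)) for h, v in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], -len(r[2]), r[0]))

# Constructed sample data: hostnames, addresses and the 16.10 build are made up.
INVENTORY = {
    "files-01": "16.4.10317.56372",   # version the post says was exploited
    "files-02": "16.7.10368.56560",   # fixed release from the post
    "files-03": "16.10.10400.57000",  # constructed later build
    "files-04": "unknown",            # version not collected
}
FLOWS = [  # (source host, destination IP, destination port)
    ("files-01", "203.0.113.45", 22),
    ("files-01", "10.0.0.8", 22),
    ("files-02", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for host, status, ssh in triage(INVENTORY, FLOWS):
        print(f"{host:10} {status:16} external-ssh={ssh}")
```

Hosts with an unparseable version are reported as "unknown" rather than assumed patched, so they stay on the review list.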
To read the complete article, see:
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480