Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform.
This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) under the UNC6485 label exploited an unauthenticated access vulnerability and chained it with the abuse of the built-in antivirus feature to achieve code execution.
The activity discussed leveraged a vulnerability in Triofox version 16.4.10317.56372, which was mitigated in release 16.7.10368.56560.
Gladinet engaged with Mandiant on our findings, and Mandiant has validated that this vulnerability is resolved in new versions of Triofox.
Triofox Zero-Day Exploited To Deliver Malware Through Antivirus Functionality
Mandiant leverages Google Security Operations (SecOps) to detect, investigate, and respond to security incidents across our customer base.

For this investigation, Mandiant received a composite detection alert identifying potential threat actor activity on a customer’s Triofox server, spotting the deployment of remote access utilities and file activity in staging directories.
Within 16 minutes, Mandiant confirmed the threat and initiated containment.
The investigation revealed an unauthenticated access flaw that allowed access to the configuration pages; UNC6485 used it to run the initial setup, creating a new native admin account called “Cluster Admin” for subsequent actions.
The exploitation began with a suspicious HTTP GET request featuring a localhost Referer URL from an external IP, which is irregular for legitimate traffic.
Standard requests to AdminAccount.aspx or AdminDatabase.aspx redirected to Access Denied, but attackers modified the Host header to “localhost,” bypassing controls via an HTTP host header attack.
This granted access to the setup pages intended for initial installation, leading to the creation of an admin account.
Code analysis of the CanRunCriticalPage() function in GladPageUILib.dll showed it granted access when the Host equaled “localhost,” without origin validation or robust trusted IP checks.
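The two signals described above (a request to the setup pages carrying a Host header or Referer that names localhost while the client IP is external) can be hunted for in web server logs. The following is an added detection example, not code from the report or from Gladinet; it assumes a simplified W3C-style log layout and assumed URI paths for the setup pages, and the log lines are constructed.

```python
import ipaddress
import re

# Setup pages named in the writeup; the URI paths are assumed for this example.
SETUP_PAGES = {"/adminaccount.aspx", "/admindatabase.aspx"}
LOCALHOST_NAMES = ("localhost", "127.0.0.1")

# Constructed sample lines in a simplified W3C-style layout (assumed, not real
# Triofox logs): date time c-ip cs-method cs-uri-stem cs-host cs(Referer) status
SAMPLE_LOG = """\
2025-08-24 10:01:12 203.0.113.7 GET /AdminAccount.aspx localhost http://localhost/AdminAccount.aspx 200
2025-08-24 10:01:15 203.0.113.7 POST /AdminDatabase.aspx localhost http://localhost/AdminDatabase.aspx 200
2025-08-24 10:02:00 198.51.100.9 GET /AdminAccount.aspx triofox.example.com - 302
2025-08-24 10:03:30 127.0.0.1 GET /AdminAccount.aspx localhost http://localhost/AdminAccount.aspx 200
2025-08-24 10:04:01 203.0.113.7 GET /portal/login.aspx triofox.example.com - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1, where a localhost Host header is legitimate."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def claims_localhost(host: str, referer: str) -> bool:
    """True when the Host header or the Referer URL names the loopback host."""
    host = host.split(":")[0].lower()
    ref_host = re.sub(r"^https?://", "", referer.lower()).split("/")[0].split(":")[0]
    return host in LOCALHOST_NAMES or ref_host in LOCALHOST_NAMES


def find_host_header_bypass(log_text: str) -> list[dict]:
    """Flag setup-page requests from non-loopback clients that spoof localhost."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, comments and malformed lines
        date, time, cip, method, uri, host, referer, status = m.groups()
        if uri.lower() not in SETUP_PAGES or is_loopback(cip):
            continue  # not a setup page, or genuine local install traffic
        if claims_localhost(host, referer):
            hits.append({"time": f"{date} {time}", "src": cip, "method": method,
                         "uri": uri, "status": status})
    return hits
```

A 200 status on a setup page for an external client is the strongest signal, since legitimate external requests to these pages are redirected to Access Denied.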
To execute code, the attacker logged in with the new admin account and abused the antivirus feature by setting its path to a malicious batch script, inheriting SYSTEM privileges.
Uploading files to shared folders triggered the script, which downloaded a Zoho Unified Endpoint Management installer from a malicious URL and deployed Zoho Assist and AnyDesk for remote access.
Post-exploitation included reconnaissance via SMB enumeration, password changes, and privilege escalations to Domain Admins.
To evade detection, the attacker renamed Plink (sihosts.exe) and PuTTY (silcon.exe), then created an SSH reverse tunnel on port 433, forwarding RDP traffic to the attacker’s C2 server.
The vulnerability is patched in version 16.7.10368.56560; Mandiant recommends upgrading immediately, auditing admin accounts, verifying antivirus configurations, hunting for the tools covered by the SecOps rules, and monitoring for anomalous SSH traffic to detect compromises.