{"id":8356,"date":"2025-11-11T10:04:15","date_gmt":"2025-11-11T10:04:15","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/11\/hackers-exploiting-triofox-0-day-vulnerability-to-execute-malicious-payload-abusing-anti-virus-feature\/"},"modified":"2025-11-11T10:04:15","modified_gmt":"2025-11-11T10:04:15","slug":"hackers-exploiting-triofox-0-day-vulnerability-to-execute-malicious-payload-abusing-anti-virus-feature","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/11\/hackers-exploiting-triofox-0-day-vulnerability-to-execute-malicious-payload-abusing-anti-virus-feature\/","title":{"rendered":"Hackers Exploiting Triofox 0-Day Vulnerability to Execute Malicious Payload Abusing Anti-Virus Feature"},"content":{"rendered":"

Hackers Exploiting Triofox 0-Day Vulnerability to Execute Malicious Payload Abusing Anti-Virus Feature
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Google Mandiant has disclosed active exploitation of\u00a0CVE-2025-12480, a critical unauthenticated access vulnerability in Gladinet\u2019s Triofox<\/a> file-sharing platform.<\/p>\n

The threat cluster tracked as\u00a0UNC6485\u00a0has been weaponizing this flaw since August 2025 to gain unauthorized administrative access and establish persistent remote control over compromised systems.<\/p>\n

The vulnerability stems from improper access control validation in Triofox versions 16.4.10317.56372 and earlier.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Attribute<\/strong><\/th>\nDetails<\/strong><\/th>\n<\/tr>\n<\/thead>\n
CVE ID<\/strong><\/td>\nCVE-2025-12480<\/td>\n<\/tr>\n
Vendor<\/strong><\/td>\nGladinet<\/td>\n<\/tr>\n
Product<\/strong><\/td>\nTriofox<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nUnauthenticated Access Control \/ Host Header Injection<\/td>\n<\/tr>\n
Severity<\/strong><\/td>\nCritical<\/td>\n<\/tr>\n
CVSS Score<\/strong><\/td>\n9.8 (estimated)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Threat Actors Leverage the HTTP Host Header Attack<\/strong><\/h2>\n

Attackers exploit an HTTP host header injection technique, modifying the Host header to \u201clocalhost\u201d to bypass authentication checks and access the sensitive AdminDatabase.aspx configuration page.<\/p>\n

This page typically displays only during initial setup. However, it becomes exposed when the authentication function CanRunCriticalPage() fails to validate the request origin properly.<\/p>\n

\"exploitation
exploitation chain<\/em><\/figcaption><\/figure>\n

Once authenticated, attackers create new administrative accounts and escalate privileges <\/a>within the application.<\/p>\n

The exploitation chain becomes particularly dangerous when combined with\u00a0Triofox\u2019s built-in anti-virus feature misconfiguration.<\/p>\n

Attackers can set arbitrary executable paths for the anti-virus<\/a> scanner, which then runs under the SYSTEM account the highest privilege level in Windows environments.<\/p>\n

Antivirus Feature Misconfiguration<\/strong><\/h2>\n

In documented attacks, threat actors uploaded malicious batch scripts to published file shares, then configured them as the anti-virus engine path.<\/p>\n

\"Anti-virus
Anti-virus engine path set to a malicious batch script<\/em><\/figcaption><\/figure>\n

When files are uploaded to the share, the malicious script executes automatically with SYSTEM privileges, enabling complete system compromise. Post-exploitation activities reveal the severity of these breaches.<\/p>\n

Attackers deployed Zoho Unified Endpoint Management agents, followed by AnyDesk. They renamed the Plink utilities to establish encrypted SSH reverse tunnels to command-and-control<\/a> servers.<\/p>\n

This infrastructure enabled attackers to forward RDP traffic over encrypted channels, maintaining persistent remote desktop access while evading network-based detection systems.<\/p>\n

Mandiant successfully contained the<\/a> affected environment within 16 minutes of alert detection, leveraging Google Security<\/a> Operations\u2019 composite detection capabilities.<\/p>\n

Identifying anomalous remote access tool deployment and suspicious file staging activities.<\/p>\n

\"Overview
Overview of the post-exploitation activity<\/em><\/figcaption><\/figure>\n

Gladinet released a patched version 16.7.10368.56560<\/a> addressing the vulnerability.<\/p>\n

Mandiant recommends immediate upgrades across all affected deployments and comprehensive audits of administrative accounts.<\/p>\n

Verification that anti-virus engines execute only authorized binaries, and monitoring for anomalous outbound SSH tunnel traffic indicating potential compromise or lateral movement attempts within enterprise networks.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Hackers Exploiting Triofox 0-Day Vulnerability to Execute Malicious Payload Abusing Anti-Virus Feature<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Hackers Exploiting Triofox 0-Day Vulnerability to Execute Malicious Payload Abusing Anti-Virus Feature Google Mandiant has disclosed active exploitation of\u00a0CVE-2025-12480, a critical unauthenticated access vulnerability in Gladinet\u2019s Triofox file-sharing platform. The threat cluster tracked as\u00a0UNC6485\u00a0has been weaponizing this flaw since August 2025 to gain unauthorized administrative access and establish persistent remote control over compromised systems. The […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,2024,648],"tags":[130],"class_list":["post-8356","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-latest-cybersecurity-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8356"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8356"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8356\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}