Threat actors exploiting Triofox flaw to upload malicious files

Threat actors are exploiting a vulnerability in Gladinet’s Triofox file-sharing and remote-access platform, chaining it with abuse of the product’s built-in anti-virus integration to achieve code execution as SYSTEM.

The flaw, tracked as CVE-2025-12480, allows an unauthenticated attacker to reach the initial setup and configuration pages, which in turn enables the upload and execution of arbitrary payloads. Mandiant said it observed a threat cluster tracked as UNC6485 weaponizing the vulnerability as early as August 24, 2025, nearly a month after Gladinet shipped a fix in Triofox version 16.7.10368.56560.

The attackers abused the unauthenticated access to re-run the setup process and create a new administrator account named ‘Cluster Admin.’ Using that account, they uploaded malicious files and pointed Triofox’s anti-virus configuration at them so that the platform itself would execute them.

“To set up the anti-virus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the anti-virus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account,” the researchers explained.

Mandiant said the attackers executed a malicious batch script that downloaded a Zoho Unified Endpoint Management System (UEMS) installer from 84.200.80[.]252 and used it to deploy remote-access tools, including Zoho Assist and AnyDesk. Zoho Assist sessions were then used for reconnaissance and for privilege-escalation attempts, such as changing passwords and adding accounts to the local Administrators and Domain Admins groups.

To evade detection and maintain access, the actors also downloaded Plink and PuTTY and used them to establish an encrypted SSH tunnel to a command-and-control server over port 433 (not the usual HTTPS port 443), reportedly to forward inbound RDP traffic into the environment. Mandiant said the campaign’s ultimate objective remains unclear.

This is the third Triofox vulnerability observed under active exploitation this year, following CVE-2025-30406 and CVE-2025-11371. According to Gladinet’s release notes for the patched version, protection was added for the initial configuration pages, which “can no longer be accessed after Triofox has been set up.”

Triofox users are strongly advised to update to version 16.7.10368.56560 or later, audit the administrator accounts listed in the Triofox console for entries they did not create (such as ‘Cluster Admin’), and verify that the anti-virus scanner path points at a legitimate scanner binary rather than a script or a file in a writable location.
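The following script is an added example of how a defender might turn the two audit points above (the anti-virus scanner path described in Mandiant’s quote and the post-exploitation tooling) into checks; it is not code from Gladinet, Mandiant, or the original article. The process and network events, the scanner paths, the admin account lists, and the substring `triofox` used to recognise the parent process are all constructed or assumed for illustration, not taken from the incident.

```python
"""Hunt for the Triofox abuse pattern on constructed sample data.

Assumptions (not facts from the report): Sysmon-style event dicts, a parent
image path containing "triofox" identifies the Triofox service, and the
writable-directory hints below are only a starting list for a real host.
"""
import re
from pathlib import PureWindowsPath

# A legitimate AV scanner is an executable; any of these as the configured
# "scanner" means Triofox would hand SYSTEM privileges to a script.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}

# Directory fragments a low-privileged user or a web upload could write to
# (assumed list; extend for the host being audited).
WRITABLE_HINTS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\",
                  "\\inetpub\\", "\\appdata\\", "\\downloads\\")

# Constructed Sysmon-like events: ID 1 = process creation, ID 3 = network connect.
SAMPLE_EVENTS = [
    # benign: the service invokes a real scanner binary on an uploaded file
    {"id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Program Files (x86)\\Triofox\\service.exe",
     "image": "C:\\Program Files\\Vendor AV\\scancli.exe",
     "cmdline": 'scancli.exe "C:\\share\\doc.docx"'},
    # malicious: the service runs a batch file configured as the "scanner"
    {"id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Program Files (x86)\\Triofox\\service.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Windows\\Temp\\scan.bat"'},
    # unrelated: an admin's interactive shell running a batch file
    {"id": 1, "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\jdoe\\build.bat"'},
    # malicious: Plink tunnelling to a C2 on the unusual port 433
    {"id": 3, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\Temp\\plink.exe", "dst_ip": "203.0.113.7", "dst_port": 433},
    # benign: an admin's PuTTY session to a jump host on port 22
    {"id": 3, "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\PuTTY\\putty.exe", "dst_ip": "10.0.0.5", "dst_port": 22},
]


def check_av_scanner_path(path):
    """Return the reasons a configured scanner path is unsafe ([] if it looks sane)."""
    reasons = []
    p = PureWindowsPath(path.strip().strip('"'))
    if not p.is_absolute():
        reasons.append("relative path: resolves against the service working directory")
    if p.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"script extension {p.suffix.lower()} would run as SYSTEM")
    lowered = "\\" + str(p).lower() + "\\"
    if any(hint in lowered for hint in WRITABLE_HINTS):
        reasons.append("located in a directory that non-admins or web uploads can write to")
    if str(p).startswith("\\\\"):
        reasons.append("UNC path: the scanner binary is fetched from a remote host at run time")
    return reasons


def hunt(events, triofox_marker="triofox"):
    """Flag Triofox spawning a script and Plink/PuTTY connecting to port 433."""
    hits = []
    script_re = re.compile(r"\.(bat|cmd|ps1|vbs)\b", re.IGNORECASE)
    for e in events:
        if e["id"] == 1:
            if triofox_marker in e["parent"].lower() and script_re.search(e["cmdline"]):
                hits.append(("triofox_spawned_script", e["cmdline"]))
        elif e["id"] == 3:
            image = PureWindowsPath(e["image"]).name.lower()
            if image in {"plink.exe", "putty.exe"} and e["dst_port"] == 433:
                hits.append(("ssh_tunnel_port_433", f"{image} -> {e['dst_ip']}:{e['dst_port']}"))
    return hits


def unexpected_admins(current, approved):
    """Admin accounts in the Triofox console that are not on the approved list."""
    return sorted(set(current) - set(approved))


if __name__ == "__main__":
    for candidate in ('C:\\Program Files\\Vendor AV\\scancli.exe', 'C:\\Windows\\Temp\\scan.bat'):
        print(candidate, "->", check_av_scanner_path(candidate) or "ok")
    for tag, detail in hunt(SAMPLE_EVENTS):
        print(tag, detail)
    print("unexpected admins:", unexpected_admins(["admin", "Cluster Admin"], ["admin"]))
```

Run against real data, `hunt` would be fed Sysmon event IDs 1 and 3 from the Triofox host and `check_av_scanner_path` the value shown in the console’s anti-virus settings; the script-extension check is the one that would have caught the configuration Mandiant describes, since a scanner path ending in `.bat` has no legitimate use.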