A critical vulnerability in Gladinet’s Triofox file-sharing platform has been actively exploited by threat actors to bypass authentication and abuse a built-in antivirus feature, achieving remote code execution with the highest level of SYSTEM privileges [1, 2]. The attack, attributed to a group tracked as UNC6485, leverages CVE-2025-12480, an authentication bypass flaw with a CVSS score of 9.1 [3]. This marks the third critical vulnerability in Triofox to be exploited in the wild this year, following CVE-2025-30406 and CVE-2025-11371 [4]. The exploitation chain is notable for its clever misuse of a legitimate security feature to deploy persistent remote access tools like Zoho Assist and AnyDesk.
For security leadership, the key takeaway is the immediate need to patch Triofox installations and audit for unauthorized administrative accounts. The attack demonstrates a sophisticated method of turning a defensive feature into an offensive weapon, achieving full system control.
* **Vulnerability:** CVE-2025-12480, a critical (CVSS 9.1) authentication bypass in Triofox.
* **Threat Actor:** UNC6485, actively exploiting the flaw since at least August 2025.
* **Attack Method:** Bypass authentication, create a new admin account, and reconfigure the built-in antivirus scanner to execute a malicious script with SYSTEM privileges.
* **Impact:** Full remote code execution, deployment of RATs (Zoho Assist, AnyDesk), and establishment of covert SSH tunnels for persistence.
* **Mitigation:** Upgrade to Triofox version 16.7.10368.56560 or newer, with a strong recommendation for version 16.10.10408.56683.
## Technical Breakdown of CVE-2025-12480
The root cause of CVE-2025-12480 lies in an improper access control check within the `CanRunCriticalPage()` function [5]. This function, which controls access to critical configuration pages, relied on an unvalidated HTTP Host header for authorization. If the request’s Host header was set to “localhost”, the function would grant access, operating under the assumption that such a request must originate from the machine itself [6]. As researchers from Mandiant explained, this logic is fundamentally flawed: “if the optional TrustedHostIp parameter is not configured in web.config, the ‘localhost’ check becomes the sole gatekeeper, leaving default installations exposed to unauthenticated access” [6]. This vulnerability affects all Gladinet Triofox versions prior to 16.7.10368.56560, and a patch was released in late June/July 2025. The patch notes explicitly state that protection was added for initial configuration pages, which can no longer be accessed after Triofox has been set up [7].
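The following model, added here and not taken from Gladinet’s code, contrasts the flawed decision logic described above with a hardened variant that derives trust from the TCP peer address and closes the setup pages once configuration is complete. The `Request` type, the `TrustedHostIp` handling and the hardened design are this example’s own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    host_header: str          # Host header value: chosen by the client, so untrusted
    remote_addr: str          # peer address of the TCP connection
    authenticated_admin: bool = False


def can_run_critical_page_vulnerable(req: Request,
                                     trusted_host_ip: Optional[str] = None) -> bool:
    """Models the flaw behind CVE-2025-12480 as the page describes it: with
    TrustedHostIp unset, a request carrying 'Host: localhost' is let through
    no matter where the connection actually came from."""
    if req.authenticated_admin:
        return True
    if trusted_host_ip and req.remote_addr == trusted_host_ip:
        return True
    # Sole remaining gate: a client-supplied header compared against "localhost".
    return req.host_header.split(":")[0].lower() == "localhost"


def can_run_critical_page_hardened(req: Request, setup_complete: bool,
                                   trusted_host_ip: Optional[str] = None) -> bool:
    """Hardened variant (this example's design, not the vendor's patch):
    1. initial-configuration pages are unreachable once setup has completed,
       which is what the vendor's patch note describes;
    2. before that, trust comes from the connection's peer address, never
       from a header the client controls."""
    if req.authenticated_admin:
        return True
    if setup_complete:
        return False
    try:
        peer = ip_address(req.remote_addr)
    except ValueError:
        return False
    if peer.is_loopback:
        return True
    return trusted_host_ip is not None and req.remote_addr == trusted_host_ip
```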
## The UNC6485 Exploitation Chain
The threat actor UNC6485, tracked by Google’s Mandiant and Google Threat Intelligence Group, began exploiting this vulnerability in the wild as early as August 24, 2025 [8]. The attack follows a multi-stage process that transforms an unauthenticated web request into full system control. The initial step involves sending HTTP GET requests to Triofox configuration pages, such as `AdminDatabase.aspx`, with the Host or Referer header spoofed to “localhost” [5, 9]. This simple header manipulation bypasses authentication entirely, granting the attacker access to the platform’s setup wizard. From there, the attackers use the `AdminAccount.aspx` page, which redirects to `InitAccount.aspx`, to run the Triofox initialization process and create a new, fully privileged native administrator account named “Cluster Admin” [1, 6].
After establishing a persistent administrative foothold, the attackers execute the most ingenious part of their campaign: the abuse of the built-in antivirus feature. Logging in with the newly created “Cluster Admin” account, they upload a malicious batch script named `centre_report.bat` to the server. Within the Triofox admin interface, they then reconfigure the built-in antivirus engine’s scanner path to point directly to this malicious script [2, 6]. The critical technical detail here is the privilege context in which this “antivirus” script runs. Mandiant’s analysis confirms that “The file configured as the anti-virus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account” [6, 10]. This means any file uploaded to a published share would trigger the execution of the attacker’s script with the highest possible privileges on a Windows system.
## Payload Deployment and Post-Exploitation Activity
With the malicious `centre_report.bat` script configured to run as SYSTEM, the attackers could now achieve reliable and high-integrity code execution. The batch file acted as a downloader, using a PowerShell command to retrieve a payload from the IP address 84.200.80[.]252 [1, 6]. The payload was disguised as a Zoho Unified Endpoint Management System (UEMS) installer, saved to the system as `SAgentInstaller_16.7.10368.56560.exe` within the `C:\Windows\appcompat\` directory [2, 6]. This installer was then used to deploy legitimate remote access tools, specifically Zoho Assist and AnyDesk, providing the attackers with direct and persistent remote control over the compromised host. Using Zoho Assist, the actors performed reconnaissance, enumerating SMB sessions and user information, and attempted to change user passwords and add them to privileged groups like “Domain Admins” and local “Administrators” [1, 2].
For stealthy command-and-control and lateral movement, UNC6485 employed additional evasion techniques. They downloaded tools like Plink and PuTTY to establish an encrypted SSH tunnel from the victim machine to their C2 server at 216.107.136[.]46 over port 433 [2, 6]. This tunnel was used to covertly forward RDP traffic (port 3389) to the victim machine, allowing the attackers to interact with the system remotely while blending their traffic into common encrypted protocols, making detection more difficult for network monitoring tools.
## Detection and Mitigation Strategies
A multi-layered approach is required to detect and mitigate this attack. The primary and most critical step is immediate patching. All Triofox instances must be upgraded to the patched version 16.7.10368.56560 or newer. Researchers strongly recommend applying the latest security update present in version 16.10.10408.56683, released on October 14, 2025, as it also addresses previous critical flaws like CVE-2025-11371 [6]. Beyond patching, organizations should conduct a thorough audit of all administrator accounts on Triofox systems, specifically hunting for the unauthorized “Cluster Admin” account or any other unexpected administrative users created around the time of the exploitation window. A review of the Triofox antivirus engine configuration is also essential to ensure it has not been pointed to an unauthorized script or binary.
For proactive threat hunting, security teams should monitor for several key indicators of compromise. Network traffic should be scrutinized for anomalous outbound SSH connections, particularly to unfamiliar IP addresses over non-standard ports like 433. Endpoint detection systems should be configured to alert on the creation or execution of specific files associated with this campaign, including `centre_report.bat`, `SAgentInstaller_16.7.10368.56560.exe`, and Zoho Assist components like `sihosts.exe` and `silcon.exe`. Special attention should be paid to the `C:\Windows\appcompat\` directory, which was used for payload staging. Security teams can also utilize curated detection rules, such as Sigma rules available on platforms like SOC Prime, which are tagged for “UNC6485” and “CVE-2025-12480” to aid in identification [9].
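One retrospective check the web server logs allow is to look for requests to the setup pages named above whose Host or Referer header claims `localhost` while the connecting client is not a loopback address. The script below is an added example, not from the page’s sources; it parses a constructed IIS W3C-style log and assumes the `cs-host` and `cs(Referer)` fields have been enabled in the logging configuration.

```python
from ipaddress import ip_address

# Configuration pages the article names as reached through the bypass (compared lowercase).
SETUP_PAGES = {"/admindatabase.aspx", "/adminaccount.aspx", "/initaccount.aspx"}

# Constructed sample log in IIS W3C extended format. The #Fields line is an assumption:
# cs-host and cs(Referer) are optional fields and must be enabled to appear in real logs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host cs(Referer) sc-status
2025-08-24 03:12:01 203.0.113.7 GET /AdminDatabase.aspx localhost - 200
2025-08-24 03:12:09 203.0.113.7 GET /AdminAccount.aspx localhost - 302
2025-08-24 03:12:10 203.0.113.7 GET /InitAccount.aspx localhost http://localhost/AdminAccount.aspx 200
2025-08-24 09:30:00 127.0.0.1 GET /AdminDatabase.aspx localhost - 200
2025-08-24 09:31:00 198.51.100.5 GET /portal/default.aspx triofox.example.com - 200
"""


def _is_loopback(addr: str) -> bool:
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def find_bypass_attempts(log_text: str):
    """Return (c-ip, cs-uri-stem, claimed-by) for every request to a setup page
    where the client is not loopback but Host and/or Referer claims localhost."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() not in SETUP_PAGES:
            continue
        if _is_loopback(rec.get("c-ip", "")):
            continue                        # genuinely local: the header is plausible
        claims = []
        if rec.get("cs-host", "").split(":")[0].lower() == "localhost":
            claims.append("Host")
        if "localhost" in rec.get("cs(Referer)", "").lower():
            claims.append("Referer")
        if claims:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], "+".join(claims)))
    return hits
```

Hits from a real log should be correlated with account-creation events and antivirus scanner path changes in the Triofox admin interface around the same timestamps.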
The exploitation of CVE-2025-12480 by UNC6485 is a stark reminder of the risks associated with feature abuse in enterprise software. By turning a defensive antivirus mechanism into an offensive tool for SYSTEM-level execution, the attackers demonstrated a high level of sophistication. This incident underscores the continuous need for robust patch management processes, diligent configuration reviews, and proactive threat hunting. For organizations relying on Triofox, immediate action to apply the available patches and conduct the recommended audits is not just advisable but necessary to prevent compromise. The recurrence of critical vulnerabilities in this platform also suggests that a broader security review of its deployment may be warranted.
## References

1. “Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature,” The Hacker News, Nov. 11, 2025.
2. “Hackers Exploit Critical Flaw in Gladinet’s Triofox File Sharing Product,” Infosecurity Magazine, Nov. 11, 2025.
3. “CVE-2025-12480 Detection,” SOC Prime, Nov. 11, 2025.
4. “Critical Triofox bug exploited to run malicious payloads via AV configuration,” Security Affairs, Nov. 11, 2025.
5. “Critical Triofox Vulnerability Exploited in the Wild,” SecurityWeek, Nov. 11, 2025.
6. “Hackers abuse Triofox antivirus feature to deploy remote access tools,” BleepingComputer, Nov. 11, 2025.
7. “Threat actors exploiting Triofox flaw to upload malicious files,” Cybersecurity Help, Nov. 11, 2025.
8. “Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature,” LinkedIn (Lewis Combs), Nov. 11, 2025.
9. “The Hacker News Facebook Post,” Facebook (The Hacker News), Nov. 10, 2025.
10. “Instagram Post,” Instagram, Nov. 11, 2025. [Placeholder link; no substantive information derived]