
CVE-2025-12480: Triofox Zero-Day Exploited to Deploy Remote Access Tools via Antivirus Feature Misuse

  • Rescana
  • Nov 11
  • 5 min read

Executive Summary

A critical security vulnerability in the Triofox enterprise file-sharing and remote access platform, developed by Gladinet, is being actively exploited by sophisticated threat actors. Attackers are leveraging an authentication bypass flaw (CVE-2025-12480, CVSS 9.1) to gain unauthorized administrative access to Triofox servers. By abusing the platform’s antivirus configuration feature, adversaries are able to execute arbitrary code with SYSTEM privileges, leading to the installation of remote access tools such as Zoho Assist and AnyDesk. This exploitation chain enables full system compromise, persistent access, and the potential for lateral movement within affected organizations. The campaign, attributed to the threat cluster UNC6485, highlights the risks of misconfigured security features and underscores the urgent need for immediate patching and robust access controls.

Threat Actor Profile

The primary threat actor exploiting the Triofox vulnerability is tracked as UNC6485 by leading threat intelligence providers, including Mandiant and Google Cloud Threat Intelligence. While not directly linked to a well-known nation-state advanced persistent threat (APT) group, UNC6485 demonstrates a high level of operational sophistication, rapid exploitation of n-day vulnerabilities, and a toolkit consistent with both financially motivated and espionage-focused actors. The group’s tactics, techniques, and procedures (TTPs) include leveraging public-facing application exploits, creating unauthorized administrative accounts, deploying legitimate remote access software for persistence, and using encrypted tunnels for stealthy command and control. The campaign is global in scope, targeting organizations with exposed Triofox management interfaces across multiple sectors.

Technical Analysis of Malware/TTPs

The exploitation chain begins with the abuse of CVE-2025-12480, an authentication bypass vulnerability in Triofox versions prior to 16.7.10368.56560. Attackers manipulate the HTTP Host header to access the platform’s setup and configuration pages without valid credentials. Once inside, they initiate the setup process to create a new native administrative account, often named “Cluster Admin.” With administrative privileges, the adversary uploads a malicious batch script (commonly named centre_report.bat) and configures the antivirus engine path to point to this script. When the antivirus feature is triggered, the script executes with SYSTEM-level privileges inherited from the Triofox process.

The batch script typically downloads and installs the Zoho Unified Endpoint Management System (UEMS) agent from attacker-controlled infrastructure (e.g., 84.200.80[.]252). Subsequently, remote access tools such as Zoho Assist and AnyDesk are deployed, providing the attacker with persistent, interactive access to the compromised host. For lateral movement and defense evasion, tools like Plink and PuTTY are used to establish encrypted SSH tunnels (often on port 433), enabling inbound Remote Desktop Protocol (RDP) sessions that bypass traditional network controls.

The attackers further attempt to escalate privileges by changing passwords and adding accounts to local administrators and “Domain Admins” groups. The use of legitimate remote access tools and encrypted tunnels complicates detection and response efforts, as these activities can blend in with normal administrative operations.

Key indicators of compromise (IOCs) include the presence of unauthorized administrative accounts, unusual antivirus engine paths pointing to non-standard executables or scripts, batch scripts such as centre_report.bat, and outbound connections to known attacker infrastructure. Host-based artifacts may include the installation of Zoho UEMS, AnyDesk, Plink, and PuTTY in atypical directories, as well as suspicious process spawning from the Triofox application context.

Exploitation in the Wild

Active exploitation of the Triofox vulnerability was first observed in late August 2025, shortly after the public disclosure and patch release. The threat actors have demonstrated rapid weaponization of the exploit, targeting organizations with internet-exposed Triofox management interfaces. The attack pattern involves initial exploitation for administrative access, deployment of remote access tools for persistence, and the establishment of encrypted tunnels for stealthy command and control. Multiple organizations across various sectors have reported incidents, with evidence of both opportunistic and targeted attacks. The use of legitimate remote access software and encrypted channels has enabled the attackers to maintain long-term access and evade traditional detection mechanisms.

Victimology and Targeting

The exploitation campaign is global in scope, with no specific industry or geographic focus explicitly identified in public reporting. However, the nature of the Triofox platform—commonly used by enterprises, managed service providers, and organizations requiring secure remote file access—suggests that a broad range of sectors are at risk. Victims are typically organizations with Triofox management interfaces exposed to the internet, lacking robust access controls or timely patching practices. The attackers’ use of widely available remote access tools and generic privilege escalation techniques indicates a focus on maximizing access and persistence rather than targeting specific data or assets. Nevertheless, the potential for data exfiltration, lateral movement, and further compromise remains high, particularly in environments with weak segmentation and monitoring.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by this exploitation campaign. Organizations using Triofox should upgrade to version 16.7.10368.56560 or later, as this release addresses the authentication bypass vulnerability. All administrative accounts should be audited for unauthorized additions, with particular attention to accounts named “Cluster Admin” or those created outside normal provisioning processes. The antivirus engine configuration should be reviewed to ensure it is not set to execute arbitrary scripts or binaries. Network monitoring should be implemented to detect outbound connections to known attacker infrastructure, as well as the presence of remote access tools such as Zoho Assist and AnyDesk.

Access to the Triofox management interface should be restricted to trusted networks, and exposure to the public internet should be minimized or eliminated. Security teams should monitor for the execution of batch scripts and the spawning of command shells from the Triofox process context. Detection rules should be deployed to identify suspicious process activity, file writes to sensitive directories, and the use of SSH tunneling tools like Plink and PuTTY. As an additional precaution, organizations should review and harden their endpoint detection and response (EDR) policies to flag the installation and execution of remote access software.
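As an added detection example (not code from this advisory, from Gladinet, or from Triofox itself), the Python below triages constructed Sysmon-style process-creation events for the host artifacts the advisory describes: shells spawned from the Triofox process context, the centre_report.bat staging script, remote access and tunnelling tools outside standard install directories, and SSH tools using port 433. The Triofox service image path, the sample command lines and the event shape are assumptions made for the sample, not confirmed values.

```python
import re

# Constructed sample events in a Sysmon Event ID 1-like shape; not real telemetry.
# The Triofox service image path is an assumption used only to build the sample.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Triofox\TriofoxService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\Temp\centre_report.bat"',
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -N -P 433 svc@203.0.113.10",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe",
     "User": r"CORP\jdoe"},
]

TRIOFOX_PARENT = re.compile(r"triofox", re.I)  # assumption: service image path names the product
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_TOOLS = {"anydesk.exe", "plink.exe", "putty.exe"}  # tools named in the advisory
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """Return human-readable findings for one process-creation event."""
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    findings = []
    if TRIOFOX_PARENT.search(event["ParentImage"]) and image in SHELLS:
        findings.append("shell spawned from Triofox process context")
    if "centre_report.bat" in cmd.lower():
        findings.append("known staging script centre_report.bat")
    if image in REMOTE_TOOLS:
        where = "standard" if event["Image"].lower().startswith(STANDARD_DIRS) else "atypical"
        findings.append(f"remote access/tunnel tool {image} in {where} directory")
        if re.search(r"\s-P\s*433\b", cmd):
            findings.append("SSH tunnel tool using port 433")
    return findings


def scan(events: list) -> list:
    """Pair each event index with its findings, skipping events that raise none."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]
```

The third event shows the caveat the advisory raises: AnyDesk installed under Program Files by an ordinary user yields only a low-confidence finding, so it must be checked against the organisation's approved-software list.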

Incident response plans should be updated to include procedures for identifying and eradicating unauthorized remote access tools, resetting compromised credentials, and conducting thorough forensic analysis of affected systems. Regular vulnerability scanning and patch management are essential to prevent exploitation of both known and emerging threats.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and risk assessment capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about how Rescana can help strengthen your organization’s cybersecurity posture, or for any questions regarding this advisory, please contact us at ops@rescana.com.