CriticalCISA KEVExploited in the wildPublic exploit

Authentication Bypass and RCE in Gladinet Triofox

IdentifiersCVE-2025-12480CWE-284· Improper Access Control

CVE-2025-12480 is an improper access control vulnerability in Gladinet Triofox affecting versions prior to 16.7.10368.56560. After initial deployment, Triofox is intended to block access to setup and configuration pages, but the vulnerable access-control logic can be bypassed by manipulating the HTTP Host header, specifically by supplying a value of "localhost". Reporting identifies the vulnerable logic in CanRunCriticalPage() within GladPageUILib.dll, which incorrectly trusts the Host header as an indicator of local origin. This allows an unauthenticated remote attacker to reach sensitive setup pages such as AdminAccount.aspx and AdminDatabase.aspx even after setup is complete, rerun the initial setup workflow, and create a new native administrative account. In observed exploitation, attackers then abused Triofox’s built-in anti-virus feature by configuring the anti-virus engine path to an attacker-controlled script or binary. When a file was uploaded to a published share, Triofox executed the configured program with SYSTEM privileges, enabling arbitrary code execution on the host. Active exploitation in the wild by UNC6485 was reported against Triofox 16.4.10317.56372, and shared functionality may also affect Gladinet CentreStack.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation permits unauthenticated compromise of exposed Triofox servers. An attacker can bypass authentication, access privileged configuration functions, create rogue administrative accounts, and then achieve SYSTEM-level code execution by abusing the anti-virus execution path. This can lead to full host compromise, deployment of remote management tools, persistence, credential and account manipulation, lateral movement, data theft, and use of the server as an internal pivot point. Observed post-exploitation activity included deployment of Zoho UEMS, Zoho Assist, and AnyDesk, as well as SSH reverse tunneling for external RDP access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to Triofox management and setup interfaces using firewall or reverse-proxy controls, limiting access to trusted administrative sources only. Monitor for external requests with a Host header of "localhost" or other anomalous Host values. Audit for unexpected access to setup pages, creation of new admin accounts, and changes to anti-virus engine settings. Monitor for suspicious outbound SSH traffic, reverse tunnels, unexpected binaries in temporary or system directories, and installation of remote administration tools such as Zoho Assist or AnyDesk. Inventory all Triofox and related CentreStack instances and verify exposure.

Remediation

Patch, then assume compromise.

Upgrade Gladinet Triofox to version 16.7.10368.56560 or later; some reporting also recommends upgrading to the latest available release, including 16.10.10408.56683, to ensure all related fixes are applied. Validate that the vulnerable setup/configuration pages are no longer reachable after installation is complete. Review all Triofox administrative accounts for unauthorized additions, especially newly created native admin accounts. Inspect and correct the Anti-virus Engine configuration to ensure it does not reference unauthorized scripts or binaries. If compromise is suspected, collect logs and perform forensic review for indicators such as suspicious Host header access, unexpected file uploads, remote access tool installation, and outbound SSH tunneling activity.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GladinetTriofoxapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

93 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

93 SOURCESView more in app

sentinelone blogNews

Dec 25, 2025

The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

A zero-day vulnerability in Triofox (CVE-2025-12480) that allows full system compromise and has been actively exploited in the wild.

cyberthroneNews

Dec 23, 2025

Top 25 Most Exploited Vulnerabilities 2025

An access control bypass in Gladinet Triofox allowing attackers to gain admin access by reusing installation artifacts.

vulncheck blogNews

Dec 18, 2025

Tales from the Exploit Mines: Gladinet Triofox CVE-2025-12480 RCE

A critical remote code execution vulnerability in Gladinet Triofox, arising from an authentication bypass via improper validation of the Host header, allowing attackers to access administrative configuration pages and ultimately achieve remote code execution. The vulnerability was exploited as a zero-day in the wild.

cyber security newsNews

Dec 12, 2025

Top 20 Most Exploited Vulnerabilities of 2025: A Comprehensive Analysis

An improper access control vulnerability in Gladinet Triofox allowing unauthenticated attackers to create admin accounts and execute code as SYSTEM.

+11 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures3

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity76

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-12480

NVD

nvd.nist.gov/vuln/detail/CVE-2025-12480

MITRE CWE · CWE-284

Improper Access Control

Third Party Advisory

cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480

Third Party Advisory

github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md

Release Notes

access.triofox.com/releases_history

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-12480

Product

triofox.com