CVE-2025-12480 — Gladinet Triofox Improper Access Control Vulnerability

CVE-2025-12480

Gladinet Triofox — Host Header Spoofing Bypasses Setup Auth → Admin Account Creation → SYSTEM RCE via AV Engine (UNC6485)

What is Gladinet Triofox?

Gladinet Triofox is an enterprise on-premises file sharing and collaboration platform (similar to CentreStack but with a focus on team collaboration features). Like CentreStack, Triofox is built on ASP.NET and deployed on Windows Server / IIS. Triofox includes a built-in antivirus engine integration that scans uploaded files; this feature, ironically, became the escalation path for code execution in the observed attacks. This is the third critical Gladinet vulnerability exploited in 2025 (alongside CVE-2025-30406 and CVE-2025-14611), making Gladinet a persistent high-value target.

Overview

CVE-2025-12480 is a critical improper access control vulnerability (CWE-284, CVSS 9.1) in Gladinet Triofox. The initial setup pages remain accessible after installation is complete because the access control function (CanRunCriticalPage()) grants admin access based on the HTTP Host header rather than the actual connection origin. By sending Host: localhost, any unauthenticated attacker can access AdminDatabase.aspx and the setup workflow — creating a native Cluster Admin account. The threat actor UNC6485 exploited this beginning August 24, 2025, then abused Triofox's built-in AV engine configuration to execute arbitrary commands as SYSTEM, and deployed AnyDesk, Zoho Assist, and SSH reverse tunnels for persistence.

Affected Versions

Product    Vulnerable                    Fixed
Triofox    Prior to 16.7.10368.56560     16.7.10368.56560 (released July 26, 2025)

Note: The patch was released on July 26, 2025 — approximately 3.5 months before CVE publication. Exploitation began August 24, 2025, while most organizations were still running unpatched versions.

Technical Details

The vulnerability (CWE-284: Improper Access Control) is in Triofox's CanRunCriticalPage() function in GladPageUILib.GladBasePage. This function controls access to post-setup administrative pages and grants admin access when Request.Url.Host equals "localhost". The critical flaw: ASP.NET builds Request.Url from the attacker-controlled Host HTTP header, not from the actual TCP connection's local address, so the check tests what the client claimed rather than where the connection came from. No origin validation is performed.

Exploit chain (UNC6485 post-exploitation):

  1. Set Host: localhost header (optionally with matching Referer) → bypass all authentication → access AdminDatabase.aspx and setup pages
  2. Create a new native Cluster Admin account → full administrative access to Triofox
  3. Navigate to the Antivirus Engine configuration page → point the AV scan executable to a malicious batch script: cmd.exe /c "c:\triofox\centre_report.bat" ... → The AV process runs as SYSTEM
  4. Upload a file to Triofox → trigger the AV scan → execute the malicious batch script as SYSTEM
  5. Deploy AnyDesk, Zoho Assist (remote access tools), renamed Plink/PuTTY (silcon.exe, sihosts.exe) for persistent access
  6. Establish SSH reverse tunnels to C2 infrastructure for covert command-and-control
  7. Attempt lateral movement — including attempts to add accounts to the Domain Admins group
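The Host-header mismatch in step 1 leaves a visible trace in IIS logs: the claimed Host is "localhost" while the TCP peer (c-ip) is a routable address. The following hunt script is an added example, not code from the page, Gladinet, or Mandiant; the log excerpt is constructed, and it assumes the optional cs-host field was enabled in IIS W3C logging on the Triofox server (it is not logged by default).

```python
import ipaddress
from dataclasses import dataclass

# Constructed IIS W3C log excerpt; not taken from the page or any real server.
# The optional cs-host field must be enabled in IIS logging for this check.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-host cs-method cs-uri-stem sc-status
2025-08-24 03:12:07 127.0.0.1 localhost GET /AdminDatabase.aspx 200
2025-08-24 03:15:41 203.0.113.10 localhost GET /AdminDatabase.aspx 200
2025-08-24 03:15:49 203.0.113.10 localhost:443 POST /AdminDatabase.aspx 302
2025-08-24 03:20:02 198.51.100.7 files.example.com GET /portal/default.aspx 200
"""

@dataclass(frozen=True)
class Hit:
    when: str
    client_ip: str
    method: str
    path: str

def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed values count as not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def find_spoofed_localhost(log_text: str) -> list:
    """Return requests whose Host header says 'localhost' but whose TCP peer
    (c-ip) is not a loopback address: the mismatch CanRunCriticalPage() misses."""
    hits = []
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order is declared per log file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        # Request.Url.Host drops the port, so "localhost:443" passes the same check.
        host = rec.get("cs-host", "").rsplit(":", 1)[0].lower()
        if host != "localhost" or is_loopback(rec.get("c-ip", "")):
            continue
        hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"],
                        rec["cs-method"], rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for h in find_spoofed_localhost(SAMPLE_LOG):
        print(f"{h.when} {h.client_ip} {h.method} {h.path}  <- Host spoofed to localhost")
```

If a reverse proxy fronts Triofox, c-ip will be the proxy's address and a Host of localhost may be legitimate, so compare against the X-Forwarded-For value the proxy logs instead.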

Discovery

Mandiant (Google Threat Intelligence) detected the active exploitation campaign by UNC6485 and published analysis in November 2025.

Exploitation Context

Threat actor UNC6485 — a previously untracked group identified by Mandiant — began exploiting CVE-2025-12480 as a zero-day on August 24, 2025, over two months before CVE publication. Attack infrastructure IPs: 85.239.63[.]37, 65.109.204[.]197, 84.200.80[.]252; C2 at 216.107.136[.]46. CISA added CVE-2025-12480 to the KEV catalog on November 12, 2025 — two days after CVE publication — with a December 3 remediation deadline. UNC6485's use of the AV engine as a SYSTEM code execution path demonstrates sophisticated understanding of the product's internal architecture beyond simply exploiting the authentication bypass.

Remediation

  1. Upgrade Triofox to version 16.7.10368.56560 or later immediately.
  2. Check for newly created Cluster Admin accounts: review Triofox administration → User Management for accounts created after installation, especially accounts not created by known administrators.
  3. Review AV engine configuration: check the Triofox antivirus scan executable path for unauthorized modifications pointing to batch scripts or executables in non-standard locations.
  4. Hunt for UNC6485 tools: check for AnyDesk, Zoho Assist, silcon.exe, sihosts.exe, and SSH reverse tunnel processes on the Triofox server and adjacent systems.
  5. Block C2 infrastructure: block IPs 85.239.63[.]37, 65.109.204[.]197, 84.200.80[.]252, 216.107.136[.]46 at perimeter firewalls.
  6. Audit Active Directory for unauthorized additions to Domain Admins or other privileged groups.
  7. Restrict Triofox web access to authenticated users — ensure the setup pages and admin portal require valid credentials before any content is served.

Key Details

Property               Value
CVE ID                 CVE-2025-12480
Vendor / Product       Gladinet — Triofox
NVD Published          2025-11-10
NVD Last Modified      2025-11-14
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-284
CISA KEV Added         2025-11-12
CISA KEV Deadline      2025-12-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-12-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-07-26    Triofox 16.7.10368.56560 released; patch predates CVE publication by 3.5 months
2025-08-24    UNC6485 begins exploitation of Triofox instances as a zero-day (Mandiant)
2025-11-10    CVE published; Mandiant discloses UNC6485 campaign analysis
2025-11-12    CISA adds to Known Exploited Vulnerabilities catalog
2025-12-03    CISA BOD 22-01 remediation deadline