
Hackers abuse Triofox antivirus feature to deploy remote access tools


Hackers exploited a critical vulnerability and the built-in antivirus feature in Gladinet's Triofox file-sharing and remote-access platform to achieve remote code execution with SYSTEM privileges.

The security issue leveraged in the attack is CVE-2025-12480 and can be used to bypass authentication and obtain access to the application's setup pages.

Security researchers at Google Threat Intelligence Group (GTIG) discovered the malicious activity on August 24, after a threat cluster tracked internally as UNC6485 targeted a Triofox server running version 16.4.10317.56372, released on April 3.

The root cause of CVE-2025-12480 is an access-control logic gap: admin access is granted whenever the host in the application's request URL equals 'localhost'.

Attackers can therefore spoof that value via the HTTP Host header and bypass all authentication checks.

Mandiant explains that, if the optional TrustedHostIp parameter is not configured in web.config, the 'localhost' check becomes the sole gatekeeper, leaving default installations exposed to unauthenticated access.
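To make the logic gap concrete, here is an added example (not Triofox or Mandiant code) that models a gate trusting the client-supplied Host header next to one that decides on the connection's remote address, plus a small check over constructed log lines for the "localhost from an external source" pattern. The function names, the TRUSTED_HOST_IPS stand-in for a configured TrustedHostIp, and the log format are assumptions for illustration only.

```python
# Added example, not the product's code: models the CVE-2025-12480 access-control
# gap and a defensive alternative. Names and log format are hypothetical.
from dataclasses import dataclass


@dataclass
class Request:
    host_header: str   # HTTP Host header: entirely client-controlled
    remote_addr: str   # peer IP from the TCP connection: not settable via headers


def vulnerable_gate(req: Request) -> bool:
    """Flawed logic: treats a Host header of 'localhost' as proof of locality."""
    return req.host_header.split(":")[0].lower() == "localhost"


# Stand-in for an explicitly configured trusted-host list (assumption).
TRUSTED_HOST_IPS = {"127.0.0.1", "::1"}


def hardened_gate(req: Request, trusted_ips=TRUSTED_HOST_IPS) -> bool:
    """Decide on the transport-level peer address, which the client cannot spoof."""
    return req.remote_addr in trusted_ips


# Constructed log lines (not real traffic): remote_addr "Host header" method path
SAMPLE_LOG = """\
203.0.113.45 "localhost" GET /setup
127.0.0.1 "localhost" GET /setup
198.51.100.7 "files.example.test" GET /
"""


def flag_spoofed_localhost(log_text: str) -> list:
    """Return peer addresses that sent Host: localhost but are not loopback."""
    hits = []
    for line in log_text.splitlines():
        addr, rest = line.split(" ", 1)
        host = rest.split('"')[1]          # value between the first pair of quotes
        if host.split(":")[0].lower() == "localhost" and addr not in TRUSTED_HOST_IPS:
            hits.append(addr)
    return hits
```

The same external request passes the header-based gate and fails the address-based one, and the log check surfaces exactly the irregular pattern the researchers describe.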

A fix for CVE-2025-12480 became available in Triofox version 16.7.10368.56560, released on July 26, and GTIG researchers confirmed with the vendor that the flaw was addressed.

Abusing the antivirus feature

Mandiant's investigation determined that UNC6485 exploited the vulnerability by sending an HTTP GET request with 'localhost' in the HTTP Referer URL.

"The presence of the localhost host header in a request originating from an external source is highly irregular and typically not expected in legitimate traffic," the researchers explain.
