Hackers Exploit Triofox Antivirus to Gain SYSTEM Privileges: CVE-2025-12480 Explained

Listen to this Post

Featured Image

🎯 Introduction

In one of the most alarming cybersecurity incidents of the year, hackers have weaponized both a critical software flaw and the built-in antivirus system of Gladinet’s Triofox platform to gain complete control of servers. The exploit, identified as CVE-2025-12480, bypasses authentication and grants attackers SYSTEM-level privileges, effectively giving them the keys to the digital kingdom. Security experts from Google Threat Intelligence Group (GTIG) and Mandiant have unraveled a sophisticated attack chain that blends stealth, technical precision, and clever abuse of legitimate security features.

🚨 Summary: The Anatomy of the Triofox Breach

The cyberattack centers on CVE-2025-12480, a serious access control vulnerability discovered in Gladinet’s Triofox file-sharing and remote-access platform. The flaw allowed attackers to bypass authentication and reach the platform’s sensitive setup pages, leading to complete administrative control.

Researchers from Google’s GTIG first observed the malicious activity on August 24, after a threat actor group, tracked as UNC6485, exploited Triofox version 16.4.10317.56372—a version released on April 3. The attackers leveraged a logical flaw where admin access was mistakenly granted when the application’s request URL host matched “localhost.” This condition could be spoofed using the HTTP Host header, tricking the system into granting full privileges.

Mandiant explained that if the TrustedHostIp parameter was not set in the web.config file, the “localhost” check became the only line of defense, leaving systems completely exposed. The vulnerability has since been patched in version 16.7.10368.56560, released on July 26, but older installations remain vulnerable.

Once the attackers breached the Triofox setup, they abused the antivirus configuration to escalate privileges. By crafting a malicious HTTP GET request with “localhost” in the HTTP Referer, they gained unauthorized access to AdminDatabase.aspx, a page normally used for initial setup. Through this page, they created a new administrator account named “Cluster Admin”, uploaded a malicious script, and cleverly set its path as the antivirus scanner location.

This maneuver was critical because the antivirus scanner runs under the SYSTEM account, the highest privilege level in Windows environments. As a result, their malicious code executed with full system rights.

The injected script launched a PowerShell downloader, which fetched a secondary payload—Zoho UEMS installer—from an external domain. This in turn deployed Zoho Assist and AnyDesk, two legitimate remote access tools often repurposed by attackers for stealthy control.

The group didn’t stop there. They also deployed Plink and PuTTY, tools commonly used to establish SSH tunnels, allowing remote traffic to flow through the compromised machine’s RDP port (3389). This enabled lateral movement inside the network and persistent remote access.

While the core vulnerability was addressed in July’s patch, Mandiant recommends updating to Triofox version 16.10.10408.56683 (released October 14), which includes additional security hardening. Administrators are also urged to audit all admin accounts, verify antivirus configurations, and ensure that unauthorized scripts are not being executed through trusted processes.

The GTIG report includes a comprehensive list of Indicators of Compromise (IoCs), published both in their security advisory and on VirusTotal, to help defenders detect and respond to ongoing exploitation attempts.

This breach follows closely on the heels of another vulnerability, CVE-2025-11371, affecting both CentreStack and Triofox, which allowed attackers to access system files without authentication. Discovered by Huntress Labs, that flaw was exploited in multiple intrusions before being fixed in the same October release.

In short, Triofox’s series of vulnerabilities have exposed a recurring issue: trusted components being misused as attack surfaces, a lesson that modern system architects can’t afford to ignore.

🧩 What Undercode Say:

This incident is more than a one-off exploit—it’s a case study in trust abuse and architectural fragility. The attackers didn’t rely on zero-day wizardry alone; they used logic flaws and legitimate features to build a chain of compromise that was elegant in its simplicity.

The key vulnerability, CVE-2025-12480, highlights a fundamental issue in access control validation. By trusting the “localhost” value in the request header, the application made a dangerous assumption: that all internal requests are safe. In the modern web ecosystem, where proxy servers, load balancers, and remote agents are common, this assumption is outdated and perilous.

The second phase—abusing the antivirus configuration—demonstrates an advanced level of understanding of system operations. Attackers know that many enterprise software platforms run their antivirus modules with elevated privileges, a perfect target for privilege escalation.

UNC6485’s use of Zoho UEMS, AnyDesk, and PuTTY tools wasn’t random. It reflects a shift toward “living-off-the-land” techniques, where threat actors exploit trusted utilities to minimize detection. Instead of deploying obvious malware, they piggyback on legitimate software, blending into normal IT activity and bypassing most endpoint security solutions.

This tactic also complicates forensic response. Once remote tools like Zoho Assist or AnyDesk are installed, their network signatures mimic those of standard remote administration sessions. Unless the defenders are monitoring behavioral anomalies, the compromise could persist undetected for months.

Another interesting aspect is the timeline of patching. Although Gladinet acted relatively quickly to issue fixes, attackers were already exploiting older versions months after release. This underscores a persistent industry problem—slow patch adoption. Even when vendors respond responsibly, real-world defenses lag behind due to operational constraints, testing delays, or simple neglect.

In the broader context, this incident underscores why supply-chain and infrastructure software should adopt stronger zero-trust principles. Instead of relying on hostnames or single-parameter checks, systems should enforce multi-factor access control, cryptographic authentication, and rigorous validation layers.

The inclusion of “localhost” as a trusted gatekeeper might have seemed harmless in early development, but in production-grade environments exposed to the internet, it becomes a catastrophic miscalculation.

Gladinet’s case also illustrates the evolution of cyberattacks toward dual-use exploitation—where legitimate software components such as antivirus engines, remote tools, and SSH clients are not just bypassed, but actively turned against the system they were meant to protect.

For defenders, the lesson is clear: trust nothing by default. Audit all configurations, especially those involving elevated privileges or automated workflows. If a system has a “default setting” that assumes safety, it is already vulnerable.

The Triofox breach, like many others before it, is not simply about patching CVEs. It’s about rethinking trust boundaries, re-examining what “internal” really means in an era of distributed applications, and ensuring that convenience never outweighs security discipline.

🔍 Fact Checker Results

✅ CVE-2025-12480 confirmed and patched in Triofox v16.7.10368.56560.

✅ GTIG and Mandiant independently verified the attack chain.

✅ Exploit involved abuse of antivirus scanner with SYSTEM privileges.

📊 Prediction

🔮 In the coming months, similar header-spoofing vulnerabilities will emerge across enterprise software built with outdated trust assumptions.
🛡️ Expect an increase in “feature-based attacks”—where security tools themselves become the weapon.
🚀 Vendors will likely pivot toward zero-trust validation models, minimizing implicit trust in internal hostnames and local process privileges.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon