A critical security vulnerability in Gladinet Triofox, identified as CVE-2025-12480, has been exploited by hackers to install malware through the product's remote access tool features. Although the flaw was fixed on 2025-07-26, attacks persisted against users who had not updated their systems.
Details of the Exploit
The flaw, given a severity score of 9.1 out of 10, was likely introduced in April 2025. It allowed unauthorized access to Triofox's setup pages even after installation was complete. Security teams from Mandiant and Google's Threat Intelligence Group identified the improper access control as the main issue. The vulnerability was exploited by a group known as UNC6485.
- Triofox vulnerability CVE-2025-12480 identified
- Faulty access control enabled unauthorized access
- Attacks reported post July 2025 patch release
- UNC6485 involved in exploiting the flaw
Impact and Mitigation
One incident involved the malicious deployment of Zoho UEMS, Zoho Assist, and AnyDesk for remote access. The attackers used Plink and PuTTY for SSH tunneling, which allowed lateral movement within the affected systems. Triofox released a patched version 16.7.10368.56560 on 2025-07-26, and a further updated version 16.10.10408.56683 was made available on 2025-10-14. Users should apply updates immediately to prevent exploitation.
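A small hunt for the tooling named above, added here as an example (it is not code from Mandiant, Google or Gladinet): it scans process-creation records from hosts that run Triofox for the remote access tools and for Plink or PuTTY started with port-forwarding options. The record format, host names, file names and the keyword matching are assumptions of this example.

```python
import ntpath

# Constructed process-creation records: host|image path|command line.
SAMPLE_EVENTS = """\
FS01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
FS01|C:\\Users\\Public\\AnyDesk.exe|AnyDesk.exe
FS01|C:\\Temp\\plink.exe|plink.exe -batch -R 9001:127.0.0.1:3389 user@198.51.100.7
WS22|C:\\Tools\\putty.exe|putty.exe admin@10.0.0.5
FS01|C:\\Temp\\ZohoAssist.exe|ZohoAssist.exe
"""

# Tool names come from the article. Matching on file-name keywords is an
# assumption of this example; a renamed binary would not match.
REMOTE_ACCESS = ("anydesk", "zoho")
SSH_CLIENTS = ("plink", "putty")
# -L, -R and -D are the PuTTY/Plink port-forwarding options.
FORWARD_FLAGS = {"-L": "local", "-R": "remote", "-D": "dynamic"}


def classify(image, cmdline):
    """Return a finding string for one process, or None if it is not of interest."""
    name = ntpath.basename(image).lower()
    if any(keyword in name for keyword in REMOTE_ACCESS):
        return "remote-access tool"
    if any(name.startswith(client) for client in SSH_CLIENTS):
        tokens = cmdline.split()
        for flag, spec in zip(tokens, tokens[1:]):
            if flag in FORWARD_FLAGS:
                return f"ssh {FORWARD_FLAGS[flag]} forward {spec}"
        return "ssh client"
    return None


def hunt(log_text, triofox_hosts):
    """List (host, image name, reason) for suspicious processes on Triofox hosts."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        host, image, cmdline = parts
        if host not in triofox_hosts:
            continue  # an SSH client on an admin workstation is expected
        reason = classify(image, cmdline)
        if reason:
            findings.append((host, ntpath.basename(image), reason))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, {"FS01"}):
        print(*finding, sep="  ")
```

Scoping the hunt to the Triofox servers keeps routine PuTTY use elsewhere out of the results.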
Recommendations for Users
To ensure security, Triofox users are advised to update to the latest version immediately. The vulnerability underscored the importance of timely updates, as attackers took advantage of its presence weeks after the patch was issued. This case serves as a reminder to maintain diligent software management practices.



