Critical Triofox Zero-Day (CVE-2025-12480): Unauthenticated Admin Takeover Through Host Header Bypass
- Nov 11, 2025
Key Findings
Researchers at Mandiant Threat Defense, part of Google Cloud Security Operations, have revealed a critical unauthenticated access vulnerability in Gladinet's Triofox file-sharing platform (CVE-2025-12480).
The vulnerability allowed attackers to bypass authentication, create administrative accounts, and achieve SYSTEM-level code execution through a chained attack path.
The exploitation campaign was first detected on August 24, 2025, when Google Threat Intelligence Group (GTIG) observed a threat cluster tracked as UNC6485 leveraging the Triofox flaw in combination with abuse of the product's built-in antivirus feature.
Gladinet has released a fix, and the vulnerability is resolved in newer versions of Triofox.
Background
Triofox is a file-sharing platform developed by Gladinet, a cloud storage and collaboration software company.
The vulnerability (CVE-2025-12480) allowed unauthenticated attackers to bypass security controls and gain administrative access to the Triofox web interface.
Mandiant's Google Security Operations (SecOps) platform detected anomalous activity indicating potential exploitation of Triofox servers, leading to the investigation.
Technical Details
The root cause of CVE-2025-12480 was a flawed access-control check in the Triofox web interface: the application decided whether a request came from the local machine by inspecting the HTTP Host header, a value that is entirely under the client's control.
Critical configuration pages, including the initial setup pages, were therefore reachable by any remote client that sent a request with the Host header set to "localhost", because the application treated such a request as if it had originated on the server itself.
No authentication was enforced on these pages, so an unauthenticated attacker could re-run the setup process remotely and use it to create a new administrative account.
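The following Python snippet is an added illustration of the design flaw described above; it is not Triofox code (Triofox is a .NET/IIS application) and the request model, page names and state flags are hypothetical. It puts a Host-header "is this local?" decision beside a hardened version that uses the TCP peer address and refuses to serve setup pages at all once first-run setup has completed, then replays a spoofed remote request against both.

```python
import ipaddress
from dataclasses import dataclass, field


# Hypothetical request model for the illustration; the real Triofox handler is not shown here.
@dataclass
class Request:
    remote_addr: str                     # peer IP as reported by the TCP stack
    headers: dict = field(default_factory=dict)
    is_admin: bool = False               # outcome of the application's own session check


@dataclass
class AppState:
    setup_completed: bool = True         # a deployed instance has finished first-run setup


def host_header_says_local(req: Request) -> bool:
    """Flawed check: trusts the client-supplied Host header."""
    host = req.headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host == "localhost"


def peer_is_loopback(req: Request) -> bool:
    """Hardened check: uses the socket peer address, which a remote client cannot forge over TCP."""
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def vulnerable_setup_allowed(req: Request, state: AppState) -> bool:
    # Setup/config pages open to anything that merely "looks local", regardless of setup state.
    return host_header_says_local(req) or req.is_admin


def hardened_setup_allowed(req: Request, state: AppState) -> bool:
    # Once setup is complete, the setup pages require an authenticated admin session, nothing else.
    if state.setup_completed:
        return req.is_admin
    # Before setup, accept only connections that really originate on the host itself.
    return peer_is_loopback(req)


def demo() -> dict:
    """Replays the bypass against both checks. Returns {scenario: allowed}."""
    deployed = AppState(setup_completed=True)
    first_run = AppState(setup_completed=False)
    # Constructed attacker request: remote source, Host forged to 'localhost', no session.
    spoofed = Request(remote_addr="203.0.113.10", headers={"Host": "localhost"})
    # Constructed legitimate request from the server's own console.
    local = Request(remote_addr="127.0.0.1", headers={"Host": "127.0.0.1:8080"})
    return {
        "vulnerable_remote_spoof": vulnerable_setup_allowed(spoofed, deployed),
        "hardened_remote_spoof": hardened_setup_allowed(spoofed, deployed),
        "hardened_local_first_run": hardened_setup_allowed(local, first_run),
        "hardened_local_after_setup": hardened_setup_allowed(local, deployed),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'ALLOWED' if allowed else 'denied'}")
```

The hardened version still has a caveat a practitioner should keep in mind: if the application sits behind a reverse proxy on the same host, the peer address is the proxy's loopback address for every client, so the loopback test must then be applied to the proxy's forwarded-client information, and only after the proxy itself has been configured to overwrite, never pass through, any client-supplied forwarding headers.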
Once inside, the attackers used their newly created admin account against Triofox's antivirus configuration feature, which lets an administrator specify the path of the antivirus scanner the service should run; because the Triofox service runs with SYSTEM privileges, whatever executable is configured there runs as SYSTEM.
The attackers pointed this setting at a malicious batch script, which downloaded and executed a second-stage payload masquerading as a legitimate software installer.
The payload was a Zoho Unified Endpoint Management System (UEMS) installer, which the attackers used to deploy the Zoho Assist and AnyDesk remote access tools.
The attackers then used PuTTY and Plink to build an SSH tunnel that carried RDP traffic inside an encrypted channel on TCP port 433, giving them covert persistent access while hiding the RDP sessions from perimeter controls that watch for RDP on its usual port.
Impact and Mitigation
Successful exploitation of CVE-2025-12480 gave the threat actor full control of the targeted Triofox servers, and with it access to the files the platform stores and a SYSTEM-level foothold on a host that is typically reachable from both the internet and the internal network.
Mandiant has confirmed that Gladinet has released a fix, and the vulnerability is resolved in newer versions of Triofox.
Organizations using Triofox should update to the latest version. Because the chain leaves durable artifacts behind, patching alone is not enough on a server that was exposed before the update: review the list of Triofox administrator accounts for any the organization did not create, inspect the antivirus engine path configured in Triofox for anything other than the expected scanner binary, and look for the Zoho UEMS installer, Zoho Assist, AnyDesk, PuTTY or Plink on the host and for outbound SSH connections on port 433.
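As an added example of how to hunt for the bypass in web server logs (this is not from the original report or from Gladinet), the script below parses a constructed IIS W3C-style excerpt and flags requests whose Host header claims a local origin while the TCP peer address is not loopback. The log lines and the page paths in them are invented for the illustration; only the triage logic matters. Note that IIS does not log the cs-host field by default, so it has to be enabled in the site's logging configuration for this hunt to work on real data.

```python
import ipaddress
from typing import Iterator

# Constructed IIS W3C-style log excerpt (not real Triofox logs). cs-host is the Host header
# the client sent; c-ip is the TCP peer. The URI paths are hypothetical placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 03:12:01 10.0.0.5 GET /portal/login.aspx triofox.example.com 200
2025-08-24 03:14:22 203.0.113.10 GET /setup/initialize.aspx localhost 200
2025-08-24 03:14:40 203.0.113.10 POST /setup/createadmin.aspx localhost 302
2025-08-24 03:20:05 203.0.113.10 POST /admin/antivirus-settings.aspx triofox.example.com 200
2025-08-24 03:21:13 127.0.0.1 GET /setup/initialize.aspx localhost 200
"""

# Host header values that the flawed check would have accepted as "local".
LOCAL_HOST_VALUES = {"localhost", "127.0.0.1"}


def parse_w3c(text: str) -> Iterator[dict]:
    """Parses W3C extended log lines, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign its columns
        yield dict(zip(fields, values))


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_spoofed_local_requests(text: str) -> list:
    """Returns entries whose Host header claims a local origin but whose peer IP is not loopback."""
    hits = []
    for entry in parse_w3c(text):
        host = entry.get("cs-host", "").split(":", 1)[0].lower()
        if host in LOCAL_HOST_VALUES and not is_loopback(entry["c-ip"]):
            hits.append(entry)
    return hits


def summarize(hits: list) -> dict:
    """Groups suspicious requests by source IP so each source can be triaged as one actor."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["c-ip"], []).append(
            f'{h["cs-method"]} {h["cs-uri-stem"]} -> {h["sc-status"]}'
        )
    return by_ip


if __name__ == "__main__":
    for ip, requests in summarize(find_spoofed_local_requests(SAMPLE_LOG)).items():
        print(f"{ip}:")
        for r in requests:
            print(f"  {r}")
```

Any hit from this hunt is worth a closer look even on a patched server: a remote client has no legitimate reason to present a Host header of localhost, and on an unpatched server the request immediately following such a hit is the one to examine for account creation. The genuine local request at the end of the sample is correctly left out.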
Sources
https://securityonline.info/critical-triofox-zero-day-cve-2025-12480-under-active-exploit-host-header-bypass-allows-unauthenticated-admin-takeover/