Researchers: Actors abused Triofox antivirus feature to execute code as SYSTEM

Security researchers said an attacker group tracked as UNC6485 exploited a critical flaw in Gladinet’s Triofox file-sharing and remote-access platform to achieve remote code execution with SYSTEM privileges using the product’s built-in antivirus feature. The issue exploited is tracked as CVE-2025-12480, and activity was observed by the Google Threat Intelligence Group.

Investigators identified the root cause as an access control logic gap that grants administrator access when the application’s request URL host equals “localhost.” Attackers can spoof that value by manipulating the HTTP Host header to bypass authentication checks. Mandiant noted installations that do not configure an optional TrustedHostIp parameter in web.config are particularly exposed because the localhost check becomes the sole gatekeeper.

Mandiant’s investigation determined UNC6485 issued an HTTP GET request containing a localhost referer value to gain access to the AdminDatabase.aspx setup page. The intruders then created an administrative account named “Cluster Admin,” uploaded a malicious script and configured Triofox to use that path as the location for the antivirus scanner, a change that causes the configured file to run with the Triofox parent process privileges.

According to the researchers, the malicious batch file executed a PowerShell downloader to retrieve a Zoho UEMS installer, which the attackers used to deploy Zoho Assist and AnyDesk for remote access and lateral movement. The intruders also used Plink and PuTTY to establish an SSH tunnel and forward traffic to the system’s RDP port.

Gladinet fixed the vulnerability in Triofox version 16.7.10368.56560, and the researchers recommended that administrators apply the latest security update; the vendor lists the patch in version 16.10.10408.56683. Defenders were also urged to audit administrator accounts, verify that the antivirus configuration does not point to unauthorized scripts or binaries, and review the indicators of compromise provided by the researchers, which are also available on VirusTotal.
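As an added detection example for defenders (not code from the report or from Gladinet), the following Python parses a constructed IIS-style W3C access log and flags requests to the setup page whose Host or Referer claims localhost while the connecting client address is not loopback; the log field names and the AdminDatabase.aspx path suffix are assumptions.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed IIS W3C log excerpt (not from the report); the #Fields header
# drives parsing, so the column order is not hard-coded.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) cs-host sc-status
2025-11-01 10:00:01 10.0.0.5 GET /management/AdminDatabase.aspx - 443 203.0.113.7 Mozilla/5.0 http://localhost/ localhost 200
2025-11-01 10:00:05 10.0.0.5 GET /portal/loginpage.aspx - 443 198.51.100.2 Mozilla/5.0 - files.example.test 200
2025-11-01 10:00:09 10.0.0.5 GET /management/AdminDatabase.aspx - 443 127.0.0.1 Mozilla/5.0 http://localhost/ localhost 200
2025-11-01 10:00:12 10.0.0.5 POST /management/AdminDatabase.aspx - 443 203.0.113.7 Mozilla/5.0 http://localhost/ localhost 302
"""
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}
SETUP_PAGE = "admindatabase.aspx"  # assumed URL path suffix of the setup page

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def claims_localhost(value):
    """True if a Host or Referer value names the loopback host."""
    if not value or value == "-":
        return False
    host = urlparse(value).hostname if "://" in value else value.split(":")[0]
    return (host or "").lower() in LOCAL_NAMES

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def find_spoofed_localhost(text):
    """Setup-page requests whose Host or Referer claims localhost while the
    TCP peer address (c-ip) is not loopback: (timestamp, client ip, method)."""
    hits = []
    for e in parse_w3c(text):
        if not e.get("cs-uri-stem", "").lower().endswith(SETUP_PAGE):
            continue
        spoofed = claims_localhost(e.get("cs-host")) or claims_localhost(e.get("cs(Referer)"))
        if spoofed and not is_loopback(e.get("c-ip", "")):
            hits.append((e["date"] + " " + e["time"], e["c-ip"], e["cs-method"]))
    return hits
```

Behind a reverse proxy, c-ip is the proxy address, so substitute the forwarded client address field your proxy logs before applying the loopback test.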

The incident follows a separate report by Huntress last month that attackers were exploiting a different Gladinet vulnerability, a local file inclusion tracked as CVE-2025-11371, to access system files without authentication; that flaw was later fixed in the same updated release series.