A critical vulnerability in the Triofox file-sharing platform is being actively exploited by threat actors to gain full system control. The attackers are using a clever technique: they are weaponizing the platform’s own built-in antivirus feature to download and execute remote access tools, effectively turning a security function into an attack vector.
The Authentication Bypass Vulnerability
The flaw, tracked as CVE-2025-12480 (CVSS score: 9.1), is an authentication bypass issue in Gladinet’s Triofox. It allows an unauthenticated attacker to access the platform’s initial configuration pages, which are supposed to be locked down after the initial setup.

According to Google’s Mandiant, a threat cluster known as UNC6485 has been weaponizing this flaw since August 24, 2025—nearly a month after a patch was made available in version 16.7.10368.56560. This is the third Triofox vulnerability to be exploited this year, highlighting the platform’s attractiveness to attackers.
The Attack Chain: From Bypass to SYSTEM Privileges
The attack follows a clear and dangerous sequence:
- Initial Access: The attacker exploits CVE-2025-12480 to reach the configuration pages.
- Admin Account Creation: They re-run the setup process to create a new, malicious native admin account named “Cluster Admin.”
- Antivirus Weaponization: After logging in with the new admin account, the attacker navigates to the antivirus settings. This feature allows an administrator to specify a custom path for the antivirus engine. The attackers point this path to a malicious batch script they have uploaded, named centre_report.bat.
- SYSTEM-Level Execution: Crucially, any file specified as the antivirus scanner runs with the highest SYSTEM account privileges, giving the malicious script complete control over the host.
Deployment of Remote Access Tools and Persistence
The malicious batch script (centre_report.bat) acts as a downloader. Its primary function is to fetch the installer for the Zoho Unified Endpoint Management System (UEMS) from a remote attacker-controlled server.

Once Zoho UEMS is installed, the attackers use it to deploy legitimate remote access programs like Zoho Assist and AnyDesk, providing them with persistent, hands-on-keyboard access to the compromised system.
With this access, the attackers performed reconnaissance, attempted to change passwords for existing accounts, and added them to privileged groups like “Domain Admins” for escalation. To further evade detection, they used tools like Plink and PuTTY to create encrypted SSH tunnels, aiming to route inbound RDP traffic stealthily.