CVE-2025-12480
published 2025-11-10


Priority: P1 (95) · critical · CVSS 3.1: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-12-03
Exploited in the wild
EPSS: 90.35% (99.8th percentile)
Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

Affected (2 ranges)

Vendor     Product   Version range         Fixed in
gladinet   triofox   < 16.7.10368.56560    16.7.10368.56560
triofox    triofox   < 16.7.10368.56560    16.7.10368.56560

Detection & IOCs (extracted from sources)

path: /management/admindatabase.aspx
command: GET /management/admindatabase.aspx HTTP/1.1 Host: localhost
other: shodan: http.favicon.hash:-177043778
other: fofa: icon_hash="-177043778"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gladinet Triofox Authentication Bypass via Initial Setup (CVE-2025-12480)"; flow:established,to_server; http.uri; content:"/management/admin"; fast_pattern; startswith; nocase; pcre:"/^(?:[dD]atabase|[aA]ccount)\x2easpx/R"; http.host; content:"localhost"; reference:url,cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/; reference:cve,2025-12480; classtype:web-application-attack; sid:2065714; rev:1; metadata:affected_product Gladinet_Triofox, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_10, cve CVE_2025_12480, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit is triggered by sending an HTTP GET request to /management/admindatabase.aspx with 'localhost' in the HTTP Host (or Referer) header from an external source — this is the authentication bypass mechanism for CVE-2025-12480.
  • Hunt for creation of a new administrator account named 'Cluster Admin' in Triofox — this is the persistence account created by UNC6485 post-exploitation.
  • Audit the Triofox antivirus scanner path configuration — if it points to an unauthorized script or binary, it will execute under SYSTEM context and indicates compromise.
  • Detect post-exploitation tooling: presence of Zoho UEMS installer, Zoho Assist, AnyDesk, Plink, and PuTTY on Triofox servers is a strong indicator of UNC6485 activity.
  • The Nuclei template matcher checks for 'Triofox Enterprise', 'Manage Database', and 'Configure Database' in the HTTP 200 response body of /management/admindatabase.aspx to confirm vulnerable exposure.
  • A malicious batch script executed a PowerShell downloader to fetch a payload from an external address — monitor for PowerShell spawned from the Triofox parent process (SYSTEM context).
  • Default installations without the optional TrustedHostIp parameter set in web.config are fully exposed — the 'localhost' Host header check becomes the sole authentication gatekeeper.
  • The root cause is an access control logic gap where admin access is granted when the request URL host equals 'localhost', which attackers spoof via the HTTP Host header.
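The Snort rule and the first hunting bullet above describe the same condition: a request for /management/admindatabase.aspx or /management/adminaccount.aspx whose Host header claims to be 'localhost', arriving from a non-loopback client. The following is an added example, not part of the CVE record and not Gladinet code, that applies that same logic to access-log lines so the check can be run retrospectively over proxy or IIS logs. The one-request-per-line log format, the sample lines and all IP addresses are constructed for the example; only the URI and Host conditions come from the rule on this page.

```python
"""Retrospective check for CVE-2025-12480-style requests in HTTP access logs.

Added example: mirrors the Snort rule's URI + Host logic in Python.
Assumed (hypothetical) log format, one request per line:
    <client_ip> "<METHOD> <URI> <PROTO>" <Host header> <status>
"""
import re
from ipaddress import ip_address

# Constructed sample lines in the hypothetical format above (not real Triofox logs).
SAMPLE_LOG = """\
203.0.113.7 "GET /management/admindatabase.aspx HTTP/1.1" localhost 200
203.0.113.7 "GET /management/AdminAccount.aspx?x=1 HTTP/1.1" localhost:443 200
198.51.100.4 "GET /management/admindatabase.aspx HTTP/1.1" triofox.example.com 302
127.0.0.1 "GET /management/admindatabase.aspx HTTP/1.1" localhost 200
203.0.113.9 "GET /portal/loginpage.aspx HTTP/1.1" triofox.example.com 200
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" '
    r'(?P<host>\S+) (?P<status>\d{3})$'
)

# Same URI condition as the Snort rule: /management/admin + (database|account) + .aspx.
# Matched case-insensitively, on the assumption that IIS treats paths case-insensitively.
SETUP_PAGE = re.compile(r"^/management/admin(?:database|account)\.aspx$", re.IGNORECASE)


def is_setup_page_request(uri: str, host: str) -> bool:
    """True when the path is an initial-setup page and the Host header claims localhost."""
    path = uri.split("?", 1)[0]  # ignore any query string
    # Snort's content:"localhost" is a substring test, so "localhost:443" also matches.
    return bool(SETUP_PAGE.match(path)) and "localhost" in host.lower()


def is_external(client_ip: str) -> bool:
    """Loopback sources can be genuine local setup; anything else deserves an alert."""
    try:
        return not ip_address(client_ip).is_loopback
    except ValueError:
        return True  # unparsable address: keep it visible rather than drop it silently


def detect_setup_page_abuse(log_text: str) -> list:
    """Return one finding per matching log line, marking non-loopback clients as external."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m or not is_setup_page_request(m["uri"], m["host"]):
            continue
        findings.append({
            "line": lineno,
            "client_ip": m["ip"],
            "uri": m["uri"],
            "host": m["host"],
            "status": int(m["status"]),
            "external": is_external(m["ip"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_setup_page_abuse(SAMPLE_LOG):
        level = "ALERT" if f["external"] else "INFO"
        print(f"{level}: line {f['line']} {f['client_ip']} -> {f['uri']} "
              f"(Host: {f['host']}, status {f['status']})")
```

Against the constructed sample, lines 1 and 2 are flagged as external hits (the second shows that case and a query string do not defeat the match), line 4 is reported at info level because it genuinely came from loopback, and lines 3 and 5 are ignored. A 200 status on a flagged line is the stronger signal, since the Nuclei matcher described above keys on a 200 response from the setup page.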

CVSS provenance

nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 9.1 CRITICAL
cisa: 9.1 CRITICAL