CVE-2025-12480
Published 2025-11-10
Priority P1 · 95 · critical · CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, remediation due 2025-12-03
Exploited in the wild
EPSS: 90.35% (99.8th percentile)
Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to the initial setup pages even after setup is complete.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gladinet | triofox | < 16.7.10368.56560 | 16.7.10368.56560 |
| triofox | triofox | < 16.7.10368.56560 | 16.7.10368.56560 |
Detection & IOCs (extracted from sources)
Suricata rule (ET Open, sid 2065714; the source feed labels it "snort", but the http.uri/http.host sticky buffers and the startswith keyword are Suricata syntax):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gladinet Triofox Authentication Bypass via Initial Setup (CVE-2025-12480)"; flow:established,to_server; http.uri; content:"/management/admin"; fast_pattern; startswith; nocase; pcre:"/^(?:[dD]atabase|[aA]ccount)\x2easpx/R"; http.host; content:"localhost"; reference:url,cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/; reference:cve,2025-12480; classtype:web-application-attack; sid:2065714; rev:1; metadata:affected_product Gladinet_Triofox, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_10, cve CVE_2025_12480, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
The rule fires on a request whose URI starts with /management/admin followed by database.aspx or account.aspx (case-insensitive) while the Host header contains localhost. Its metadata sets tls_state TLSDecrypt: a sensor that sees only the encrypted TLS stream will never match, so the rule needs decryption in front of it on HTTPS-only deployments.
- Exploit is triggered by sending an HTTP GET request to /management/admindatabase.aspx with 'localhost' in the HTTP Host (or Referer) header from an external source; this is the authentication bypass mechanism for CVE-2025-12480.
- Hunt for creation of a new administrator account named 'Cluster Admin' in Triofox; this is the persistence account created by UNC6485 post-exploitation.
- Audit the Triofox antivirus scanner path configuration: if it points to an unauthorized script or binary, it will execute under SYSTEM context and indicates compromise.
- Detect post-exploitation tooling: presence of Zoho UEMS installer, Zoho Assist, AnyDesk, Plink, and PuTTY on Triofox servers is a strong indicator of UNC6485 activity.
- The Nuclei template matcher checks for 'Triofox Enterprise', 'Manage Database', and 'Configure Database' in the HTTP 200 response body of /management/admindatabase.aspx to confirm vulnerable exposure.
- A malicious batch script executed a PowerShell downloader to fetch a payload from an external address; monitor for PowerShell spawned from the Triofox parent process (SYSTEM context).
- Default installations without the optional TrustedHostIp parameter set in web.config are fully exposed: the 'localhost' Host header check becomes the sole authentication gatekeeper.
- The root cause is an access control logic gap where admin access is granted when the request URL host equals 'localhost', which attackers spoof via the HTTP Host header.
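The access-control gap described in the last two bullets, modelled in Python as an added example. This is not Triofox code (the real check is ASP.NET, which this page does not reproduce); it only follows what the sources state: the setup pages open when the request URL host is 'localhost' or an entry in the optional TrustedHostIp list, and the URL host is derived from the client-controlled Host header. TrustedHostIp is modelled as a tuple of strings, an assumption, since the sources name the parameter but not its format. The vulnerable gate is shown beside a hardened one that decides on the TCP peer address and closes the pages once setup is complete.

```python
"""CVE-2025-12480 access-control gap, modelled in Python (added example,
not Triofox code). TrustedHostIp is assumed to be a tuple of strings."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """Only the fields the gate consults (a constructed model, not a real request)."""
    host_header: str           # attacker-controlled: whatever the client sent as Host
    remote_addr: str           # TCP peer address as observed by the server
    setup_complete: bool = True


def url_host(req: Request) -> str:
    """Request.Url.Host in ASP.NET comes from the Host header; strip a trailing port."""
    host = req.host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def vulnerable_setup_allowed(req: Request, trusted_host_ips: tuple[str, ...] = ()) -> bool:
    """The flawed gate: trusts the host name in the URL and never asks whether
    setup already finished. With TrustedHostIp unset, 'Host: localhost' from
    any client address is enough (the sole gatekeeper named in the IOCs)."""
    host = url_host(req)
    return host == "localhost" or host in trusted_host_ips


def hardened_setup_allowed(req: Request, trusted_host_ips: tuple[str, ...] = ()) -> bool:
    """A hardened gate (written for this example, not the vendor's patch):
    the setup pages are closed once setup is complete, and while they are open
    the decision rests on the peer address the server saw, never on Host."""
    if req.setup_complete:
        return False
    peer = ipaddress.ip_address(req.remote_addr)
    if peer.is_loopback:
        return True
    trusted = set()
    for entry in trusted_host_ips:
        try:
            trusted.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # a bare host name cannot be matched safely to a peer; ignore it
    return peer in trusted


if __name__ == "__main__":
    # Constructed requests: a remote client spoofing Host, and a local admin during setup.
    cases = {
        "remote, Host: localhost, setup done": Request("localhost", "203.0.113.5"),
        "loopback, public Host, setup running": Request("files.example.com", "127.0.0.1", False),
    }
    for label, req in cases.items():
        print(f"{label:40s} vulnerable={vulnerable_setup_allowed(req)!s:5} hardened={hardened_setup_allowed(req)}")
```

The hardened variant deliberately compares the peer address, so a Triofox instance fronted by a reverse proxy would see the proxy's address, not the client's; in that topology the trusted list must name the proxy and the proxy must enforce the restriction itself.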
CVSS provenance
- NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- VulnCheck: 9.1 CRITICAL
- CISA: 9.1 CRITICAL
CISA
Gladinet Triofox Improper Access Control Vulnerability
cisa·2025-11-12·CVSS 9.1
CVE-2025-12480 [CRITICAL] CWE-284 Gladinet Triofox Improper Access Control Vulnerability
Vulnerability: Gladinet Triofox Improper Access Control Vulnerability
Affected: Gladinet Triofox
Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://access.triofox.com/releases_history ; https://nvd.nist.gov/vuln/detail/CVE-2025-12480
Remediation Due Date: 2025-12-03
GHSA
GHSA-26hx-622f-3855: Triofox versions prior to 16
ghsa_unreviewed·2025-11-10
CVE-2025-12480 [CRITICAL] CWE-284 GHSA-26hx-622f-3855: Triofox versions prior to 16
Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.
VulnCheck
Gladinet Triofox Improper Access Control Vulnerability
vulncheck·2025·CVSS 9.1
CVE-2025-12480 [CRITICAL] CWE-284 Gladinet Triofox Improper Access Control Vulnerability
Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.
Affected: Gladinet Triofox
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://research.checkpoint.com/2025/17th-november-threat-intelligence-report/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-26&host_type=src&vul
Suricata
ET WEB_SPECIFIC_APPS Gladinet Triofox Authentication Bypass via Initial Setup (CVE-2025-12480)
suricata·2025-11-10·CVSS 9.1
CVE-2025-12480 [CRITICAL] ET WEB_SPECIFIC_APPS Gladinet Triofox Authentication Bypass via Initial Setup (CVE-2025-12480)
Rule: sid 2065714, reproduced in full under Detection & IOCs above.
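The request-side signature of ET sid 2065714, re-implemented over IIS W3C log lines so the same pattern can be hunted retrospectively where no sensor saw decrypted traffic. This is an added example, not Proofpoint's, Google's or Gladinet's code. It assumes the IIS site logs the cs-host and cs(Referer) fields (cs-host is not in IIS's default W3C field set and must be enabled), and the log lines below are constructed.

```python
"""Hunt for CVE-2025-12480 exploitation attempts in IIS W3C logs.

Added example (not vendor or researcher code). Assumes cs-host and
cs(Referer) are logged; the sample log below is constructed."""
import ipaddress
import re

# Setup pages named by the rule: /management/admin{database,account}.aspx, any case.
SETUP_PAGE_RE = re.compile(r"^/management/admin(?:database|account)\.aspx$", re.IGNORECASE)

# Constructed sample: two spoofed-Host hits, one genuine on-box access,
# one unrelated request, and one hit signalled only by the Referer.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-host cs(Referer) sc-status
2025-08-24 10:15:02 10.0.0.10 GET /management/AdminDatabase.aspx - 443 203.0.113.5 localhost - 200
2025-08-24 10:15:09 10.0.0.10 GET /management/AdminAccount.aspx - 443 203.0.113.5 localhost - 200
2025-08-24 10:20:00 10.0.0.10 GET /management/AdminDatabase.aspx - 443 127.0.0.1 localhost - 200
2025-08-24 10:21:00 10.0.0.10 GET /favicon.ico - 443 198.51.100.7 files.example.com - 200
2025-08-24 10:22:00 10.0.0.10 GET /management/AdminDatabase.aspx - 443 203.0.113.9 files.example.com http://localhost/ 200
"""


def parse_w3c(log_text: str) -> list[dict]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_setup_page_abuse(log_text: str) -> list[dict]:
    """Return hits: a setup page requested with a spoofed 'localhost' Host header
    (or a localhost Referer) from a non-loopback client address."""
    hits = []
    for row in parse_w3c(log_text):
        if not SETUP_PAGE_RE.match(row.get("cs-uri-stem", "")):
            continue
        host = row.get("cs-host", "-").split(":")[0].lower()
        referer = row.get("cs(Referer)", "-").lower()
        spoofed_host = host == "localhost"
        localhost_referer = "localhost" in referer
        if not (spoofed_host or localhost_referer):
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue
        if client.is_loopback:
            continue  # an administrator running setup on the box itself
        hits.append({
            "time": f"{row.get('date')} {row.get('time')}",
            "client": str(client),
            "uri": row["cs-uri-stem"],
            "status": row.get("sc-status"),
            "reason": "host=localhost" if spoofed_host else "referer=localhost",
        })
    return hits


if __name__ == "__main__":
    for hit in find_setup_page_abuse(SAMPLE_LOG):
        print(hit)
```

Hits are not filtered on sc-status: a 200 confirms exposure (the condition the Nuclei matcher checks), but any attempt deserves triage. Behind a reverse proxy c-ip is the proxy's address, so substitute whichever forwarded-client field the proxy logs before applying the loopback exclusion.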
Nuclei
Triofox - Improper Access Control
nuclei·CVSS 9.1
CVE-2025-12480 [CRITICAL] Triofox - Improper Access Control
The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely access, view, and potentially interact with the database management interface, risking data disclosure or system compromise.
Template (as published; truncated in the source):
```yaml
id: CVE-2025-12480
info:
  name: Triofox - Improper Access Control
  author: johnk3r,gti
  severity: critical
  description: |
    The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management func
```
The version numbers in this template's description do not match the vendor fix version 16.7.10368.56560 given in the Affected table above; use the vendor release history, not the template text, to decide patch status.
Checkpoint
17th November – Threat Intelligence Report
blogs_checkpoint·2025-11-17·CVSS 9.8
CVE-2025-61882 [CRITICAL] 17th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed breach involving the British National Health Service (NHS). The group has leaked data sets rangi
Bleepingcomputer
Hackers abuse Triofox antivirus feature to deploy remote access tools
blogs_bleepingcomputer·2025-11-11·CVSS 9.1
CVE-2025-12480 [CRITICAL] Hackers abuse Triofox antivirus feature to deploy remote access tools
By Bill Toulas
Hackers exploited a critical vulnerability and the built-in antivirus feature in Gladinet's Triofox file-sharing and remote-access platform to achieve remote code execution with SYSTEM privileges.
The security issue leveraged in the attack is CVE-2025-12480 and can be used to bypass authentication and obtain access to the application's setup pages.
Security researchers at Google Threat Intelligence Group (GTIG) discovered the malicious activity on August 24, after a threat cluster tracked internally as UNC6485 targeted a Triofox server running version 16.4.10317.56372, released on April 3.
The root cause for CVE-2025-12480 is an access control logic gap where admin access is granted when the applic
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·CVSS 5.4
CVE-2025-64446 [MEDIUM] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
# November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
Threat Intel
UNC6485
threat_intel·CVSS 9.1
CVE-2025-12480 [CRITICAL] UNC6485
# Threat Actor: UNC6485
## Description
UNC6485 is a cyber-espionage group exploiting CVE-2025-12480 in Gladinet’s Triofox file-sharing platform to gain initial network access and establish long-term persistence. They create unauthorized administrative accounts and deploy RATs, utilizing legitimate tools like Zoho Assist and AnyDesk to evade detection. Their TTPs indicate a sophisticated understanding of the platform, allowing them to blend malicious activities with legitimate administrative actions.
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
References:
- https://access.triofox.com/releases_history/
- https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md
- https://www.triofox.com/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-12480
Timeline
- 2025-11-10: Published
- 2025-11-12: Added to CISA KEV
- Exploited in the wild