Critical Triofox bug exploited to run malicious payloads via AV configuration

Hackers exploited Triofox flaw CVE-2025-12480 to bypass auth and install remote access tools via the platform’s antivirus feature.

Google’s Mandiant researchers spotted threat actors exploiting a now-patched Triofox flaw, tracked as CVE-2025-12480 (CVSS score of 9.1) that allows them to bypass authentication to upload and run remote access tools via the platform’s antivirus feature.

Mandiant has been tracking the ongoing exploitation of the Triofox flaw CVE-2025-12480 to threat cluster UNC6485.

“As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution.” reads the report published by Mandiant.

Mandiant leveraged Google Security Operations to detect suspicious activity on a customer’s Triofox server involving PLINK-based RDP tunneling and file downloads to temp directories.

It’s the third Triofox bug abused this year, following CVE-2025-30406 and CVE-2025-11371. The update blocks access to configuration pages after setup, but attackers exploited unauthenticated access to create a new admin account, “Cluster Admin,” through the setup process, using it for further malicious activity across compromised systems.

Mandiant found a suspicious HTTP request showing an external source using a “localhost” host header, a circumstance suggesting an exploit. Testing showed that Triofox pages like AdminAccount.aspx and AdminDatabase.aspx should redirect to “Access Denied,” but changing the Host header to “localhost” bypassed these controls, granting access to the admin setup process and enabling creation of new admin accounts. Analysis revealed the vulnerable CanRunCriticalPage() function in GladPageUILib.dll, which grants access if the Host equals “localhost.” The flaw lets attackers fake the Host header to bypass checks, has no way to verify where requests really come from, and only relies on easily misconfigured settings for protection.

The attacker used the newly created admin account to upload and run a malicious batch via Triofox’s antivirus feature by pointing the AV path to their script, which executed with SYSTEM privileges. Uploading any file to a published share triggered the script. The batch ran a PowerShell downloader that fetched a disguised payload from http://84.200.80[.]252 (saved as C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe) and launched it silently. The payload installed Zoho UEMS, which the attacker abused to deploy Zoho Assist and AnyDesk for remote access. Attackers enumerated SMB sessions and user accounts using Zoho Assist, then tried password changes and privilege escalation (adding accounts to local admins and Domain Admins). For persistence and C2 tunneling they downloaded plink-like tools (sihosts.exe, silcon.exe) into C:\Windows\Temp and established an SSH reverse tunnel over port 433 to 216.107.136[.]46, forwarding remote RDP (127.0.0.1:3389) to the attacker-controlled host.

“While this vulnerability is patched in the Triofox version 16.7.10368.56560, Mandiant recommends upgrading to the latest release. In addition, Mandiant recommends auditing admin accounts, and verifying that Triofox’s Anti-virus Engine is not configured to execute unauthorized scripts or binaries.” concludes the report. “Security teams should also hunt for attacker tools using our hunting queries listed at the bottom of this post, and monitor for anomalous outbound SSH traffic.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Triofox)