🚨 CRITICAL intel

CVE-2025-12480 - Triofox Auth Bypass Enables SYSTEM-Level RCE

Triofox file-sharing platform (v16.4.10317.56372) has a critical authentication bypass (CVE-2025-12480, CVSS 9.1) that UNC6485 actively exploited starting August 24, 2025. The attack chain is elegant: attackers manipulate HTTP host headers to "localhost", abusing the CanRunCriticalPage() function that improperly trusts the host header without verifying request origin. This grants access to protected configuration pages that create a native admin account called "Cluster Admin" through the setup process. Once authenticated, attackers leverage Triofox's antivirus feature—which lets users specify arbitrary paths for antivirus executables—to run malicious code at SYSTEM level. UNC6485 deployed centre_report.bat scripts that downloaded Zoho UEMS installers from 84.200.80[.]252, establishing remote access via Zoho Assist and AnyDesk. They also used Plink and PuTTY to create encrypted SSH tunnels to C2 over port 433, enabling persistent inbound RDP access. The vulnerability combines improper host header validation with privileged antivirus configuration—a dangerous pairing in enterprise file-sharing infrastructure. Gladinet patched this in v16.7.10368.56560. Earlier in 2025, Triofox also suffered CVE-2025-30406 (RCE via cryptographic key management) and CVE-2025-11371 (ViewState forgery leading to deserialization attacks).

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The host header manipulation is textbook HTTP smuggling tradecraft, but the real damage comes from chaining it with SYSTEM-level antivirus execution. UNC6485 essentially turned a security feature (antivirus integration) into a privilege escalation vector. The Cluster Admin account creation through setup pages is clever—it looks like legitimate administrative activity rather than exploitation. The use of legitimate remote access tools (Zoho, AnyDesk) after initial compromise helps blend into normal IT support traffic.

Strategic Intelligence Guidance

  • Patch Triofox to v16.7.10368.56560+ and enforce MFA plus IP allowlisting on admin portals.
  • Add upstream WAF rules to block host-header spoofing; validate X-Forwarded-Host and canonical host.
  • Continuously hunt for unauthorized ‘Cluster Admin’, abnormal AV path entries, and outbound SSH tunnels.
  • Segment Triofox from sensitive networks; apply JIT admin access and mandatory credential rotation.
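The host-header allowlist from the second bullet and the hunt from the third, as an added illustration (not Gladinet's or Mandiant's code): `host_is_trusted` replaces the "trust the request if Host says localhost" pattern described above with a strict allowlist, and `find_spoofed_localhost` flags access-log entries that claim a loopback Host while arriving from a remote client. The hostnames, the `/admin/setup.aspx` path and the log lines are constructed placeholders, and the simplified log layout is an assumption.

```python
import ipaddress
import re
from typing import Optional

# Hostnames the Triofox front end is legitimately served under
# (placeholder values; a deployment would load these from configuration).
ALLOWED_HOSTS = {"files.example.com", "triofox.example.com"}

def _hostname(value: str) -> str:
    """Normalise a Host/X-Forwarded-Host value: strip the port, lower-case."""
    return value.strip().lower().split(":", 1)[0]

def _claims_loopback(hostname: str) -> bool:
    """True if the hostname names the local machine (localhost, 127.x.x.x, ::1)."""
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False

def host_is_trusted(host_header: str, forwarded_host: Optional[str] = None) -> bool:
    """Allowlist check standing in for the weak 'Host == localhost' trust.
    Every host-identifying header that is present must name a known public
    hostname; loopback names are never accepted from the network path."""
    for value in (host_header, forwarded_host):
        if value is None:
            continue
        name = _hostname(value)
        if _claims_loopback(name) or name not in ALLOWED_HOSTS:
            return False
    return True

# Constructed access-log lines in a simplified "client_ip method path host status"
# layout; the /admin/setup.aspx path is a placeholder, not a real Triofox URL.
CONSTRUCTED_LOG = """\
203.0.113.7 GET /portal/index.html files.example.com 200
198.51.100.23 GET /admin/setup.aspx localhost 200
127.0.0.1 GET /admin/setup.aspx localhost 200
203.0.113.9 POST /admin/setup.aspx 127.0.0.1 302
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_spoofed_localhost(log_text: str) -> list:
    """Hunt rule: requests whose Host claims loopback but whose client IP is remote."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client_ip, _method, path, host, _status = m.groups()
        if _claims_loopback(_hostname(host)) and not ipaddress.ip_address(client_ip).is_loopback:
            hits.append((client_ip, path, host))
    return hits
```

Genuine loopback-origin requests (third constructed line) are not flagged, so the rule stays quiet for local administration while surfacing the externally sourced spoofs.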

CVEs

CVE-2025-12480

Vendors

Gladinet, Triofox, Mandiant

Threats

UNC6485

Targets

File sharing platforms, Windows servers