Researchers uncovered active exploitation of an unauthenticated access vulnerability (CVE-2025-12480) in Gladinet’s Triofox remote access platform by the threat cluster UNC6485. The flaw, present in versions before 16.7.10368.56560, allowed attackers to bypass authentication using a manipulated Host header, gaining access to configuration and setup pages. From there, the attackers created a new admin account and leveraged Triofox’s anti-virus configuration feature to execute arbitrary scripts under SYSTEM privileges. The initial foothold was obtained through a crafted HTTP request whose Host header was set to localhost, so that access controls intended only for requests from trusted (local) hosts were effectively bypassed.
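Because the bypass hinges on the application trusting the client-supplied Host header, a defender can hunt for it in web server access logs by pairing the Host value with the real client IP: a request claiming to come from localhost but arriving from a non-loopback address is the signal. The following is an added example, not code from the report or from Triofox; the space-separated log layout, field order and paths in the constructed sample lines are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample access log (not real Triofox logs). Assumed field layout:
# date time client_ip method uri status host_header
SAMPLE_LOG = """\
2025-11-10 14:02:11 203.0.113.45 GET /setup-page 200 localhost
2025-11-10 14:02:12 127.0.0.1 GET /setup-page 200 localhost
2025-11-10 14:03:07 203.0.113.45 POST /login 302 triofox.example.com
2025-11-10 14:04:30 198.51.100.9 GET /config-page 200 127.0.0.1:80
2025-11-10 14:05:02 ::1 GET /config-page 200 [::1]:443
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class LogEntry:
    client_ip: str
    method: str
    uri: str
    status: str
    host: str


def _strip_port(host_header: str) -> str:
    """Return the host part of a Host header, handling [v6]:port and name:port."""
    if host_header.startswith("["):
        return host_header[1:host_header.index("]")]
    return host_header.rsplit(":", 1)[0] if host_header.count(":") == 1 else host_header


def _is_loopback_addr(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def host_claims_loopback(host_header: str) -> bool:
    """True when the Host header names localhost / 127.0.0.0/8 / ::1."""
    host = _strip_port(host_header).lower()
    return host in LOOPBACK_NAMES or _is_loopback_addr(host)


def find_spoofed_localhost(log_text: str) -> list[LogEntry]:
    """Flag requests whose Host header claims loopback but whose client IP is not loopback."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed or differently-shaped lines
        entry = LogEntry(*parts[2:])
        if host_claims_loopback(entry.host) and not _is_loopback_addr(entry.client_ip):
            findings.append(entry)
    return findings
```

Requests genuinely originating on the server (client 127.0.0.1 or ::1) are not flagged; if a reverse proxy sits in front of the application, substitute the forwarded client address for the socket address before applying the check.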
Following compromise, UNC6485 deployed a multi-stage attack chain involving remote administration tools and lateral movement techniques. The attackers uploaded and executed a batch script through the anti-virus engine path, which downloaded a disguised Zoho UEMS installer from 84.200.80[.]252. This legitimate tool was abused to deploy Zoho Assist and AnyDesk, establishing persistent remote access. They then performed reconnaissance, privilege escalation, and defense evasion, including using renamed PuTTY (silcon.exe) and Plink (sihosts.exe) utilities to set up an SSH reverse tunnel over port 433, allowing inbound RDP connections. Mandiant confirmed that the issue is resolved in the latest Triofox release and recommended upgrading immediately.