
Security Bulletin: Gladinet Triofox Improper Access Control Leading to Unauthenticated Remote Access and Code Execution

Written by RedLegg's Cyber Threat Intelligence Team | 11/12/25 10:16 PM

About:

CVE-2025-12480 is a critical improper access control vulnerability in Gladinet Triofox that allows unauthenticated attackers to access setup pages, create admin accounts, and achieve remote code execution on vulnerable servers.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Gladinet Triofox Improper Access Control Leading to Unauthenticated Remote Access and Code Execution

CVSS Score: 9.1 (Critical)
Identifier: CVE-2025-12480
Exploit or Proof of Concept (PoC):

CVE-2025-12480 is confirmed to be exploited in the wild.
Mandiant/Google Threat Intelligence reports active exploitation by the threat group UNC6485, in which attackers abuse the improper access control flaw to reach setup/configuration pages without authentication and create administrative accounts.

Update: Triofox versions prior to 16.7.10368.56560 are vulnerable.

Description:

CVE-2025-12480 is an Improper Access Control vulnerability in Gladinet Triofox (and related CentreStack builds) that allows unauthenticated users to access the initial configuration pages even after deployment is complete.
By manipulating the Host or Referer header (for example, setting it to "localhost"), attackers can bypass the authentication check and run the initial setup flow.
This allows attackers to create new administrative accounts. Combined with the antivirus integration feature, they can point the AV scan command at attacker-controlled scripts or binaries, which then execute with SYSTEM-level privileges.
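As an added detection illustration (not RedLegg's code and not Gladinet's), the following Python check flags requests whose Host or Referer header claims a loopback origin while the client IP is remote, which is the contradiction the bypass described above produces. It assumes IIS W3C logging with the optional cs-host field enabled; the log lines and the /management/setup path are constructed samples, not Triofox's real endpoints.

```python
import ipaddress
from urllib.parse import urlsplit

# Field order assumed for IIS W3C logging with the optional cs-host field
# enabled; adjust FIELDS to match the #Fields: line of your own logs.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-host",
          "cs(Referer)", "sc-status"]

# Constructed sample log lines; /management/setup is a placeholder path,
# not Triofox's actual setup endpoint. 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for external client addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host cs(Referer) sc-status
2025-11-12 09:01:07 127.0.0.1 GET /management/setup localhost - 200
2025-11-12 09:02:13 203.0.113.45 GET /portal/login triofox.example.com - 200
2025-11-12 09:02:41 203.0.113.45 GET /management/setup localhost - 200
2025-11-12 09:03:05 198.51.100.7 POST /management/setup triofox.example.com http://localhost/management/setup 302
"""

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; malformed values are treated as remote."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def claims_localhost(host, referer):
    """True when the Host header or the Referer's host asserts a loopback origin."""
    names = {(urlsplit("//" + host).hostname or "").lower()}
    if referer and referer != "-":
        names.add((urlsplit(referer).hostname or "").lower())
    return bool(names & LOOPBACK_NAMES)


def find_spoofed_local(log_text):
    """Return (client_ip, path, host, referer) for requests that claim to be
    local while the TCP peer is not loopback. The contradiction is the signal,
    whatever the path, so the exact setup URL need not be known."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split(" ")))
        if claims_localhost(rec["cs-host"], rec["cs(Referer)"]) and not is_loopback(rec["c-ip"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-host"], rec["cs(Referer)"]))
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_local(SAMPLE_LOG):
        print("possible CVE-2025-12480 probe:", hit)
```

Genuine loopback traffic (a local admin on the box) passes, so the remaining hits are worth correlating with the admin-account audit in the mitigation list.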

Mitigation Recommendation:

Upgrade Triofox to version 16.7.10368.56560 or later.

Identify all internet-facing Triofox or CentreStack systems.

Audit administrative accounts for unauthorized or recently created users.

Search for installation or execution of remote access tools such as Zoho Assist, AnyDesk, or Plink.

Disable public access temporarily.

Enforce MFA and strong authentication for all administrative access.