A threat actor exploited a critical vulnerability in Triofox to gain remote access and create a new administrator account, which it then used to upload and execute malicious scripts. Organizations are urged to update to version 16.7.10368.56560 or later and audit their accounts to prevent further exploitation. #CVE-2025-12480 #UNC6485
Key points
- The vulnerability in Triofox allowed attackers to access setup pages even after configuration.
- Google detected a threat actor exploiting the flaw to create an admin account via an HTTP header attack.
- Attackers used this access to upload and execute malicious scripts through the built-in antivirus feature.
- The malicious payload included remote access tools like Zoho Assist and AnyDesk.
- Organizations should update to the latest Triofox version and review their admin accounts.
Read More: https://www.securityweek.com/critical-triofox-vulnerability-exploited-in-the-wild/