Google’s Mandiant uncovered threat actors exploiting a patched Triofox vulnerability (CVE-2025-12480) to gain unauthorized access, upload malicious scripts, and establish remote control via installed remote access tools. Immediate patching, account auditing, and monitoring are crucial to prevent further attacks. #CVE-2025-12480 #Triofox #UNC6485 #ZohoUEMS #RemoteAccessTools
Keypoints
- Threat actors exploited a Triofox vulnerability to bypass authentication and create new admin accounts.
- The flaw involved manipulating the HTTP Host header to reach the admin setup pages, whose access control relied on weak verification checks.
- Attackers uploaded malicious scripts through Triofox’s antivirus feature, executing PowerShell payloads.
- The malicious payload installed remote access tools like Zoho Assist and AnyDesk for persistent control.
- Security recommendations include updating to the latest Triofox version, auditing accounts, and monitoring for SSH tunnels and abnormal activity.
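Added example, not code from the Mandiant report or from the Triofox product: a Python sketch of the two defensive points above. It shows the general shape of a Host-header-based "is this request local?" check beside a hardened version that decides from the transport peer address and server-side setup state, and a log scan that flags setup-page requests whose Host header does not match any hostname the deployment actually serves. The setup path (`/admin/setup`), the public hostname, the access-log format, the exact form of the weak check and the log lines themselves are all assumptions constructed for this example; the real product's paths and checks are not reproduced here.

```python
"""Host-header trust: weak check vs hardened check, plus a log scan (added example)."""
import re
from dataclasses import dataclass

# Hypothetical path of the admin setup page (assumption; not the product's real path).
SETUP_PATHS = {"/admin/setup"}

# Hostnames this deployment legitimately serves (constructed for the example).
PUBLIC_HOSTS = {"files.example.test"}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Request:
    host: str              # client-supplied Host header (attacker-controlled)
    path: str
    peer_ip: str           # TCP peer address as observed by the server
    setup_complete: bool   # server-side state, never derived from the request


def setup_allowed_weak(req: Request) -> bool:
    """Assumed shape of the weak check: the request is treated as 'local'
    because the Host header says so. Anyone can send that header."""
    if req.path not in SETUP_PATHS:
        return False
    return req.host.split(":")[0].lower() in {"localhost", "127.0.0.1"}


def setup_allowed_hardened(req: Request) -> bool:
    """Hardened check: setup pages are reachable only while first-run setup is
    still pending, and locality is judged from the peer address, not a header."""
    if req.path not in SETUP_PATHS:
        return False
    if req.setup_complete:
        return False               # setup pages go dark once an admin exists
    return req.peer_ip in LOOPBACK


# Assumed access-log layout: IP - - [time] "METHOD PATH PROTO" STATUS SIZE "HOST"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)


def suspicious_setup_requests(lines):
    """Return (peer_ip, path, reasons) for each setup-page request that either
    carried a Host header not in PUBLIC_HOSTS or was answered with 2xx/3xx to a
    non-loopback peer. Either condition deserves a look on a patched host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] not in SETUP_PATHS:
            continue
        reasons = []
        host = m["host"].split(":")[0].lower()
        if host not in PUBLIC_HOSTS:
            reasons.append("host-header-mismatch")
        if m["status"][0] in "23" and m["ip"] not in LOOPBACK:
            reasons.append("served-to-remote-peer")
        if reasons:
            hits.append((m["ip"], m["path"], tuple(reasons)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "GET /admin/setup HTTP/1.1" 200 512 "localhost"',
    '198.51.100.4 - - [10/Nov/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "files.example.test"',
    '203.0.113.7 - - [10/Nov/2025:10:00:03 +0000] "POST /admin/setup HTTP/1.1" 302 0 "localhost"',
    '192.0.2.9 - - [10/Nov/2025:10:00:04 +0000] "GET /admin/setup HTTP/1.1" 403 0 "files.example.test"',
]

if __name__ == "__main__":
    spoofed = Request("localhost", "/admin/setup", "203.0.113.7", setup_complete=True)
    print("weak check admits spoofed request:", setup_allowed_weak(spoofed))
    print("hardened check admits it:", setup_allowed_hardened(spoofed))
    for hit in suspicious_setup_requests(SAMPLE_LOG):
        print("review:", hit)
```

The scan is intentionally broader than the single bypass the summary describes: any setup-page request that succeeds for a remote peer is worth reviewing after patching, whatever the Host header said, because a setup page that stays reachable once an admin exists is the condition that makes account creation possible in the first place.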