Mandiant Warns of Active Exploitation of Critical Triofox Flaw Allowing Remote Access

Mandiant has issued a critical warning regarding the active exploitation of CVE-2025-12480, a severe improper access control vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and achieve remote code execution, posing a significant threat to organizations utilizing the software.

The vulnerability, which carries a CVSS score of 9.1 (Critical), leaves Triofox's initial configuration (setup) pages reachable without authentication even after installation has been completed. Threat actors tracked by Google Threat Intelligence Group (GTIG) as UNC6485 began exploiting this weakness as early as August 24, 2025, using it to upload and execute malicious payloads on affected servers.

UNC6485 used the unauthenticated access to the Triofox configuration pages to create a new native administrator account, dubbed "Cluster Admin." With those administrative privileges in hand, the attackers then uploaded and executed malicious files. According to Mandiant researchers Stallone D'Souza, Praveeth DSouza, and B. Raman, code execution was achieved by abusing Triofox's built-in antivirus feature as the execution vector.

The root cause is an Improper Access Control weakness (CWE-284). Triofox versions prior to 16.7.10368.56560 are affected; the exploitation Mandiant observed targeted version 16.4.10317.56372. Gladinet has released a fix in version 16.7.10368.56560 that hardens the initial configuration pages so they can no longer be reached once Triofox has been fully deployed. Mandiant has confirmed that this release resolves CVE-2025-12480.
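To turn the affected-version statement above into something an asset owner can run against an inventory, here is a small version-triage helper. It is an added example, not code from Mandiant, Gladinet or Google; the only facts it takes from the advisory are the fixed build 16.7.10368.56560 and the exploited build 16.4.10317.56372. The sample inventory, host names and the later build number "16.10.1.1" are constructed for illustration. The point worth noticing is that Triofox build strings must be compared numerically, component by component: a plain string comparison sorts "16.10.x" before "16.7.x" and would misclassify builds on either side of the fix.

```python
# Added example (not from Mandiant or Gladinet): decide whether an installed
# Triofox build falls in the affected range for CVE-2025-12480.
# Facts taken from the advisory: the fixed build and the exploited build.
# Everything else (hosts, the "16.10.1.1" build) is constructed for illustration.
from typing import Dict, Tuple

FIXED_VERSION = "16.7.10368.56560"      # first build with the hardened setup pages
EXPLOITED_VERSION = "16.4.10317.56372"  # build Mandiant observed being exploited


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric.

    Plain string comparison is wrong here: "16.10.x" sorts before "16.7.x"
    lexically, which would mark a newer build as vulnerable or, worse, a
    vulnerable build as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'VULNERABLE' / 'patched' / 'unknown' for {host: version}.

    Unparseable versions are reported as 'unknown' rather than silently
    treated as safe, so a broken inventory field cannot hide an exposed host.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "fs-01.example.internal": EXPLOITED_VERSION,
        "fs-02.example.internal": FIXED_VERSION,
        "fs-03.example.internal": "16.10.1.1",  # hypothetical later build
        "fs-04.example.internal": "n/a",        # missing/unknown version field
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything reported as VULNERABLE or unknown should be treated as exposed until the build is confirmed, since the flaw is reachable without credentials.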

This is the third actively exploited vulnerability in Triofox this year, following CVE-2025-30406 and CVE-2025-11371, an ongoing pattern of security problems for the platform. Organizations are urged to apply the latest update to their file-sharing infrastructure. Patching closes the entry point but does not remove accounts or payloads an intruder has already planted, so administrators running affected builds should also audit for unexpected administrator accounts, such as the "Cluster Admin" account observed in this campaign, as detailed in Google's blog post on the matter.