A threat actor has exploited a critical vulnerability in Triofox to obtain remote access to a vulnerable server and then achieve code execution, Google warns.
Designed to ease remote work and data management, Gladinet’s Triofox is a secure file sharing and remote access solution that can be integrated with existing IT infrastructure.
Prior to version 16.7.10368.56560, Triofox was affected by a critical-severity improper access control vulnerability that allowed attackers to access initial setup pages even after the setup process was completed.
The issue, tracked as CVE-2025-12480 (CVSS score of 9.1), was resolved in late July by preventing access to the initial configuration pages after Triofox had been set up.
In late August, Google caught a threat actor tracked as UNC6485 exploiting the security defect against a vulnerable Triofox server in an HTTP Host header attack, to create a new administrative account.
The threat actor modified an HTTP GET request to the AdminDatabase.aspx page, which is automatically launched after Triofox is installed. From there, the attackers accessed the AdminAccount.aspx page, which redirects to the InitAccount.aspx page, where they created a new administrator account.
The attack was possible because ASP.NET builds Request.Url from the HTTP Host header, which the threat actor controls; Triofox did not verify that the request actually arrived over a localhost connection, and no protection beyond that Host header check was in place.
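For defenders reviewing web server logs, the two conditions described above (a setup page served to a non-loopback client, and a Host header claiming localhost on a request that did not come from loopback) are straightforward to hunt for. The following is an added example, not code from Google's report or from Gladinet: it parses IIS W3C log lines, using a constructed sample log, and flags both conditions. The page names come from the article; the directory prefix under which Triofox serves them is an assumption, so matching is done on the final path segment only.

```python
"""Hunt IIS W3C logs for post-setup access to Triofox setup pages (CVE-2025-12480 pattern).

Added example for log review; the Triofox URL prefix is unknown, so page names
are matched on the last path segment, case-insensitively.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Setup pages named in the report; legitimate only during initial installation.
SETUP_PAGES = {"admindatabase.aspx", "adminaccount.aspx", "initaccount.aspx"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed sample log: one normal request, the three-step setup-page sequence from a
# remote client with a spoofed localhost Host header, and one legitimate local request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status
2025-08-20 10:14:02 10.0.0.5 GET /portal/Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 triofox.example.internal 200
2025-08-20 10:15:31 10.0.0.5 GET /AdminDatabase.aspx - 443 - 203.0.113.7 Mozilla/5.0 localhost:443 200
2025-08-20 10:15:40 10.0.0.5 GET /AdminAccount.aspx - 443 - 203.0.113.7 Mozilla/5.0 localhost:443 302
2025-08-20 10:15:41 10.0.0.5 GET /InitAccount.aspx - 443 - 203.0.113.7 Mozilla/5.0 localhost:443 200
2025-08-20 10:20:00 10.0.0.5 GET /InitAccount.aspx - 443 - 127.0.0.1 Mozilla/5.0 localhost 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new #Fields line can appear mid-file after a restart
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed record or no header yet; skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def host_claims_localhost(host: str) -> bool:
    """True when the Host header names the local machine, with or without a port."""
    h = host.lower()
    if h.startswith("["):                    # bracketed IPv6 literal, e.g. [::1]:443
        h = h.split("]")[0] + "]"
    elif h.count(":") == 1:                  # hostname:port or IPv4:port
        h = h.rsplit(":", 1)[0]
    return h in LOOPBACK_HOSTS or is_loopback(h)


def find_suspicious(records: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (rule, record) pairs for requests matching either hunting rule."""
    alerts: List[Tuple[str, Dict[str, str]]] = []
    for r in records:
        page = r.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        remote = not is_loopback(r.get("c-ip", ""))
        if page in SETUP_PAGES and remote:
            alerts.append(("setup-page-from-remote-client", r))
        if remote and host_claims_localhost(r.get("cs-host", "")):
            alerts.append(("localhost-host-header-from-remote-client", r))
    return alerts


if __name__ == "__main__":
    for rule, rec in find_suspicious(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"{rule}: {rec['date']} {rec['time']} {rec['c-ip']} -> {rec['cs-uri-stem']} (Host: {rec['cs-host']})")
```

The `cs-host` column is not logged by default in IIS; enable it in the site's logging fields before relying on the second rule. The last sample record, a setup page fetched from 127.0.0.1, is deliberately not flagged, since that is what a genuine post-install visit looks like.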
After creating the new admin account, the attackers logged in to the server and abused a built-in antivirus feature that allows users to provide an arbitrary path for the antivirus, to execute a malicious file with System privileges.
When publishing a new share in Triofox, the application displays the folder path on disk of any shared folder. The attackers uploaded an arbitrary file to a published share, and then configured the path of the antivirus to point to it.
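The abuse chain above works because the antivirus setting accepts any path on disk, including a file inside a published share. A hardening check an administrator could run against the configured scanner path is shown below as an added example; it is not Gladinet's code, and the allowlisted scanner directories and share roots are constructed values. It rejects relative paths, script extensions, any path that resolves (after `..` normalization) into a share root, and anything outside the allowlist.

```python
"""Validate a configured antivirus executable path against share roots and an allowlist.

Added example; ALLOWED_SCANNER_DIRS and the share roots are constructed values, and the
real Triofox configuration format is not assumed. ntpath is used so Windows path
semantics (case-insensitivity, backslashes, '..' collapsing) apply on any host.
"""
import ntpath
from typing import Iterable, Tuple

# Constructed allowlist: directories from which a scanner binary may legitimately run.
ALLOWED_SCANNER_DIRS = [
    r"C:\Program Files\Windows Defender",
    r"C:\Program Files\ExampleAV",
]
# Extensions that would make the "scanner" a script interpreter launch rather than a binary.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}


def _norm(path: str) -> str:
    """Collapse '..' and '.', unify separators, and lowercase for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if path lies strictly inside root (after normalization of both)."""
    r = _norm(root).rstrip("\\") + "\\"
    return _norm(path).startswith(r)


def validate_scanner_path(candidate: str, share_roots: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason). Order matters: the cheapest, most decisive rejections come first."""
    if not ntpath.isabs(candidate):
        return False, "not-absolute"
    normalized = _norm(candidate)
    if ntpath.splitext(normalized)[1] in SCRIPT_EXTENSIONS:
        return False, "script-extension"
    for root in share_roots:
        if is_under(normalized, root):
            return False, "inside-published-share"
    if not any(is_under(normalized, d) for d in ALLOWED_SCANNER_DIRS):
        return False, "outside-allowlist"
    return True, "ok"


if __name__ == "__main__":
    shares = [r"C:\Shares"]
    for p in [
        r"C:\Program Files\ExampleAV\scanner.exe",
        r"C:\Shares\team\update.bat",
        r"C:\Program Files\ExampleAV\..\..\Shares\team\scanner.exe",
        r"C:\Temp\scanner.exe",
    ]:
        print(p, "->", validate_scanner_path(p, shares))
```

Normalizing before comparison is what catches the traversal form of the same abuse: a path that starts inside an allowlisted directory but climbs out with `..` still ends up under the share root and is rejected for that reason, not merely for failing the allowlist.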
The file, a malicious batch script, executed a PowerShell command to fetch and run a second-stage payload identified as a copy of the legitimate Zoho Unified Endpoint Management System (UEMS) software installer. The agent was used to execute the Zoho Assist and AnyDesk remote access tools.
UNC6485 used Zoho Assist to enumerate active SMB sessions and user information and was seen attempting to change the passwords for existing accounts, and to add these to the local and domain administrator groups.
Additionally, the threat actor deployed two utilities to set up an encrypted tunnel via SSH to their command-and-control (C&C) server, Google explains.
Organizations using Triofox are advised to update to version 16.7.10368.56560 or newer, to audit administrator accounts, and to ensure that the Triofox antivirus engine is not allowed to execute unauthorized scripts or binaries.