CVE-2025-12480
Gladinet Triofox vulnerability analysis and mitigation

Overview

CVE-2025-12480 is a critical authentication bypass vulnerability (CVSS score: 9.1) affecting Gladinet's Triofox file-sharing and remote access platform versions prior to 16.7.10368.56560. The vulnerability was discovered in August 2025 and allows unauthenticated attackers to bypass authentication and access the application's configuration pages. The flaw was actively exploited by a threat actor tracked as UNC6485 starting from August 24, 2025, nearly a month after Gladinet released patches (Hacker News, Google Cloud).

Technical details

The vulnerability stems from an improper access control implementation in the Triofox web interface. The flaw allows attackers to bypass authentication by conducting an HTTP Host header attack, where setting the Host value to 'localhost' grants access to the AdminDatabase.aspx configuration page. The root cause was identified in the CanRunCriticalPage() function within the GladPageUILib.GladBasePage class, which failed to properly validate request origins and relied solely on the Request.Url.Host value (Google Cloud).
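The Host header condition described above can be hunted for in web server logs. The following is an added example, not code from Gladinet or from the cited reports: it flags requests for AdminDatabase.aspx that carry a Host of localhost but arrive from a non-loopback client. It assumes W3C extended logs with the cs-host field enabled; the log lines, directory path and addresses are constructed.

```python
import ipaddress

# Constructed sample in W3C extended log format (not from a real system).
# The /management/ directory is a placeholder; only the page name is matched.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:02 203.0.113.7 GET /management/AdminDatabase.aspx localhost 200
2025-08-24 10:01:09 127.0.0.1 GET /management/AdminDatabase.aspx localhost 200
2025-08-24 10:01:15 ::1 GET /management/AdminDatabase.aspx localhost 200
2025-08-24 10:02:30 198.51.100.4 GET /portal/login.aspx files.example.com 200
2025-08-24 10:03:11 203.0.113.7 POST /management/admindatabase.aspx LOCALHOST:443 302
"""

def is_loopback(addr):
    """True only if addr parses as an IPv4/IPv6 loopback address."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable client address is never treated as local

def find_host_spoofing(log_text, page="admindatabase.aspx"):
    """Return records where Host is localhost but the client is remote."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip truncated or malformed rows
        rec = dict(zip(fields, parts))
        host = rec.get("cs-host", "").lower().split(":")[0]   # drop any port
        stem = rec.get("cs-uri-stem", "").lower()
        if (host == "localhost" and stem.rsplit("/", 1)[-1] == page
                and not is_loopback(rec.get("c-ip", ""))):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in find_host_spoofing(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], r["sc-status"])
```

If the server sits behind a reverse proxy, c-ip may be the proxy's address, so compare against the forwarded client address instead.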

Impact

The vulnerability enables attackers to gain unauthorized administrative access to Triofox instances, create new administrative accounts, and achieve SYSTEM-level code execution through the platform's built-in antivirus feature. This allows attackers to deploy remote access tools, conduct reconnaissance of internal networks, and potentially escalate privileges to domain administrator level (Help Net Security, Google Cloud).

Mitigation and workarounds

Organizations are strongly advised to upgrade to Triofox version 16.7.10368.56560 or later, which patches the vulnerability. Additional recommended mitigations include auditing administrative accounts, verifying that Triofox's antivirus engine is not configured to execute unauthorized scripts or binaries, and monitoring for anomalous outbound SSH traffic (Google Cloud, Help Net Security).

This report was generated using AI.

Related Gladinet Triofox vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-30406 | CRITICAL | 9.8 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | Yes | Yes | Apr 03, 2025 |
| CVE-2025-12480 | CRITICAL | 9.1 | Gladinet Triofox | | Yes | Yes | Nov 10, 2025 |
