
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-12480 is an Improper Access Control vulnerability affecting Triofox versions prior to 16.7.10368.56560. The vulnerability allows unauthenticated attackers to access initial setup pages even after setup is complete. The flaw was discovered and disclosed in July 2025, with active exploitation observed as early as August 24, 2025. The vulnerability affects Gladinet's Triofox file-sharing and remote access platform, which is used by medium and large businesses for secure file sharing and VPN-less access (NVD, HelpNet Security).
The vulnerability stems from an improper access control check in the CanRunCriticalPage() function of the GladPageUILib.GladBasePage class. Attackers can bypass authentication with an HTTP Host header attack, specifically by setting the Host value to 'localhost'; this bypass grants access to the AdminDatabase.aspx page and, through it, unauthorized access to configuration pages. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (Google Cloud Blog).
The vulnerability allows attackers to bypass authentication and access the application's configuration pages, enabling the creation of unauthorized administrator accounts. Once access is gained, attackers can upload and execute arbitrary payloads through the built-in anti-virus feature, which runs with SYSTEM privileges. This access can lead to full system compromise, allowing attackers to deploy remote access tools, conduct reconnaissance, and potentially escalate privileges within the network (Google Cloud Blog).
Organizations are advised to upgrade to Triofox version 16.7.10368.56560 or later, which patches this vulnerability. Additional recommended mitigations include auditing admin accounts, verifying that Triofox's Anti-virus Engine is not configured to execute unauthorized scripts or binaries, and monitoring for anomalous outbound SSH traffic. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 3, 2025 (CISA).
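As an added example, not part of this report or of Triofox's own code: a small Python check that scans IIS W3C extended logs for the access pattern described above, a request for AdminDatabase.aspx whose Host header claims localhost while the connecting client address is not loopback. It assumes the optional cs-host field is enabled in the site's IIS log field list; the log lines are constructed.

```python
import ipaddress

# Constructed sample IIS W3C extended log. The cs-host field is NOT in the
# default field set; it must be enabled in the site's IIS logging settings.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 03:12:05 203.0.113.7 GET /AdminDatabase.aspx localhost 200
2025-08-24 03:12:09 203.0.113.7 POST /AdminDatabase.aspx localhost 302
2025-08-24 03:15:41 198.51.100.4 GET /Default.aspx triofox.example.com 200
2025-08-24 03:20:00 127.0.0.1 GET /AdminDatabase.aspx localhost 200
"""

SETUP_PAGES = {"admindatabase.aspx"}       # setup page named in the advisory
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def host_only(value):
    """Lower-case the Host value and strip any :port suffix."""
    v = value.lower()
    if v.startswith("[") and "]" in v:     # bracketed IPv6 literal, e.g. [::1]:443
        return v[: v.index("]") + 1]
    return v.split(":")[0]

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:                     # malformed or missing c-ip
        return False

def find_host_spoof_hits(text):
    """Requests for a setup page whose Host header claims loopback while the
    TCP peer (c-ip) is a remote address: the pattern to review after patching."""
    hits = []
    for req in parse_w3c(text):
        page = req.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        host = host_only(req.get("cs-host", ""))
        if page in SETUP_PAGES and host in LOOPBACK_HOSTS and not is_loopback(req.get("c-ip", "")):
            hits.append(req)
    return hits
```

On the constructed log, find_host_spoof_hits(SAMPLE_LOG) returns the two requests from 203.0.113.7 and ignores both the ordinary portal request and the genuine loopback request.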
Source: This report was generated using AI