No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

    Date: 11/11/2025

    Severity: Medium

    Summary

    A vulnerability in Gladinet’s Triofox platform, tracked as CVE-2025-12480, allowed attackers to bypass authentication and access configuration pages without credentials. The flaw enabled arbitrary file upload and code execution through abuse of the platform’s built-in antivirus feature, and was exploited by the threat actor UNC6485. It affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560; newer releases of Triofox include the fix.

    Indicators of Compromise (IOC) List

    IP Address

    85.239.63.37

    65.109.204.197

    84.200.80.252

    216.107.136.46

    Hash

    43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f

    50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7

    16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad

    ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f

    Filenames

    C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe

    C:\Windows\temp\sihosts.exe

    C:\Windows\temp\silcon.exe

    C:\Windows\temp\file.exe

    C:\triofox\centre_report.bat

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("84.200.80.252","65.109.204.197","216.107.136.46","85.239.63.37") or srcipaddress IN ("84.200.80.252","65.109.204.197","216.107.136.46","85.239.63.37")

    Detection Query 2:

    sha256hash IN ("16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad","43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f","ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f","50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7")

    Detection Query 3:

    (resourcename = "Windows Security" AND eventtype = "4663") AND filename IN ("C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe","C:\Windows\temp\sihosts.exe","C:\Windows\temp\silcon.exe","C:\Windows\temp\file.exe","C:\triofox\centre_report.bat")

    Detection Query 4:

    technologygroup = "EDR" AND filename IN ("C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe","C:\Windows\temp\sihosts.exe","C:\Windows\temp\silcon.exe","C:\Windows\temp\file.exe","C:\triofox\centre_report.bat")
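
The four queries above can also be run offline against exported logs. The Python below is an added example, not part of the original advisory or of Gurucul's product; it assumes events are exported as JSON lines using the same field names as the queries, and the sample events are constructed. It also normalizes path case and separators and hash case, which an exact string comparison would miss.

```python
import json
import ntpath

# Indicators copied from this advisory.
IOC_IPS = {"85.239.63.37", "65.109.204.197", "84.200.80.252", "216.107.136.46"}
IOC_SHA256 = {
    "43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f",
    "50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7",
    "16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad",
    "ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f",
}
IOC_PATHS = {p.lower() for p in (
    r"C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe",
    r"C:\Windows\temp\sihosts.exe",
    r"C:\Windows\temp\silcon.exe",
    r"C:\Windows\temp\file.exe",
    r"C:\triofox\centre_report.bat",
)}

def match(event):
    """Return which of the four detection queries (1-4) this event satisfies."""
    hits = []
    # Windows paths are case-insensitive and may use "/" or "..\" segments.
    path = ntpath.normpath(event.get("filename") or "").lower()
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append(1)
    if (event.get("sha256hash") or "").strip().lower() in IOC_SHA256:
        hits.append(2)
    if path in IOC_PATHS:
        if event.get("resourcename") == "Windows Security" and str(event.get("eventtype")) == "4663":
            hits.append(3)
        if event.get("technologygroup") == "EDR":
            hits.append(4)
    return hits

def sweep(lines):
    """Return [(line_number, hits)] for every JSON line that matches a query."""
    scored = ((n, match(json.loads(line))) for n, line in enumerate(lines, 1))
    return [(n, hits) for n, hits in scored if hits]

# Constructed sample export, one JSON event per line (not real telemetry).
SAMPLE = [
    r'{"srcipaddress": "10.0.0.5", "dstipaddress": "84.200.80.252"}',
    r'{"technologygroup": "EDR", "filename": "c:/windows/TEMP/sihosts.exe"}',
    r'{"resourcename": "Windows Security", "eventtype": 4663, "filename": "C:\\triofox\\centre_report.bat"}',
    r'{"technologygroup": "EDR", "filename": "C:\\Windows\\System32\\sihost.exe"}',
    json.dumps({"sha256hash": min(IOC_SHA256).upper()}),
]
```

`sweep(SAMPLE)` flags lines 1, 2, 3 and 5. Line 4 is the legitimate `sihost.exe` in `System32`, a near miss of the `sihosts.exe` indicator, and is not flagged.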

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/

