• No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480. Mandiant. Written by: Stallone D’Souza, Praveeth DSouza, Bill Glynn, Kevin O’Flynn, Yash Gupta. Welcome to the Frontline Bulletin Series: Straight from Mandiant Threat Defense, the “Frontline Bulletin” series brings you the latest on the threats we are seeing in the wild right now, equipping our community to understand and respond.
• Introduction: Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform.
• This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
• 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution.
• The activity discussed in this blog post leveraged a vulnerability in Triofox version 16.4.10317.56372, which was mitigated in release 16.7.10368.56560.
• Gladinet engaged with Mandiant on our findings, and Mandiant has validated that this vulnerability is resolved in new versions of Triofox.

Article Summaries:

  • Mandiant’s Threat Defense team identified an unauthenticated remote‑access flaw (CVE‑2025‑12480) in Gladinet’s Triofox file‑sharing platform. The vulnerability, present in version 16.4.10317.56372, lets attackers reach configuration pages without credentials, enabling arbitrary code upload and execution. In late August 2025, the threat cluster UNC6485 exploited the flaw and chained it with the built‑in anti‑virus feature to gain code execution. The issue was patched in Triofox 16.7.10368.56560, and Mandiant confirmed the fix. Detection was achieved through Google SecOps composite alerts that flagged suspicious HTTP traffic and remote‑access utilities.

Sources: