Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox
Summary
Active exploitation of critical vulnerabilities in Gladinet's CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability: the attack chained an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. Three customers have been impacted so far.

The vulnerability was detected by researchers at Huntress on September 27, 2025, and the vendor, Gladinet, was notified and has since released a fix. A patch for CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. This mitigation will impact some functionality of the platform but prevents exploitation of CVE-2025-11371.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.

Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads.
The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.
Timeline
-
10.11.2025 22:49 2 articles · 1d ago
UNC6485 exploits CVE-2025-12480 to deploy remote access tools
The threat cluster tracked as UNC6485 has been exploiting the critical vulnerability CVE-2025-12480 in Gladinet's Triofox platform since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers. They have also leveraged remote access tools like Zoho Assist and AnyDesk for further exploitation, including reconnaissance and privilege escalation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
16.10.2025 18:11 3 articles · 26d ago
Gladinet releases patch for CVE-2025-11371
A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. Additionally, users are advised to update to the latest version of Triofox to address the newly discovered CVE-2025-12480 vulnerability, audit admin accounts, and verify that Triofox's antivirus engine is not configured to execute unauthorized scripts or binaries.
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
10.10.2025 12:34 6 articles · 1mo ago
Active Exploitation of CVE-2025-11371 in Gladinet and TrioFox
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. The flaw was detected by Huntress in September 2025 and has been actively exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation.
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
Information Snippets
-
The zero-day vulnerability CVE-2025-11371 affects all versions of Gladinet CentreStack and TrioFox prior to and including 16.7.10368.56560.
First reported: 10.10.2025 12:34 · 2 sources, 5 articles
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The flaw is an unauthenticated local file inclusion bug that allows unintended disclosure of system files.
First reported: 10.10.2025 12:34 · 2 sources, 5 articles
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability.
First reported: 10.10.2025 12:34 · 2 sources, 4 articles
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
Three customers have been impacted by the active exploitation.
First reported: 10.10.2025 12:34 · 2 sources, 4 articles
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
Users are advised to disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk until a patch is available.
First reported: 10.10.2025 12:34 · 2 sources, 4 articles
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The zero-day vulnerability CVE-2025-11371 affects Gladinet CentreStack and Triofox file sharing and remote access solutions.
First reported: 10.10.2025 22:08 · 2 sources, 3 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The vulnerability was detected by researchers at Huntress on September 27, 2025.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The flaw was exploited to obtain a machine key and execute code remotely.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The issue was an LFI leveraged to read the Web.config and extract the machine key.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The vendor, Gladinet, was notified and is working on a patch.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The mitigation involves disabling the temp handler in the Web.config file for the UploadDownloadProxy component.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.
First reported: 10.10.2025 22:08 · 2 sources, 4 articles
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683.
First reported: 16.10.2025 18:11 · 2 sources, 2 articles
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The root cause of the LFI issue is a sanitization failure at the temp-download handler, reachable at /storage/t.dn, which accepts an 's=' parameter, leading to directory traversal.
First reported: 16.10.2025 18:11 · 2 sources, 3 articles
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The service runs as NT AUTHORITY\SYSTEM and resolves files relative to the temp folder, allowing attackers to read any file the SYSTEM account can access, including Web.config, which contains the ASP.NET machine key.
First reported: 16.10.2025 18:11 · 2 sources, 3 articles
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
Huntress observed HTTP requests to '/storage/t.dn?s=…' returning Web.config, followed by base64-encoded POST payloads triggering command execution on the targets.
First reported: 16.10.2025 18:11 · 2 sources, 3 articles
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
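The snippets above describe the observable: unauthenticated GET requests to the temp-download handler at /storage/t.dn whose s= parameter traverses out of the temp folder to Web.config. The following detector is an added example, not code from Huntress, Gladinet or any of the cited articles. It runs over constructed IIS W3C log lines (the field order is an assumption made for the sample; adjust it to the #Fields header of a real log) and flags t.dn requests whose decoded s= value contains a traversal segment or names Web.config, including double-encoded variants.

```python
"""Detect traversal attempts against the CentreStack/Triofox temp-download
handler (/storage/t.dn) in IIS W3C access logs. Added example; the log lines
are constructed and the field order is assumed to be:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not real telemetry); IPs are documentation ranges.
SAMPLE_LOG = """\
2025-10-01 10:15:01 10.0.0.5 GET /storage/t.dn s=..%2F..%2F..%2FUploadDownloadProxy%2FWeb.config 443 198.51.100.7 200
2025-10-01 10:15:02 10.0.0.5 GET /storage/t.dn s=report.pdf 443 203.0.113.9 200
2025-10-01 10:15:03 10.0.0.5 GET /portal/login.aspx - 443 203.0.113.9 200
2025-10-01 10:15:04 10.0.0.5 GET /storage/t.dn s=%252e%252e%255c%252e%252e%255cWeb.config 443 198.51.100.7 200
2025-10-01 10:15:05 10.0.0.5 POST /portal/loginpage.aspx - 443 198.51.100.7 302
"""

# A ".." path segment with either separator, checked after normalisation
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
HANDLER_STEM = "/storage/t.dn"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip repeated percent-encoding; double encoding is a common filter evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a suspicious t.dn request, otherwise None."""
    fields = line.split()
    if len(fields) != 9:
        return None
    date, clock, _server, method, stem, query, _port, client, status = fields
    if stem.lower() != HANDLER_STEM or query == "-":
        return None
    # parse_qs decodes one layer; decode again to unwrap double encoding
    raw = parse_qs(query, keep_blank_values=True).get("s", [""])[0]
    path = fully_decode(raw).replace("\\", "/")
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("directory traversal in s=")
    if "web.config" in path.lower():
        reasons.append("Web.config requested")
    if not reasons:
        return None
    return {
        "timestamp": f"{date} {clock}",
        "client": client,
        "method": method,
        "status": int(status),
        "path": path,
        "reasons": reasons,
    }


def scan_log(text: str) -> list:
    """Run inspect_line over every line and collect the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


def clients_with_config_read(findings: list) -> set:
    """Clients that received a 200 on a Web.config request: treat the machineKey as leaked."""
    return {f["client"] for f in findings
            if f["status"] == 200 and "Web.config requested" in f["reasons"]}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["timestamp"], h["client"], h["status"], h["path"], "; ".join(h["reasons"]))
    print("clients that read Web.config:", sorted(clients_with_config_read(hits)))
```

A 200 response on a Web.config read means the ASP.NET machine key must be assumed compromised, so patching or disabling the temp handler is not sufficient on its own: the machineKey needs to be rotated as well, otherwise the ViewState deserialization path described in the snippets stays open. The decoder deliberately unwraps several encoding layers because the handler, not the detector, is what ultimately decodes the value.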
-
Huntress published a one-line PowerShell Invoke-WebRequest example showing how an unauthenticated request to '/storage/t.dn?s=...' can be used to retrieve Web.config.
First reported: 16.10.2025 18:11 · 2 sources, 3 articles
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
CISA added the Gladinet vulnerability CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025.
First reported: 05.11.2025 08:12 · 1 source, 2 articles
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation.
First reported: 05.11.2025 08:12 · 1 source, 2 articles
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for CVE-2025-11371 by November 25, 2025, to secure their networks.
First reported: 05.11.2025 08:12 · 1 source, 2 articles
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads.
First reported: 10.11.2025 22:49 · 2 sources, 2 articles
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The threat cluster tracked as UNC6485 weaponized the flaw as far back as August 24, 2025, nearly a month after Gladinet released patches for the flaw in version 16.7.10368.56560.
First reported: 10.11.2025 22:49 · 2 sources, 2 articles
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The threat actor weaponized the unauthenticated access vulnerability to gain access to the configuration pages, and then used them to create a new native admin account, Cluster Admin, by running the setup process.
First reported: 10.11.2025 22:49 · 2 sources, 2 articles
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The attackers used the built-in antivirus feature to upload and execute malicious files by configuring the path of the antivirus engine to point to the script.
First reported: 10.11.2025 22:49 · 2 sources, 2 articles
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The attackers downloaded tools like Plink and PuTTY to set up an encrypted tunnel to a command-and-control (C2) server over port 433 via SSH with the ultimate goal of allowing inbound RDP traffic.
First reported: 10.11.2025 22:49 · 1 source, 1 article
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The remote access afforded by Zoho Assist was leveraged to conduct reconnaissance, followed by attempts to change passwords for existing accounts and add them to local administrators and the "Domain Admins" group for privilege escalation.
First reported: 10.11.2025 22:49 · 1 source, 1 article
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
-
The vulnerability CVE-2025-12480 is a critical improper access control flaw (CVSS: 9.8) affecting Triofox versions prior to 16.7.10368.56560.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The exploitation campaign started on August 14, 2025.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
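The two snippets above describe the root cause of CVE-2025-12480 as it was reported: a "local only" setup page (AdminDatabase.aspx) whose access check trusted the client-supplied Host header, and which stayed reachable after setup had completed. The following is an added example, not Triofox code, contrasting that weak check with a hardened one. The Request class and the two constructed requests are stand-ins for whatever the web framework exposes; the only assumption that matters is that peer_ip comes from the accepted socket and not from any header.

```python
"""Host-header based 'local only' check (the weak pattern) beside a hardened
check that uses the socket peer address and the setup-complete state.
Added example with constructed requests; Request stands in for the framework's
request object."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    peer_ip: str                 # from the accepted TCP socket, never from a header
    path: str
    headers: dict = field(default_factory=dict)


def weak_is_local(req: Request) -> bool:
    """Weak pattern: believes the client-controlled Host header, so any remote
    client that sends 'Host: localhost' passes as local."""
    host = req.headers.get("Host", "").split(":")[0].strip().lower()
    return host in ("localhost", "127.0.0.1")


def hardened_setup_allowed(req: Request, setup_complete: bool) -> bool:
    """Hardened: setup pages are closed for good once setup is done, and 'local'
    means the TCP peer is a loopback address; the Host header is never consulted."""
    if setup_complete:
        return False
    try:
        peer = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False
    return peer.is_loopback


# Constructed requests: a remote client spoofing Host, and a genuine local one.
SPOOFED = Request("198.51.100.7", "/AdminDatabase.aspx", {"Host": "localhost"})
LOCAL = Request("127.0.0.1", "/AdminDatabase.aspx", {"Host": "localhost"})


def evaluate() -> dict:
    """Decision table for both requests under both checks."""
    return {
        "weak_spoofed": weak_is_local(SPOOFED),
        "weak_local": weak_is_local(LOCAL),
        "hardened_spoofed_during_setup": hardened_setup_allowed(SPOOFED, False),
        "hardened_local_during_setup": hardened_setup_allowed(LOCAL, False),
        "hardened_local_after_setup": hardened_setup_allowed(LOCAL, True),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:32s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two caveats from the design. First, behind a reverse proxy the peer address is the proxy's, and X-Forwarded-For is just as client-controlled as Host unless the proxy strips and rewrites it; relying on "the request looks local" is fragile in either case. Second, the state check is the one that actually closes the reported hole: once setup has finished, the setup pages should not be reachable by anyone, local or not, and any later administrative change should go through an authenticated admin session.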
-
The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
-
The attackers were able to run their malicious batch script by configuring the path of the anti-virus engine to point to their script.
First reported: 11.11.2025 14:30 · 1 source, 1 article
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
Similar Happenings
Malicious VSX Extension SleepyDuck Targets Solidity Developers
A malicious extension named SleepyDuck was discovered in the Open VSX registry. It targets Solidity developers and includes a remote access trojan. The extension was initially published as benign but was updated to include malicious capabilities after reaching 14,000 downloads. The malware uses Ethereum contracts to update its command and control address, ensuring persistence even if the original server is taken down. It triggers when a new code editor window is opened or a .sol file is selected, gathering system information and exfiltrating it to the server. The extension has been downloaded more than 53,000 times. The malware activates on editor startup, when a Solidity file is opened, or when the user runs the Solidity compile command. It collects system data and sets up a command execution sandbox. The malware finds the fastest Ethereum RPC provider to read the smart contract with the C2 information and reads updated instructions directly from the blockchain. The extension was first published on October 31, 2025, and updated to include malicious code on November 1, 2025. It has been observed using sandbox evasion techniques and can connect to the fastest Ethereum RPC provider to maintain communication with its command server. Open VSX has announced security enhancements to make it safer for its users, including shortening token lifetimes, quickly revoking leaked credentials, automated scans, and sharing key info with VS Code about emerging threats.
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Mass Exploitation Campaign Targets Outdated WordPress Plugins
A widespread campaign is exploiting outdated WordPress plugins GutenKit and Hunk Companion, targeting critical vulnerabilities to achieve remote code execution (RCE). The campaign, which began on October 8, 2025, exploited three critical-severity flaws in the plugins, affecting over 48,000 installs. Attackers use malicious plugins hosted on GitHub to maintain persistence, steal data, and execute commands on compromised sites. Wordfence has blocked nearly 8.8 million exploitation attempts. The vulnerabilities were patched in October and December 2024, but many sites remain unpatched.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.
Active Exploitation of Critical Motex Lanscope Endpoint Manager Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-61932, allows attackers to execute arbitrary code on affected systems. It impacts on-premises versions of Lanscope Endpoint Manager, specifically the Client program and Detection Agent. The flaw has been actively exploited in the wild by the cyber espionage group Tick, which has been using it to deliver a backdoor called Gokcpdoor. Federal agencies are advised to apply patches by November 12, 2025. The vulnerability impacts versions 9.4.7.2 and earlier. It has been addressed in versions 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. The exact exploitation methods and threat actors were previously unknown, but an alert from the Japan Vulnerability Notes (JVN) portal and Japan's CERT Coordination Center indicated that an unnamed customer and domestic organizations received malicious packets targeting this vulnerability. The vulnerability has a CVSS v4 score of 9.8 and affects Lanscope Endpoint Manager, a unified endpoint management and security platform popular in Japan. Lanscope is deployed by one in every four listed companies and one in every three financial institutions in Japan. The flaw includes missing security checks, lack of barriers to prevent arbitrary code execution, and missing privilege checks. Motex has released a fix for the vulnerability, and it does not affect the cloud version of Lanscope. Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication. The Bronze Butler group exploited the vulnerability far in advance of its public disclosure. The group used the Havoc command-and-control (C2) tool and a loader called OAED to inject payloads. 
The group used open-source and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io. The group used LimeWire, a peer-to-peer (P2P) file-sharing platform, possibly for exfiltration. Japanese organizations face cyber threats shaped by regional geopolitics and industry profiles, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.