
UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign · Happening score 54 · 2 unique sources, 2 articles

Summary


The UNC6485 campaign is actively exploiting CVE-2025-12480 in Gladinet Triofox, turning a patched flaw into unauthorized access and post-exploitation footholds. The activity matters because attackers can bypass authentication, create admin access, and deploy remote tools on affected hosts. Mandiant observed the operation as far back as August 24, 2025, after Gladinet had already shipped a fix in version 16.7.10368.56560. The operators then used Zoho Assist, AnyDesk, and encrypted SSH tunneling to expand control and support RDP access.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Quest KACE SMA authentication bypass (CVE-2025-32975)

Vulnerability
First: 23.03.2026 08:15 Last: 23.03.2026 08:15 Sources 1

About this happening: **Quest KACE SMA** systems exposed to the internet were found at risk from **CVE-2025-32975**, an **authentication bypass** flaw that can enable administrative takeover and remote...

UniFi Network Application path traversal flaw (CVE-2026-22557)

Vulnerability
First: 19.03.2026 15:00 Last: 19.03.2026 15:00 Sources 1

About this happening: **CVE-2026-22557** in the **UniFi Network Application** is a **path traversal** flaw affecting **version 10.1.85 and earlier** that can expose files and enable **possible account...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

Timeline

  1. 10.11.2025 22:49 2 articles · 6mo ago

    UNC6485 exploits Triofox CVE-2025-12480

    Exploitation Observed

    UNC6485 weaponized CVE-2025-12480 in Gladinet Triofox as early as August 24, 2025, bypassing authentication to reach configuration pages, create a new native admin account named Cluster Admin, and use the built-in antivirus feature to execute a malicious batch script that deployed Zoho Unified Endpoint Management System (UEMS), Zoho Assist, AnyDesk, Plink, and PuTTY for follow-on access and tunneling.

  2. 10.11.2025 22:49 1 article · 6mo ago

    Mandiant discloses Triofox CVE-2025-12480 exploitation

    Initial Disclosure

    Google's Mandiant Threat Defense disclosed n-day exploitation of the patched Triofox flaw CVE-2025-12480 and characterized the vulnerability as a critical authentication bypass that enabled arbitrary payload execution. The disclosure also advised Triofox operators to update to the latest version, audit admin accounts, and verify that the antivirus engine cannot be configured to execute unauthorized scripts or binaries.
