Gladinet Triofox actively exploited improper access control flaw (CVE-2025-12480)
Vulnerability
Summary
Gladinet Triofox is affected by CVE-2025-12480, a critical improper access control flaw that let attackers reach restricted setup pages and turn the issue into code execution. The vulnerability affects Triofox versions prior to 16.7.10368.56560, and exploitation was observed beginning in August 2025. A patched version was already available, making the issue urgent for exposed deployments.
Related Happenings
Gladinet CentreStack and Triofox active exploitation wave
Exploitation Wave
First: 11.12.2025 07:56
Last: 11.12.2025 07:56
Sources 1
About this happening:
Active exploitation of **Gladinet CentreStack** and **Triofox** has affected **at least nine organizations**, creating risk of unauthorized access and follow-on **remote code exec...
UNC6485 Triofox CVE-2025-12480 exploitation campaign
Campaign
First: 10.11.2025 22:49
Last: 10.11.2025 22:49
Sources 1
How related:
Security researchers at Google Threat Intelligence Group (GTIG) discovered the malicious activity on August 24, after a threat cluster tracked internally as UNC6485 targeted a Triofox server running version 16.4.10317.56372, released on April 3.
About this happening:
The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
CentOS Web Panel remote command execution flaw (CVE-2025-48703)
Vulnerability
First: 05.11.2025 20:26
Last: 05.11.2025 20:26
Sources 1
About this happening:
**CentOS Web Panel (CWP)** is affected by **CVE-2025-48703**, a **critical remote command execution** flaw that lets **unauthenticated attackers** with a valid username run arbitr...
Gladinet CentreStack and Triofox workaround for CVE-2025-11371
Advisory/Mitigation
First: 10.10.2025 22:08
Last: 10.10.2025 22:08
Sources 1
About this happening:
**CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.confi...
Gladinet CentreStack and TrioFox actively exploited unauthenticated LFI remote code execution flaw (multiple vulnerabilities)
Vulnerability
First: 10.10.2025 12:34
Last: 10.10.2025 12:34
Sources 1
About this happening:
**Gladinet CentreStack** is now patched for **CVE-2025-11371**, an **unauthenticated local file inclusion** flaw that threat actors have used as a **zero-day** since **late Septem...
Latest development: 05.11.2025 08:12
Huntress detected active exploitation attempts targeting CVE-2025-11371 in Gladinet CentreStack and Triofox, with unknown threat actors using Base64-encoded payloads to run reconnaissance commands such as ipconfig /all against exposed systems. CISA also added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies were required to apply the necessary fixes by November 25, 2025.
Timeline
11.11.2025 14:30 · 2 articles
UNC6485 exploitation of Triofox CVE-2025-12480 begins
Exploitation Observed
Mandiant assessed that UNC6485's exploitation of Gladinet Triofox began on August 14, 2025, with attackers abusing CVE-2025-12480 in older Triofox versions to bypass access controls, reach restricted setup pages, create a native Cluster Admin account, and prepare code execution through the built-in anti-virus feature.
Sources:
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Hackers abuse Triofox antivirus feature to deploy remote access tools — www.bleepingcomputer.com — 11.11.2025 22:01
10.11.2025 02:00 · 1 article
Mandiant discloses Triofox CVE-2025-12480
Initial Disclosure
On November 10, 2025, Mandiant reported CVE-2025-12480 as a critical improper access control flaw in Triofox versions prior to 16.7.10368.56560, described the spoofed localhost Host header path to AdminDatabase.aspx, and noted that Gladinet had already released Triofox 16.7.10368.56560 in June.
Sources:
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30