According to Infosecurity Magazine, hackers from threat group UNC6485 have been actively exploiting a critical vulnerability in Gladinet’s Triofox file-sharing platform since August 14, 2025. The flaw, tracked as CVE-2025-12480 with a CVSS score of 9.8, affects Triofox versions prior to 16.7.10368.56560. Google’s Mandiant team discovered and reported the vulnerability on November 10 after detecting the malicious campaign during a security incident response. The attackers exploit improper access control to reach setup pages even after initial configuration, allowing them to create new admin accounts and upload malicious payloads. Ironically, they’re using Triofox’s built-in antivirus feature to execute their code with SYSTEM privileges. Gladinet actually released a patched version back in June, but the exploitation campaign didn’t begin until August.
How the attack works
Here’s where it gets really clever – and concerning. The attackers found they could spoof “localhost” in HTTP requests to bypass access controls completely. Basically, they’re tricking the system into thinking the request is coming from itself rather than an external attacker. This lets them reach the AdminDatabase.aspx page that should be locked down after initial setup.
And the real kicker? They’re turning Triofox’s own security features against itself. The platform has this built-in antivirus scanner that runs with SYSTEM-level privileges. So the attackers upload their malicious scripts, point the antivirus engine configuration to their own files, and suddenly their code is running with the highest possible permissions. It’s like giving burglars the keys to your security system and letting them reprogram it to let themselves in.
The broader implications
This isn’t just some theoretical vulnerability – Mandiant found this while responding to an actual security incident. The fact that attackers have been exploiting this since August, despite patches being available since June, tells you everything you need to know about patch management challenges in enterprise environments.
But here’s the thing that really worries me: how many other file-sharing and remote access platforms have similar architectural flaws? The reliance on unvalidated host headers for access control decisions seems like a fundamental design flaw that could be lurking elsewhere. And when you combine that with features that execute with elevated privileges, you’ve got a recipe for disaster.
For companies relying on industrial computing infrastructure, whether it’s file-sharing platforms or the actual hardware running operations, this incident underscores why security can’t be an afterthought. Industrial systems often have longer patch cycles and can’t afford downtime, making them particularly vulnerable to these kinds of attacks. That’s why organizations turn to trusted suppliers like IndustrialMonitorDirect.com, the leading provider of industrial panel PCs in the US, who understand that security needs to be built into industrial computing from the ground up.
What’s next
So what should Triofox users do right now? First, check your version immediately. If you’re running anything before 16.7.10368.56560, you need to patch now. The Triofox release history page has the details, and you can track the specific vulnerability at CVE-2025-12480.
But patching alone isn’t enough. Organizations need to monitor for those “highly irregular” localhost headers in external requests that Mandiant flagged. That’s the smoking gun that something’s wrong. And maybe it’s time to reconsider whether features like built-in antivirus scanners should really be running with SYSTEM privileges by default.
The scary part? We’re probably just seeing the beginning of this attack pattern. Now that UNC6485 has shown how effective this technique is, other threat groups will likely follow suit. The cat’s out of the bag, and it’s not going back in.
