PT-2025-46160 · Triofox · Triofox

Published

2025-11-10

·

Updated

2025-12-19

·

CVE-2025-12480

CVSS v2.0
9.4
Vector AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Triofox versions prior to 16.7.10368.56560
Triofox versions prior to 16.10.10408.56683
Triofox versions 16.4.10317.56372 and earlier
Description
Triofox is vulnerable to an Improper Access Control flaw: the initial setup pages remain reachable without authentication even after setup has been completed. An attacker reaches them by manipulating the HTTP Host header, bypasses authentication, creates an administrative account, and from there obtains remote code execution (RCE) with SYSTEM-level privileges. Attackers have been observed chaining this flaw with abuse of Triofox's built-in antivirus feature: after creating the admin account, they point the configured antivirus path at a malicious payload such as centre report.bat, which Triofox then executes. The payload is used to download and run additional tooling, gather system information, and deploy remote access tools including Zoho Assist, AnyDesk, Plink, and PuTTY. The threat cluster UNC6485 has been actively exploiting this vulnerability since August 2025.
Recommendations
Triofox versions prior to 16.7.10368.56560: upgrade to version 16.7.10368.56560 or later.
Triofox versions prior to 16.10.10408.56683: upgrade to version 16.10.10408.56683 or later.
Triofox versions 16.4.10317.56372 and earlier: upgrade to a newer version.
Audit existing admin accounts for entries you did not create.
Verify that the antivirus feature is not configured to execute unauthorized scripts.
Monitor outbound SSH traffic for suspicious activity.
Implement hunting queries to detect artifacts associated with this attack methodology.
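The description above says the setup pages are reached by manipulating the HTTP Host header, and the recommendations call for hunting queries. The following is an added example of such a hunt, written for this page; it is not Triofox's code and not a query from the advisory. It assumes the web server writes W3C extended logs with the cs-host field enabled (so the Host header is recorded), that the setup pages live under the hypothetical prefix /management/setup (the advisory names no paths), and that the log lines embedded below are constructed. The rule it implements: a request whose Host header names the local machine (localhost or a loopback address) but whose client address is not loopback is suspicious, and is high severity when it also targets a setup-page path.

```python
"""Hunt web logs for setup-page access via a spoofed loopback Host header.

Added example (not Triofox's or the advisory's own code). Assumptions:
W3C extended log format with the cs-host field enabled; setup pages under
SETUP_PATH_PREFIXES (hypothetical); SAMPLE_LOG is constructed test data.
"""
import ipaddress

# Hypothetical path prefix(es) of the initial setup pages; adjust per deployment.
SETUP_PATH_PREFIXES = ("/management/setup",)

# Constructed sample log: one benign request, three remote requests carrying a
# loopback Host header, and one genuinely local request that must not alert.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-host sc-status
2025-08-20 10:15:01 10.0.0.5 GET /portal/loginpage.aspx - triofox.example.com 200
2025-08-20 10:15:07 203.0.113.44 GET /management/setup/default.aspx - localhost 200
2025-08-20 10:15:09 203.0.113.44 POST /management/setup/default.aspx - localhost:443 302
2025-08-20 10:16:00 127.0.0.1 GET /management/setup/default.aspx - localhost 200
2025-08-20 10:17:30 198.51.100.9 GET /portal/loginpage.aspx - 127.0.0.1 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def _strip_port(host):
    """Drop a :port suffix from a Host value; keep bare IPv6 literals intact."""
    h = host.lower()
    if h.startswith("[") and "]" in h:
        return h[1:h.index("]")]
    if h.count(":") == 1:
        return h.rsplit(":", 1)[0]
    return h


def host_is_loopback(host):
    """True when the Host header names the server itself."""
    h = _strip_port(host)
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def client_is_loopback(ip):
    """True when the client address is a loopback address."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def hunt(records):
    """Flag remote requests that present a loopback Host header."""
    findings = []
    for r in records:
        host = r.get("cs-host", "-")
        if host == "-" or not host_is_loopback(host):
            continue
        if client_is_loopback(r.get("c-ip", "")):
            continue  # real local access, e.g. an admin on the server console
        path = r.get("cs-uri-stem", "").lower()
        findings.append({
            "time": f"{r.get('date')} {r.get('time')}",
            "client": r["c-ip"],
            "host": host,
            "path": r.get("cs-uri-stem"),
            "status": r.get("sc-status"),
            # Setup-page hits are the pattern described in the advisory.
            "severity": "high" if path.startswith(SETUP_PATH_PREFIXES) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_w3c(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['time']} {f['client']} -> {f['host']} {f['path']} {f['status']}")
```

If Triofox sits behind a reverse proxy or load balancer, c-ip will be the proxy's address and every request will look remote; log and use the forwarded client address (for example X-Forwarded-For) in its place before applying the rule. Any high-severity hit dated after the setup was completed should be followed by the admin-account audit and the antivirus-path check listed above.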

Exploit

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-14010
CVE-2025-12480
TRIOFOXCVE2025_12480

Affected Products

Triofox