PT-2025-46160 · Triofox · Triofox

Published 2025-11-10 · Updated 2025-12-19 · CVE-2025-12480

CVSS v3.1: 9.4
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Triofox versions prior to 16.7.10368.56560

Description

Triofox is vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. This vulnerability, designated CVE-2025-12480, allows attackers to bypass authentication and gain access to the application’s configuration pages. Attackers have been observed exploiting this flaw, including the UNC6485 threat cluster, to install remote access tools via the antivirus feature. The exploitation involves manipulating the HTTP Host header to gain unauthorized access and then leveraging the antivirus functionality to execute arbitrary code with SYSTEM-level privileges. Attackers have been observed deploying tools such as PLINK, Zoho Assist, and AnyDesk. The vulnerability was actively exploited as early as August 24, 2025, shortly after a patch was released in July 2025.

Recommendations

Upgrade Triofox to version 16.7.10368.56560. Audit existing admin accounts. Verify that the antivirus feature is not configured to execute unauthorized scripts.

Exploit

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-14010
CVE-2025-12480
TRIOFOXCVE2025_12480

Affected Products

Triofox