PT-2025-46160 · Triofox · Triofox
Published: 2025-11-10 · Updated: 2025-12-19 · CVE-2025-12480
CVSS v3.1: 9.4 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Triofox versions prior to 16.7.10368.56560
Description
Triofox is vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. This vulnerability, designated CVE-2025-12480, allows attackers to bypass authentication and gain access to the application’s configuration pages. Attackers have been observed exploiting this flaw, including the UNC6485 threat cluster, to install remote access tools via the antivirus feature. The exploitation involves manipulating the HTTP Host header to gain unauthorized access and then leveraging the antivirus functionality to execute arbitrary code with SYSTEM-level privileges. Attackers have been observed deploying tools such as PLINK, Zoho Assist, and AnyDesk. The vulnerability was actively exploited as early as August 24, 2025, shortly after a patch was released in July 2025.
Recommendations
- Upgrade Triofox to version 16.7.10368.56560.
- Audit existing admin accounts.
- Verify that the antivirus feature is not configured to execute unauthorized scripts.
Exploit · Fix · RCE · Improper Access Control
Weakness Enumeration
Related Identifiers
BDU:2025-14010
CVE-2025-12480
TRIOFOXCVE2025_12480
Affected Products
Triofox
References · 100
- https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 · Exploit
- https://bdu.fstec.ru/vul/2025-14010 · Security Note
- https://access.triofox.com/releases_history · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-12480 · Security Note
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md · Note
- https://t.me/true_secator/7615 · Telegram Post
- https://twitter.com/kiranhunter/status/1988585895562473651 · Twitter Post
- https://twitter.com/freedomhack101/status/1988261298715717800 · Twitter Post
- https://reddit.com/r/SecOpsDaily/comments/1ouevqu/cve202512480_detection_hackers_exploit_the · Reddit Post
- https://twitter.com/Dinosn/status/1988135332764876896 · Twitter Post
- https://twitter.com/Horizon3ai/status/1989019108285825095 · Twitter Post
- https://twitter.com/RedLegg/status/1988736573555237331 · Twitter Post
- https://securitylab.ru/news/565967.php · Note
- https://twitter.com/TechNadu/status/1988215287934796209 · Twitter Post
- https://twitter.com/gothburz/status/1988481618093252673 · Twitter Post