PT-2025-46160 · Triofox · Triofox

Published 2025-11-10 · Updated 2026-01-23 · CVE-2025-12480

CVSS v2.0 · 9.4 · Critical · AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Triofox versions prior to 16.7.10368.56560

Description

Triofox is vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. This vulnerability, tracked as CVE-2025-12480, is actively exploited by the UNC6485 threat cluster. Attackers can bypass authentication by manipulating the HTTP Host header, gaining access to administrative functions and potentially achieving SYSTEM-level code execution. The exploitation involves creating an administrative account and leveraging the built-in antivirus feature to execute malicious payloads, such as centre report.bat, which downloads and executes additional tools like Zoho Assist and AnyDesk. The /AdminAccount.aspx page is central to the exploitation process. The vulnerability has been observed in the wild since August 24, 2025.

Recommendations

Upgrade Triofox to version 16.7.10368.56560 or later. Audit existing admin accounts. Verify that the antivirus feature is not configured to execute unauthorized scripts.
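A log check to support the account audit recommended above, added here as an example and not code from this advisory or the vendor: it scans IIS W3C logs for requests to /AdminAccount.aspx whose Host header is not one of the site's expected names. The hostname allow-list, the assumption that the cs-host field is logged, and the sample log lines are constructed for illustration.

```python
# Assumptions (not from the advisory): IIS W3C logs with the cs-host field
# enabled; EXPECTED_HOSTS holds the names clients legitimately use.
EXPECTED_HOSTS = {"files.example.com"}   # hypothetical public hostname
SETUP_PAGES = {"/adminaccount.aspx"}     # setup page named in the advisory

# Constructed sample log: documentation addresses, placeholder Host values.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-01-01 10:01:02 198.51.100.7 GET /login.aspx files.example.com 200
2025-01-01 10:01:09 203.0.113.50 GET /AdminAccount.aspx unexpected-host.invalid 200
2025-01-01 10:01:15 203.0.113.50 POST /AdminAccount.aspx unexpected-host.invalid:443 302
2025-01-01 10:02:00 198.51.100.7 GET /AdminAccount.aspx files.example.com 302
"""


def normalize_host(value):
    """Lower-case a Host header value and drop a trailing :port."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def find_suspect_requests(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (date, time, c-ip, method, host) for setup-page hits with an unexpected Host."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            if "cs-host" not in fields:
                # Without the Host header in the log this check cannot work.
                raise ValueError("cs-host is not logged; enable it in IIS logging")
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "").lower()
        if path in SETUP_PAGES and normalize_host(row["cs-host"]) not in expected_hosts:
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("cs-method"), row["cs-host"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("review:", *hit)
```

Source addresses returned by this check are a starting point for correlating with admin accounts created around the same timestamps.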

Exploit

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-14010
CVE-2025-12480
TRIOFOXCVE2025_12480

Affected Products

Triofox