Hackers Abuse Triofox Antivirus Feature for SYSTEM Privilege Escalation

A critical vulnerability in the Triofox file-sharing platform is being actively exploited by a threat actor to gain full system control. Tracked as CVE-2025-12480, this flaw allows unauthenticated attackers to access configuration pages and create new administrator accounts. Google's Mandiant team observed a group known as UNC6485 exploiting this weakness to establish a foothold nearly a month after a patch was available.

After creating an admin account, the attackers leveraged a built-in antivirus configuration feature to achieve code execution. They uploaded a malicious batch script and pointed the antivirus engine's path to this file, causing it to run with SYSTEM-level privileges. This script then downloaded and installed Zoho's Unified Endpoint Management System, which was used to deploy remote access tools like Zoho Assist and AnyDesk.

The attackers used this access for reconnaissance, attempted to change user passwords, and added accounts to privileged groups like "Domain Admins." They also employed tools like Plink to create encrypted SSH tunnels for command-and-control communication, aiming to enable inbound RDP traffic. This is the third Triofox flaw to be exploited this year, underscoring the need for users to apply the latest patches, audit administrative accounts, and verify that the antivirus feature is not configured to run unauthorized files.
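The article's last recommendation, checking that the antivirus feature cannot be pointed at an arbitrary uploaded file, is the kind of audit a defender would script. The following is an added example, not code from the article or from Triofox: it takes whatever engine path is configured (where Triofox stores that value is an assumption you must fill in) and flags a script extension, a location outside the trusted program directories, a missing Authenticode signature, or a file that non-administrators can modify.

```powershell
# Added example (not from the article or Triofox): audit a configured antivirus
# engine path for the abuse pattern described above (a batch script substituted
# for the scanner binary and run as SYSTEM). $ConfiguredPath is a placeholder.
function Test-AvEnginePath {
    param(
        [Parameter(Mandatory)] [string] $ConfiguredPath,
        # Directories where a legitimate scanner binary is expected (assumption).
        [string[]] $TrustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    $findings = @()
    $scriptExt = '.bat', '.cmd', '.ps1', '.vbs', '.js', '.wsf', '.hta'
    $ext = [System.IO.Path]::GetExtension($ConfiguredPath).ToLowerInvariant()
    if ($scriptExt -contains $ext) {
        $findings += "Path points to a script ($ext), not a scanner executable"
    }
    if (-not (Test-Path -LiteralPath $ConfiguredPath -PathType Leaf)) {
        $findings += "Configured file does not exist"
        return $findings
    }
    $full = (Resolve-Path -LiteralPath $ConfiguredPath).Path
    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($root -and $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
        }
    }
    if (-not $inTrusted) { $findings += "File is outside trusted program directories: $full" }
    # A real scanner binary should carry a valid publisher signature.
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode signature status: $($sig.Status)" }
    # A file executed as SYSTEM must not be writable by ordinary users.
    $acl = Get-Acl -LiteralPath $full
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData) -and
            $ace.IdentityReference.Value -match 'Users|Everyone|Authenticated Users') {
            $findings += "Writable by $($ace.IdentityReference.Value)"
        }
    }
    return $findings
}

# Placeholder: replace with the engine path shown in your Triofox antivirus settings.
$ConfiguredPath = 'C:\PLACEHOLDER\scanner.exe'
$result = Test-AvEnginePath -ConfiguredPath $ConfiguredPath
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Any finding warrants comparing the configured value against the vendor's documented default and reviewing who changed it, since the account that changed it may be the rogue administrator the article describes.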
