
Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

Severity: Medium
Published: Mon Nov 10 2025 (11/10/2025, 21:58:59 UTC)
Source: AlienVault OTX General

Description

CVE-2025-12480 is a critical vulnerability in Gladinet's Triofox file-sharing platform that allows unauthenticated attackers to access configuration pages and execute arbitrary payloads. The threat actor UNC6485 has exploited it since August 2025; the attack chain involves HTTP host header manipulation and abuse of Triofox's built-in anti-virus feature to run malicious scripts. Attackers create admin accounts, deploy remote access tools such as Zoho UEMS, Zoho Assist, and AnyDesk, and establish encrypted command-and-control tunnels. The vulnerability affects Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560.

AI-Powered Analysis

Last updated: 11/11/2025, 10:01:09 UTC

Technical Analysis

CVE-2025-12480 is a critical unauthenticated remote code execution vulnerability in Gladinet's Triofox file-sharing platform, specifically affecting version 16.4.10317.56372. The flaw allows attackers to bypass authentication and gain access to configuration pages by manipulating HTTP host headers. The exploit chain further abuses the platform's built-in anti-virus feature to execute arbitrary malicious scripts, enabling attackers to create administrative accounts and deploy remote access tools such as Zoho UEMS, Zoho Assist, and AnyDesk. The threat actor UNC6485 has been observed exploiting this vulnerability since August 24, 2025, conducting reconnaissance, privilege escalation, and establishing encrypted tunnels for command-and-control communications. This multi-stage attack leverages several MITRE ATT&CK techniques including T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1574.001 (Hijack Execution Flow: DLL Side-Loading), and T1569.002 (System Services: Service Execution). The vulnerability was patched in Triofox version 16.7.10368.56560. Indicators of compromise include specific file hashes and IP addresses linked to the attacker infrastructure. The attack requires no authentication or user interaction, making it highly exploitable and dangerous for organizations relying on Triofox for secure file sharing and collaboration.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality, integrity, and availability of sensitive data shared via Triofox. Unauthorized administrative access allows attackers to manipulate configurations, deploy persistent remote access tools, and potentially move laterally within networks. The ability to execute arbitrary code without authentication can lead to data exfiltration, ransomware deployment, or disruption of business operations. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that use Triofox for file sharing are particularly vulnerable. The exploitation could undermine trust in file-sharing platforms and cause regulatory compliance issues under GDPR due to potential data breaches. The use of encrypted tunnels for command-and-control complicates detection and response, increasing the risk of prolonged undetected intrusions. The medium severity rating may underestimate the real-world impact given the ease of exploitation and the critical nature of the access gained.

Mitigation Recommendations

European organizations should immediately verify their Triofox version and upgrade to version 16.7.10368.56560 or later to patch CVE-2025-12480. Network segmentation should be enforced to limit access to Triofox servers, and strict firewall rules should restrict inbound traffic to trusted sources. Implement robust monitoring for unusual HTTP host header values and suspicious anti-virus feature activity indicative of exploitation attempts. Deploy endpoint detection and response (EDR) solutions to detect the use of remote access tools like Zoho UEMS, Zoho Assist, and AnyDesk, especially if installed without authorization. Conduct regular audits of administrative accounts on Triofox to identify unauthorized creations. Employ multi-factor authentication (MFA) on all administrative interfaces where possible, even if the vulnerability bypasses authentication, to add defense in depth. Incident response plans should include procedures for isolating compromised systems and analyzing encrypted tunnels for command-and-control traffic. Finally, raise user awareness about the risks of unauthorized remote access tools and ensure timely application of security patches.
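The recommendation above to monitor for unusual HTTP Host header values can be turned into a simple log sweep. The script below is an added example for this advisory, not Gladinet code and not a model of the exploit: it assumes the reverse proxy or web server in front of Triofox logs the Host header in a known column (a constructed, space-separated format is used here) and flags any request whose Host value is not one of the hostnames the server is expected to serve, with IP-literal and loopback hosts called out separately because they are the most common shapes of a spoofed header.

```python
"""Flag web requests whose HTTP Host header is not an expected hostname.

Added example for the CVE-2025-12480 advisory; not Gladinet's code and not
a reproduction of the exploit.  Assumes a constructed log layout:
    client_ip  [timestamp]  host  "METHOD path"  status
Adapt LOG_RE to the real front-end log format before use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed log format used by this example (not a Triofox/IIS format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    path: str
    reason: str


def _host_name_only(host: str) -> str:
    """Strip an optional :port suffix; bracketed IPv6 literals stay intact."""
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def classify_host(host: str, allowed: Set[str]) -> Optional[str]:
    """Return a reason string if the Host value is suspicious, else None."""
    name = _host_name_only(host).lower().strip("[]")
    if name in allowed:
        return None
    try:
        ipaddress.ip_address(name)
        return "ip-literal host"
    except ValueError:
        pass
    if name in ("localhost", ""):
        return "loopback-or-empty host"
    return "host not in allowlist"


def find_unexpected_hosts(lines: Iterable[str], allowed: Iterable[str]) -> List[Finding]:
    """Sweep log lines and return one Finding per request with a bad Host."""
    allowlist = {a.lower() for a in allowed}
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        reason = classify_host(m["host"], allowlist)
        if reason:
            findings.append(Finding(m["client"], m["host"], m["path"], reason))
    return findings


# Constructed sample log; hostnames, addresses and paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 [10/Nov/2025:12:00:01 +0000] files.example.com "GET /app/page1" 200',
    '203.0.113.10 [10/Nov/2025:12:00:02 +0000] files.example.com:443 "GET /app/page1" 200',
    '198.51.100.7 [10/Nov/2025:12:05:10 +0000] localhost "GET /app/page2" 200',
    '198.51.100.7 [10/Nov/2025:12:05:11 +0000] 127.0.0.1 "POST /app/page2" 200',
    '198.51.100.7 [10/Nov/2025:12:05:12 +0000] attacker.example.net "GET /app/page3" 302',
    'this line is not in the expected format and is skipped',
]

EXPECTED_HOSTS = {"files.example.com"}


def demo() -> List[Finding]:
    """Run the sweep over the constructed sample and return the findings."""
    return find_unexpected_hosts(SAMPLE_LOG, EXPECTED_HOSTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.client} sent Host={f.host} for {f.path}: {f.reason}")
```

The allowlist should contain every name legitimately used to reach the server (including the internal name if it is published behind a load balancer); anything else, and in particular loopback or IP-literal Host values arriving from external clients, is worth an alert. If the front end is IIS, its W3C log can be configured to include the cs-host field, in which case only LOG_RE needs to change.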


Technical Details

Author
AlienVault
Tlp
white
References
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
Adversary
UNC6485
Pulse Id
691260231a04d225ffb91c93
Threat Score
null

Indicators of Compromise

CVE
CVE-2025-12480

Hash
269ce7b3a3fcdf735cd8a37c04abfdae
36e31f610eef3223154e6e8fd074190f
803278de3514dbf83a5b6f39c99f4000
1f2800382cd71163c10e5ce0a32b60297489fbb5
46ddfbbb5b4193279b9e024a5d013f5d825fcdf5
481aae12b0abc29fa19f6b7af5d66ef6f811e999
16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc77b25a90837f28ad
43c455274d41e58132be7f66139566a941190ceba46082eb2ad7a6a261bfd63f
50479953865b30775056441b10fdcb984126ba4f98af4f64756902a807b453e7
ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71ea7c6a9a4eace2f

IP
216.107.136.46

URL
http://84.200.80.252/SAgentInstaller_16.7.10368.56560.zip

Threat ID: 691308308240c40e4c090aa8

Added to database: 11/11/2025, 9:56:00 AM

Last enriched: 11/11/2025, 10:01:09 AM

Last updated: 11/11/2025, 5:27:34 PM

Views: 17
