Google’s Mandiant Threat Defense has issued a warning regarding the active n-day exploitation of a critical vulnerability in Gladinet’s Triofox file-sharing and remote access platform. The flaw, identified as CVE-2025-12480, carries a CVSS score of 9.1 and allows attackers to bypass authentication controls.
Successful exploitation enables unauthorized access to the software’s configuration pages. From there, an attacker can upload and execute arbitrary code, effectively gaining control over the affected system. This vulnerability poses a significant risk to organizations using unpatched versions of the Triofox software.
Threat Actor UNC6485 Behind Attacks
According to Mandiant’s investigation, a threat cluster designated as UNC6485 has been weaponizing this vulnerability since at least August 24, 2025. The attacks were observed nearly a month after Gladinet had already released a security update to address the issue. This highlights a critical gap where systems remained unpatched, leaving them exposed to opportunistic attackers actively scanning for vulnerable instances.
A Pattern of Exploitation
This incident marks the third security flaw in Triofox to be actively exploited by threat actors in 2025 alone, following the earlier exploitation of CVE-2025-30406 and CVE-2025-11371. Gladinet addressed CVE-2025-12480 in version 16.7.10368.56560, which secures the initial configuration pages to prevent access after the initial setup is complete. Administrators are strongly urged to apply the available patches immediately to mitigate the risk of compromise.
Source: https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html