Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature


These articles are AI-generated summaries. Please check the original sources for full details.

Vulnerability Overview

  • CVE-2025-12480: A critical vulnerability in Gladinet’s Triofox platform (CVSS score: 9.1) that allows attackers to bypass authentication and access configuration pages.
  • Impact: Enables arbitrary payload upload and execution, granting attackers administrative control.
  • Patch Status: Gladinet released a fix in version 16.7.10368.56560, but exploitation began as early as August 24, 2025, nearly a month prior.
  • Context: This is the third active exploitation of Triofox flaws in 2025, following CVE-2025-30406 and CVE-2025-11371.

Exploitation Methodology

  • Threat Actor: UNC6485, a cluster identified by Mandiant, weaponized the flaw to:
    • Bypass Authentication: Access Triofox configuration pages without valid credentials.
    • Create Admin Account: Used the setup process to generate a “Cluster Admin” account, granting full system privileges.
    • Leverage Antivirus Feature: Exploited the built-in antivirus functionality to execute malicious scripts.
      • Mechanism: Attackers configured the antivirus engine to point to a malicious batch script (centre_report.bat), which ran under the SYSTEM account due to inherited privileges.
      • Payload: The script downloaded Zoho Unified Endpoint Management System (UEMS) from an IP (84.200.80[.]252) to deploy remote access tools like Zoho Assist and AnyDesk.

Attack Chain and Impact

  • Remote Access: Zoho Assist was used for reconnaissance, followed by:
    • Password Changes: Modified existing account passwords.
    • Privilege Escalation: Added compromised accounts to local administrators and Domain Admins groups.
  • Evasion Tactics:
    • Used Plink and PuTTY to establish an encrypted SSH tunnel to a C2 server over port 433.
    • Enabled inbound RDP traffic for further access.
  • Objective: The ultimate goal of the campaign remains unclear, but the attack chain suggests persistent access and data exfiltration capabilities.

Mitigation and Recommendations

  • Immediate Actions:
    • Update Triofox: Apply the latest patch (version 16.7.10368.56560) to address the vulnerability.
    • Audit Admin Accounts: Verify the existence of unauthorized admin accounts (e.g., “Cluster Admin”).
    • Restrict Antivirus Configuration: Ensure the antivirus engine is not configured to execute arbitrary scripts or binaries.
  • Best Practices:
    • Regularly monitor for unusual file uploads or unexpected admin account creation.
    • Implement least-privilege policies for system accounts.
    • Use network segmentation to limit lateral movement post-exploitation.
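A host-side audit for the indicators the summary lists (script used as the antivirus engine, unexpected local administrators, Plink/PuTTY tunnels to port 433, inbound RDP), added here as an example and not taken from the article, Mandiant or Gladinet. It assumes it runs elevated on the Triofox Windows host, that `$AvEnginePath` is the antivirus-engine value an operator copies out of the Triofox console (no config-file location is assumed), and that `$expectedAdmins` is a constructed allow-list the reader replaces.

```powershell
# Added example: audit a Triofox host for the post-exploitation indicators described above.
# Assumptions: elevated PowerShell; $AvEnginePath copied from the Triofox antivirus setting.
param(
    [string]$AvEnginePath = 'C:\PLACEHOLDER\centre_report.bat'   # placeholder, copy from console
)

$findings = @()

# 1. The antivirus engine should be a scanner binary, not a script interpreter target.
if ($AvEnginePath -match '\.(bat|cmd|ps1|vbs|js)$') {
    $findings += "Antivirus engine path points to a script: $AvEnginePath"
}

# 2. Local Administrators members not on the allow-list (constructed list; edit for your host).
$expectedAdmins = @("$env:COMPUTERNAME\Administrator")
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
foreach ($m in $admins) {
    if ($expectedAdmins -notcontains $m) { $findings += "Unexpected Administrators member: $m" }
}

# 3. Tunnelling tools and established connections to remote port 433 (the C2 port reported).
$tunnelProcs = Get-Process -Name plink, putty -ErrorAction SilentlyContinue
foreach ($p in $tunnelProcs) {
    $findings += "Tunnelling tool running: $($p.ProcessName) (PID $($p.Id))"
}
$conns = Get-NetTCPConnection -RemotePort 433 -State Established -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Established connection to $($c.RemoteAddress):433 from PID $($c.OwningProcess)"
}

# 4. Remote Desktop enabled and allowed inbound by the Windows firewall.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -Direction Inbound -ErrorAction SilentlyContinue
if ($rdpRules) { $findings += "Enabled inbound RDP firewall rules: $(@($rdpRules).Count)" }

# Report: any hit warrants a closer look against change records, not an automatic verdict.
if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```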

Reference

https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html
