Attackers Exploit Triofox Auth Bug to Gain Administrator Access


November 12, 2025 | 6 min read | Category: Threat Intelligence

Attackers are chaining a Triofox authentication bypass with a risky product configuration to get full control of Windows servers. The bug is tracked as CVE-2025-12480 and it was seen in the wild by Google’s threat intelligence teams and Mandiant. The short version is this: an internet request can be made to look like it came from the server itself, which unlocks Triofox setup pages. From there, the built‑in antivirus integration becomes an easy way to run attacker code as SYSTEM.

What happened

Analysts spotted a Triofox server on version 16.4.10317.56372 being targeted in late August. The root issue is an access control gap. In vulnerable builds, Triofox treats a request as local admin traffic when the request host evaluates to localhost. If the optional TrustedHostIp setting is not defined in the web config, that localhost check becomes the only guard. An external attacker can spoof this value in HTTP headers so the app believes the request is coming from itself. That opens the admin database setup flow on a live system.

Once inside the setup workflow, the intruder created a new admin user and moved to the next stage. Triofox allows admins to point the platform at an external antivirus scanner binary. Anything launched from that setting inherits the Triofox service account, which often runs as SYSTEM. The attackers uploaded a script and set its path as the antivirus engine. When Triofox tried to invoke the scanner, it executed the attacker’s script with the highest local privileges.

From there, the script pulled down a loader with PowerShell. Investigators observed Zoho UEMS used to deploy Zoho Assist and AnyDesk for remote access and lateral movement. They also saw Plink and PuTTY dropped to create SSH tunnels and forward traffic into RDP on port 3389. None of this required advanced exploit shellcode. It was configuration abuse after a logic flaw opened the door.

What is fixed and what is not

Gladinet addressed CVE-2025-12480 in Triofox 16.7.10368.56560 on July 26. That release closes the localhost shortcut around the setup pages. Mandiant validated the fix with the vendor. The current release as of October 14 is 16.10.10408.56683, which also includes remediation for a separate local file inclusion issue, tracked as CVE-2025-11371, that had seen exploitation. If you are on an older 16.4 build, or you only took the July update, you should plan to move to the latest available version.

Why this matters

This is a classic example of how convenience features can become execution points. A single logic check granted access to a first‑run setup wizard in production. An integration designed to let you plug in an antivirus engine turned into a reliable launcher for arbitrary code. Because the launched process inherits the service identity, the payoff is immediate and powerful. The rest of the attack chain uses common admin tools, so it blends in.

How to reduce risk right now

Patch directly to 16.10.10408.56683 or newer. Do not stop at the July fix if you can avoid it. After patching, set TrustedHostIp explicitly so the app knows which addresses are truly local. Put a reverse proxy or WAF in front of Triofox that enforces strict header validation so Host and Referer spoofing cannot influence routing or application logic.

Audit Triofox configuration with fresh eyes. Check that the antivirus scanner path points to a known, signed engine and cannot be swapped for a script. Review all admin accounts created since late summer and remove anything unknown. Rotate credentials and tokens tied to Triofox roles.

Hunt for signs of abuse. Look for unexpected access to the admin database, requests that evaluated as localhost but came from outside, and changes to the antivirus scanner setting. On the host, review process creation from the Triofox service account. Investigate any recent installs of Zoho Assist or AnyDesk that do not match change control. Search for Plink and PuTTY, and also look for new SSH tunnels followed by RDP spikes.
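The "requests that evaluated as localhost but came from outside" hunt above, as an added example that is not from the article or from Gladinet: it walks constructed web-server log lines (W3C-style fields, assumed) and flags any request whose Host header names the loopback interface while the client address is neither loopback nor in a trusted-host list, plus any hit on the setup pages from an untrusted client. The paths and the trusted address are placeholders; the real Triofox URLs are not given in the article.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder paths standing in for the admin-database setup page and the
# antivirus-engine setting page (hypothetical, not the product's real URLs).
SENSITIVE_PATHS = {"/setup/admin-db", "/setup/av-engine"}
# Addresses allowed to present a loopback Host header; stands in for a populated
# TrustedHostIp. An empty set models the vulnerable "not defined" state.
TRUSTED_HOST_IPS = {"10.0.0.5"}

# Constructed sample lines: date time client-ip method path host-header status
SAMPLE_LOG = """\
2025-08-24 09:12:01 203.0.113.7 GET /portal/login triofox.example.com 200
2025-08-24 09:13:15 203.0.113.7 GET /setup/admin-db localhost 200
2025-08-24 09:13:40 203.0.113.7 POST /setup/admin-db 127.0.0.1:80 302
2025-08-24 09:15:02 127.0.0.1 GET /setup/admin-db localhost 200
2025-08-24 09:16:30 10.0.0.5 GET /setup/admin-db [::1] 200
2025-08-24 09:20:11 203.0.113.7 POST /setup/av-engine localhost 200
2025-08-24 09:25:00 198.51.100.9 GET /setup/av-engine triofox.example.com 403
"""

@dataclass
class Finding:
    line_no: int
    client_ip: str
    host_header: str
    path: str
    reason: str

def _host_name(host_header: str) -> str:
    """Host part of a Host header with any port removed ("[::1]:443" -> "::1")."""
    h = host_header.strip()
    return h[1:h.index("]")] if h.startswith("[") else h.split(":", 1)[0]

def _is_loopback(value: str) -> bool:
    """True for 'localhost' or any loopback IP literal; False for anything else."""
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False

def find_spoofed_localhost(log_text: str) -> list[Finding]:
    """Return one Finding per request that abuses the localhost shortcut."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 7 or line.startswith("#"):
            continue  # comment or malformed line: skip rather than abort the hunt
        client_ip, path, host_header = parts[2], parts[4], parts[5]
        trusted = _is_loopback(client_ip) or client_ip in TRUSTED_HOST_IPS
        if _is_loopback(_host_name(host_header)) and not trusted:
            findings.append(Finding(n, client_ip, host_header, path,
                                    "external client presented a loopback Host header"))
        elif path in SENSITIVE_PATHS and not trusted:
            findings.append(Finding(n, client_ip, host_header, path,
                                    "setup page reached from an untrusted address"))
    return findings
```

Line 4 (loopback client) and line 5 (trusted address) are deliberately left unflagged so the rule stays quiet for legitimate local administration.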

Treat post‑install setup pages as production assets and block them from external access. Limit what the Triofox service account can do and where it can write. Baseline your configuration and alert on changes to critical fields, especially anything that launches external binaries. Require phishing-resistant MFA for Triofox admins and keep a tight allow list of where the admin interface can be reached from. Finally, review other integrations with the same lens. If a feature lets you point at an external executable, make sure only approved, signed paths are allowed and that those tools run with least privilege.

Incidents like this are a reminder that small logic bugs can turn into full server compromise when they intersect with trusted automation. Closing those gaps, watching for the telltale configuration changes, and patching quickly are what keep a foothold from becoming an outage.

Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.