All news with #triofox tag

Attackers Exploit Critical Triofox Flaw for Code Execution

⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.

Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE

⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.

Active Exploitation: Gladinet CentreStack LFI → RCE Bug

⚠️ Huntress reports active exploitation of an unauthenticated LFI zero-day, CVE-2025-11371, affecting Gladinet CentreStack and TrioFox up to version 16.7.10368.56560. The flaw permits disclosure of server files, including Web.config, enabling attackers to extract a hard-coded machine key that can enable a prior ViewState deserialization RCE (CVE-2025-30406). As an interim mitigation, Huntress recommends disabling the UploadDownloadProxy 'temp' handler in Web.config until a vendor patch is available.