A threat actor has exploited a critical vulnerability in Triofox to gain remote access to a vulnerable server and then achieve code execution, Google warns.
Designed to ease remote work and data management, Gladinet's Triofox is a secure file sharing and remote access solution that can be integrated with existing IT infrastructure.
Prior to version 16.7.10368.56560, Triofox was affected by a critical-severity improper access control vulnerability that allowed attackers to reach the initial setup pages even after the setup process had been completed.
The issue, tracked as CVE-2025-12480 (CVSS score of 9.1), was resolved in late July by blocking access to the initial configuration pages once Triofox has been set up.
In late August, Google caught a threat actor tracked as UNC6485 exploiting the security defect against a vulnerable Triofox server in an HTTP Host header attack, to create a new administrative account.
The threat actor modified an HTTP GET request to the AdminDatabase.aspx page, which is automatically launched after Triofox is installed. From there, the attackers accessed the AdminAccount.aspx page, which redirects to the InitAccount.aspx page, where they created a new administrator account.
The attack was possible because ASP.NET used the HTTP Host header, which the threat actor could modify, to build Request.Url; because Triofox did not check whether the request actually came from a localhost connection; and because no protection was present apart from that Host header check.
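The access-control lesson in the two paragraphs above, modelled in Python as an added illustration (this is not Triofox's code; the Request class, the function names and the sample addresses are assumptions): a guard that derives "is this request local" from the client-supplied Host header is satisfied by whatever value the client sends, while a guard keyed on the peer address of the connection and on whether setup has already finished is not.

```python
"""Illustration of the flaw class described in the advisory: a setup-page
guard that trusts the Host header versus one that uses server-observed
facts. Hypothetical model, not Triofox code."""
import ipaddress
from dataclasses import dataclass

# Setup pages named in the advisory.
SETUP_PAGES = {"/AdminDatabase.aspx", "/AdminAccount.aspx", "/InitAccount.aspx"}


@dataclass(frozen=True)
class Request:
    path: str          # URL path requested
    host_header: str   # HTTP Host header value (chosen by the client)
    remote_addr: str   # peer address of the TCP connection (observed by the server)


def weak_allows_setup_page(req: Request) -> bool:
    """Guard in the style the advisory describes: the only check is on the
    Host header, the same value ASP.NET folds into Request.Url. Nothing here
    is tied to where the connection really came from."""
    if req.path not in SETUP_PAGES:
        return True
    host = req.host_header.split(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "127.0.0.1", "::1")


def hardened_allows_setup_page(req: Request, setup_completed: bool) -> bool:
    """Two server-side conditions, neither derivable from request headers:
    setup pages are closed once setup has completed (the behaviour the fixed
    version introduces), and before that they are reachable only over a
    loopback connection, judged by the peer address rather than the Host header."""
    if req.path not in SETUP_PAGES:
        return True
    if setup_completed:
        return False
    try:
        peer = ipaddress.ip_address(req.remote_addr)
    except ValueError:
        return False
    return peer.is_loopback


if __name__ == "__main__":
    # Constructed sample: an external client presenting a loopback Host header.
    sample = Request("/AdminDatabase.aspx", "localhost", "203.0.113.5")
    print("weak guard:    ", weak_allows_setup_page(sample))
    print("hardened guard:", hardened_allows_setup_page(sample, setup_completed=True))
```

The point of the hardened variant is that both inputs it consults (the socket's peer address and the persisted "setup completed" flag) are state the server owns; the Host header is not, and a framework that builds `Request.Url` from it inherits the same weakness anywhere that URL is later compared against "localhost".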
After creating the new admin account, the attackers logged in to the server and abused a built-in antivirus feature that lets users supply an arbitrary path for the antivirus executable, to run a malicious file with System privileges.
When publishing a new share in Triofox, the application displays the on-disk folder path of any shared folder. The attackers uploaded an arbitrary file to a published share and then configured the antivirus path to point to it.
The file, a malicious batch script, executed a PowerShell command to fetch and run a second-stage payload identified as a copy of the legitimate Zoho Unified Endpoint Management System (UEMS) software installer. The agent was used to execute the Zoho Assist and AnyDesk remote access tools.
UNC6485 used Zoho Assist to enumerate active SMB sessions and user information, and was seen attempting to change the passwords of existing accounts and to add those accounts to the local and domain administrator groups.
Additionally, the threat actor deployed two utilities to set up an encrypted tunnel over SSH to their command-and-control (C&C) server, Google explains.
Organizations using Triofox are advised to update to version 16.7.10368.56560 or newer, to audit administrator accounts, and to ensure that the Triofox antivirus engine is not allowed to execute unauthorized scripts or binaries.
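A retrospective check that complements the advice above, written here as an added example (it is not Google's or Gladinet's tooling): a pass over the web server's access log that flags requests to the three setup pages named in the advisory when they come from a non-loopback client, arrive after the installation's setup was completed, or carry a Host header claiming loopback while the connection does not. The log lines are constructed, and the `#Fields` selection is an assumed IIS W3C layout rather than Triofox's own logging configuration.

```python
"""Flag access to Triofox setup pages in an IIS-style W3C access log.
Added example; sample log, setup timestamp and field layout are constructed."""
import ipaddress
from datetime import datetime, timezone

# Setup pages named in the advisory, compared case-insensitively (IIS paths are).
SETUP_PAGES = {"/admindatabase.aspx", "/adminaccount.aspx", "/initaccount.aspx"}

# Constructed sample log in IIS W3C extended format (IIS writes timestamps in UTC).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-20 09:00:01 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-24 13:15:02 198.51.100.7 GET /management/login.aspx files.example.test 200
2025-08-25 02:41:10 203.0.113.5 GET /AdminDatabase.aspx localhost 200
2025-08-25 02:41:12 203.0.113.5 GET /AdminAccount.aspx localhost 302
2025-08-25 02:41:13 203.0.113.5 GET /InitAccount.aspx localhost 200
2025-08-25 02:41:20 203.0.113.5 POST /InitAccount.aspx localhost 302
2025-08-25 03:00:00 198.51.100.7 GET /share/docs.aspx files.example.test 200
"""

# Constructed: when this hypothetical installation finished its initial setup.
SETUP_COMPLETED_AT = datetime(2025, 8, 20, 10, 0, tzinfo=timezone.utc)


def _is_loopback(value):
    """True for 'localhost', 127.0.0.0/8 or ::1, with an optional :port suffix."""
    v = value.strip().lower()
    if v.startswith("["):                       # bracketed IPv6 literal
        v = v[1:v.find("]")] if "]" in v else v[1:]
    elif v.count(":") == 1:                     # host:port (IPv4 or a name)
        v = v.split(":")[0]
    if v == "localhost":
        return True
    try:
        return ipaddress.ip_address(v).is_loopback
    except ValueError:
        return False


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_setup_page_access(text, setup_completed_at):
    """Return flagged setup-page records, each with the reasons it was flagged."""
    findings = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() not in SETUP_PAGES:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"],
                               "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        client_local = _is_loopback(rec["c-ip"])
        reasons = []
        if not client_local:
            reasons.append("non-loopback client")
        if ts >= setup_completed_at:
            reasons.append("after setup completed")
        if _is_loopback(rec.get("cs-host", "")) and not client_local:
            reasons.append("Host header claims loopback")
        if reasons:
            findings.append({"time": ts, "client": rec["c-ip"], "method": rec["cs-method"],
                             "path": rec["cs-uri-stem"], "status": rec["sc-status"],
                             "reasons": reasons})
    return findings


def sequence_by_client(findings):
    """Group flagged paths per client in time order, exposing a setup-page chain."""
    chains = {}
    for f in sorted(findings, key=lambda f: f["time"]):
        chains.setdefault(f["client"], []).append(f["path"])
    return chains


if __name__ == "__main__":
    hits = find_setup_page_access(SAMPLE_LOG, SETUP_COMPLETED_AT)
    for h in hits:
        print(h["time"].isoformat(), h["client"], h["method"], h["path"], "-", "; ".join(h["reasons"]))
    print(sequence_by_client(hits))
```

The per-client grouping matters more than any single hit: a legitimate post-install visit to AdminDatabase.aspx from the console is one loopback record before the setup timestamp, whereas the chain the advisory describes is AdminDatabase.aspx, then AdminAccount.aspx, then InitAccount.aspx from one external address. Any such chain after the setup date should trigger the administrator-account audit the advisory recommends, followed by a review of the antivirus path setting.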
