CVE-2025-12480 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-11-10

Added to CISA KEV: 2025-11-12 2 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade to TrioFox version 16.7.10368.56560 or later
Review all TrioFox access logs for suspicious administrative activities or unauthorized configuration changes
Implement network monitoring to detect HTTP Host header attacks against TrioFox instances
Scan for Cobalt Strike beacons or other malware that may have been deployed through this vulnerability
Consider temporarily blocking access to setup/admin pages at the network level until patching is complete

🔍 Web Intelligence

Key Sources:

CVE-2025-12480 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-12480 is a critical authentication bypass vulnerability (CVSS score: 9.1) affecting Gladinet's Triofox file-sharing and remote access platform versions prior to 16.7.10368.56560. The vulnerability was discovered in August 2025 and allows unauthenticated attackers to bypass authentication and access the application's configuration pages. The flaw was actively exploited by a threat ...
Triofox CVE-2025-12480 Exploited in Attacks Despite Available Patch
Google’s Mandiant confirmed active exploitation of CVE-2025-12480, a critical authentication bypass flaw in Gladinet’s Triofox platform. The vulnerability allows unauthorized admin access and remote code execution, with attackers deploying backdoors and Cobalt Strike payloads against unpatched enterprise environments.
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active ...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-11371 (CVSS score: 7.5) - A vulnerability in files or directories accessible to ...
Attackers exploited another Gladinet Triofox zero-day (CVE-2025-12480)
CVE-2025-12480 exploitation and attack details. Gladinet’s Triofox solution is used by medium and large businesses to securely share files and allow users to access them without a VPN.The attackers exploited CVE-2025-12480 on a server running Triofox v16.4.10317.56372, which was released in April 2025 to fix CVE-2025-30406, a deserialization vulnerability affecting Triofox and Gladinet’s MSP-friendly file sharing platform CentreStack. According to its NVD entry, CVE-2025-30406 was exploited as a zero-day beginning in March 2025.
Unauthenticated Remote Access via Triofox Vulnerability ...
24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and ...

🔴 CVE-2025-12480

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence

Key Sources: