🔓 CVE-2025-12480

CVE-2025-12480 is a critical authentication bypass vulnerability in the Triofox file-sharing platform that allows unauthenticated attackers to access administrative setup pages. The vulnerability is being actively exploited in the wild and has been added to CISA's KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 9.1

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-11-10

Added to CISA KEV: 2025-11-12 (2 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-11-12)

CVE-2025-12480 is a critical authentication bypass vulnerability affecting Gladinet's Triofox platform. Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects internet-facing applications using the Triofox platform, which is used by medium and large businesses for secure file sharing and remote access without a VPN [4][1].
  • Active Exploitation: There is confirmed active exploitation of CVE-2025-12480 in the wild [2][3].
  • Attack Vectors/Exploitation Methods:
    - Attackers exploit the vulnerability by conducting HTTP Host header attacks [4].
    - Successful exploitation allows unauthenticated attackers to bypass authentication and gain administrative access to the application's configuration pages [1][8].
    - Exploitation leads to unauthorized admin access and remote code execution [2].
    - Attackers have been observed deploying backdoors and Cobalt Strike payloads [2].
  • Targeted Attacks: A threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 has been actively exploiting this vulnerability [5].
  • CISA KEV Status: CISA has added CVE-2025-12480 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation [2][3].
  • Technical Details/Internet Exploitability:
    - CVE-2025-12480 is an improper access control flaw in Triofox versions prior to 16.7.10368.56560 [9][6].
    - It allows access to initial setup pages even after setup is complete, leading to potential misuse of the platform and undermining the system's security [9][7].
    - The vulnerability has a CVSS score of 9.1, indicating its critical severity [6][1].

Sources

  1. CVE-2025-12480 Impact, Exploitability, and Mitigation Steps | Wiz

    CVE-2025-12480 is a critical authentication bypass vulnerability (CVSS score: 9.1) affecting Gladinet's Triofox file-sharing and remote access platform versions prior to 16.7.10368.56560. The vulnerability was discovered in August 2025 and allows unauthenticated attackers to bypass authentication an…

  2. Triofox CVE-2025-12480 Exploited in Attacks Despite Available Patch

    Google’s Mandiant confirmed active exploitation of CVE-2025-12480, a critical authentication bypass flaw in Gladinet’s Triofox platform. The vulnerability allows unauthorized admin access and remote code execution, with attackers deploying backdoors and Cobalt Strike payloads against unpatched enter…

  3. CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active ...

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed bel…

  4. Attackers exploited another Gladinet Triofox zero-day (CVE-2025-12480)

    CVE-2025-12480 exploitation and attack details. Gladinet’s Triofox solution is used by medium and large businesses to securely share files and allow users to access them without a VPN. The attackers exploited CVE-2025-12480 on a server running Triofox v16.4.10317.56372, which was released in April 20…

  5. Unauthenticated Remote Access via Triofox Vulnerability ...

    24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and ...