- CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control
- UNC6485 attackers deployed Zoho Assist, AnyDesk and SSH tunneling for remote access
- Patch released July 26; newer version of Triofox available October 14 for mitigation
Triofox, a popular file sharing and remote collaboration platform, had a critical vulnerability that was exploited as a zero-day to deploy a remote access tool, giving attackers lateral movement capabilities.
Security researchers at Google’s Mandiant and its Threat Intelligence Group (GTIG) reported that Triofox has a built-in antivirus feature, which had an “inappropriate access control” flaw that allowed access to initial setup pages even after setup was complete.
The flaw, identified as CVE-2025-12480 and with a severity score of 9.1/10 (critical), was most likely introduced in early April 2025 and was patched in late July. However, the attacks were spotted almost a month later, suggesting that the victim organization did not apply the patch in time.
Who is UNC6485?
Researchers identified the attackers as UNC6485, an attack cluster that has not been reported in the past.
However, given that Google’s Threat Intelligence team is known for tracking down perpetrators of state-sponsored threats, it can be assumed that this group might have ties to nation-states and that the aim of the campaign was either data theft or cyber espionage and intelligence gathering.
In the attack on an anonymous victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk, two legitimate tools that granted them both remote access and lateral movement capabilities.
They also deployed the Plink and PuTTY tools to create an SSH tunnel and forward remote traffic.
The vulnerability was fixed on July 26 in Triofox version 16.7.10368.56560, and users are advised to apply the patch as soon as possible. Additionally, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14, which is the better one to install where possible.
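A triage sketch for the two points above (patch level and the remote-access tools named in the report), added here as an example; it is not code from Gladinet, Mandiant or the article. The inventory format, host names, sample versions and tool-name substrings are assumptions.

```python
import csv
import io

FIXED = (16, 7, 10368, 56560)   # July 26 patched build named in the article
NEWER = (16, 10, 10408, 56683)  # October 14 build named in the article
# Assumed substring heuristics for the tools the article names; tune per site.
TOOL_HINTS = ("plink", "putty", "anydesk", "zoho")

def parse_version(text):
    """Return a 4-int tuple, or None for anything that is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    ver = parse_version(row["triofox_version"])
    # Compare as integer tuples: as strings, "16.10" would sort before "16.7".
    if ver is None:
        status = "unknown-version"
    elif ver < FIXED:
        status = "below-fix"
    elif ver < NEWER:
        status = "fixed"
    else:
        status = "oct14-or-later"
    procs = (row["processes"] or "").lower().split(";")
    tools = sorted({h for p in procs for h in TOOL_HINTS if h in p})
    unpatched = status in ("below-fix", "unknown-version")
    if tools and unpatched:
        priority = "investigate"  # remote-access tooling on an unpatched host
    elif unpatched:
        priority = "update"
    elif tools:
        priority = "review"       # patched, but tooling may predate the patch
    else:
        priority = "ok"
    return {"host": row["host"], "status": status,
            "tools": tools, "priority": priority}

# Constructed sample inventory: hosts, the pre-fix version and paths are made up.
SAMPLE = r"""host,triofox_version,processes
fs01,16.5.10000.50000,C:\Windows\Temp\plink.exe;C:\Program Files (x86)\AnyDesk\AnyDesk.exe
fs02,16.7.10368.56560,C:\Windows\System32\svchost.exe
fs03,16.10.10408.56683,C:\Tools\putty.exe
fs04,16.x,
"""

def run(text=SAMPLE):
    return [triage(r) for r in csv.DictReader(io.StringIO(text))]
```

A "review" result is not a verdict: all of the named tools are legitimate software, so the hit only says the host deserves a look at who installed them and when.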
Via BleepingComputer




