
Mandiant said the threat actor weaponized the unauthenticated access vulnerability to gain access to the configuration pages, and then used them to create a new native admin account, Cluster Admin, by running the setup process. The newly created account was subsequently used to conduct follow-on activities. "To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in antivirus feature."
"To set up the antivirus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the antivirus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account." The attackers, per Mandiant, ran their malicious batch script ("centre_report.bat") by configuring the path of the antivirus engine to point
Mandiant identified n-day exploitation of CVE-2025-12480 in Gladinet Triofox, an authentication bypass that grants access to the configuration pages and enables upload and execution of arbitrary payloads. The threat cluster UNC6485 weaponized the flaw as early as August 24, 2025, nearly a month after Gladinet released patches in version 16.7.10368.56560. CVE-2025-12480 is the third Triofox flaw exploited this year, following CVE-2025-30406 and CVE-2025-11371. Gladinet added protection to block the initial configuration pages after setup. Attackers created a native admin account, logged in, and abused the antivirus engine path setting to run a malicious batch script as SYSTEM.
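Two defender-side checks for the abuse pattern described above, as an added example that is not from Mandiant, Gladinet or The Hacker News: an audit of the configured antivirus scanner path, and a scan of constructed process-creation events for script hosts spawned under SYSTEM by the Triofox parent. The allowed directories, the service executable name and the sample events are assumptions, since the page gives neither Triofox's configuration format nor its process names.

```python
import ntpath

# Assumed allowed locations for a real scanner binary (not from the page).
ALLOWED_AV_DIRS = (r"c:\program files\windows defender", r"c:\program files\triofox\av")
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def audit_av_path(path: str) -> list:
    """Findings for a configured antivirus scanner path.

    The configured file runs with the Triofox parent's privileges (SYSTEM), so a
    script, or a binary outside the expected directories, is the abuse pattern
    Mandiant described for CVE-2025-12480 follow-on activity."""
    findings = []
    norm = ntpath.normpath(path).lower()
    ext = ntpath.splitext(norm)[1]
    if ext in SCRIPT_EXTS:
        findings.append(f"script interpreter target ({ext}) configured as scanner")
    elif ext != ".exe":
        findings.append(f"unexpected file type {ext or '(none)'}")
    if not any(norm.startswith(d + "\\") for d in ALLOWED_AV_DIRS):
        findings.append("scanner path outside allowed antivirus directories")
    return findings


def audit_process_events(events) -> list:
    """Alert on SYSTEM-level script hosts whose parent is the Triofox process.
    Each event is a dict with parent, image, user and cmdline (constructed)."""
    alerts = []
    for e in events:
        parent = e["parent"].lower()
        image = ntpath.basename(e["image"]).lower()
        cmd = e["cmdline"].lower()
        if ("triofox" in parent and e["user"].upper().endswith("SYSTEM")
                and image in SCRIPT_HOSTS and any(x in cmd for x in SCRIPT_EXTS)):
            alerts.append(f"{e['parent']} -> {image}: {e['cmdline']}")
    return alerts


# Constructed sample events; the service executable name is an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Triofox\TriofoxService.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'cmd.exe /c "C:\Windows\Temp\centre_report.bat"'},
    {"parent": r"C:\Program Files\Triofox\TriofoxService.exe",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'MpCmdRun.exe -Scan -ScanType 3 -File "D:\share\report.docx"'},
]
```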
Read at The Hacker News