- CVE-2025-12480 in Triofox allowed zero-day exploit via incorrect access control
- UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunneling for remote access
- Patch released July 26; newer Triofox version available October 14 for remediation
Popular remote file sharing and collaboration platform Triofox carried a critical vulnerability that was exploited as a zero-day used to deploy a remote access tool that allowed attackers lateral movement.
Security researchers from Google’s Mandiant and its Threat Intelligence Group (GTIG) have flagged that Triofox comes with a built-in antivirus feature that has an “improper access control” flaw that allowed access to the initial setup pages even after setup was complete.
The bug, tracked as CVE-2025-12480 and given a severity score of 9.1/10 (critical), was most likely introduced in early April 2025, was fixed in late July. However, the attacks were discovered almost a month later, suggesting that the victim organization did not apply the patch in time.
Who is UNC6485?
The researchers identified the attackers as UNC6485, an attack cluster that has not been reported previously.
But since Google’s Threat Intelligence Team is known for tracking state-sponsored threat actors, it’s safe to assume that this group could have ties to nation-states and that the goal of the campaign was either data theft or cyber espionage and intelligence gathering.
In the attack, against an unnamed victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk – two legitimate tools that gave them both remote access and lateral movement capabilities.
They also implemented the Plink and PUTTY tools to create an SSH tunnel and forward remote traffic.
The vulnerability was fixed on July 26 with Triofox version 16.7.10368.56560, and users are advised to apply the patch as soon as possible. What’s more, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14th, which would be even better to install if possible.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
