Warning: Critical Vulnerability in Gladinet’s Triofox Allows Authentication Bypass and Code Execution, Patch Immediately!

Published: 12/11/2025

* Last update: 12/11/2025
* Affected software: Gladinet’s Triofox versions prior to 16.7.10368.56560
* Type: Authentication Bypass
* CVE/CVSS: CVE-2025-12480: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Sources

Google Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480

Risks

The vulnerability allows an attacker to bypass authentication and create a new administrator account, thereby gaining access to the web UI. The attacker can then abuse the built-in antivirus feature to achieve code execution on the local host. Successful exploitation requires no prior authentication or user interaction.

Mandiant Threat Defense reports that the vulnerability has been exploited in the wild as early as the 24th of August 2025. The activity is tracked under the threat cluster UNC6485. On the 12th of November 2025, the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog.

Description

CVE-2025-12480 is an Improper Access Control vulnerability that allows an attacker to reach the product’s initial setup pages even after setup has been completed, resulting in an authentication bypass.

This is possible through an HTTP Host header attack: setting the Host header value to localhost bypasses the page-level access controls and exposes the product’s setup page.

If an attacker gains access to the Web UI they can create shares or upload files to existing shares, including malicious batch scripts.

Code execution is possible because the product’s built-in antivirus feature executes a configured scanner on uploaded files. An attacker who controls the scanner command line can point it at a malicious payload. Uploading an arbitrary file to a share will cause the payload to be executed.
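The root cause described above is a page-level access check that trusts the client-supplied Host header as proof that a request is local. The following added example (not Gladinet’s code and not taken from the advisory) contrasts that weak pattern with a hardened check based on the transport-level peer address and the setup-complete state, and then hunts for the bypass pattern in web server access logs. The `/setup` path, the log format and every log line are constructed for the illustration; the real setup page path is not part of this advisory.

```python
"""Host-header trust vs. peer-address check, plus a log hunt for the bypass.

Added illustration, not Gladinet/Triofox code. "/setup" is a placeholder
path and SAMPLE_LOG is a constructed access-log excerpt.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    remote_addr: str  # TCP peer address observed by the server (not forgeable by the client)
    host: str         # HTTP Host header (fully client-controlled)
    path: str


def host_name(host: str) -> str:
    """Strip an optional port: 'localhost:443', '[::1]:443', '127.0.0.1'."""
    if host.startswith("["):
        return host[1:host.index("]")].lower()
    if host.count(":") == 1:
        return host.split(":")[0].lower()
    return host.lower()


def setup_allowed_vulnerable(req: Request, setup_complete: bool) -> bool:
    """Weak pattern: "Host: localhost" is taken to mean "request came from
    the machine itself", and the setup-complete state is never consulted.
    Any remote client can send that header."""
    return host_name(req.host) == "localhost"


def setup_allowed_hardened(req: Request, setup_complete: bool) -> bool:
    """Hardened: setup pages are disabled outright once setup has finished;
    before that, only the transport-level peer address is trusted."""
    if setup_complete:
        return False
    return ipaddress.ip_address(req.remote_addr).is_loopback


# Constructed log format: "<date> <time> <client-ip> <method> <path> <host-header> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<host>\S+) (?P<status>\d{3})$"
)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def suspicious(line: str):
    """Return a finding when a non-loopback client sent a loopback Host header."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the hunt
    client = m["client"]
    try:
        client_is_loopback = ipaddress.ip_address(client).is_loopback
    except ValueError:
        client_is_loopback = False  # hostname or garbage in the client field
    host = host_name(m["host"])
    if host in LOCAL_HOSTS and not client_is_loopback:
        return {"ts": m["ts"], "client": client, "host": host,
                "method": m["method"], "path": m["path"]}
    return None


def hunt(lines):
    """Run the check over a log excerpt and return the list of findings."""
    return [hit for hit in (suspicious(line) for line in lines) if hit]


# Constructed sample: one genuine local request, two spoofed ones, one normal request.
SAMPLE_LOG = """\
2025-08-24 10:02:11 127.0.0.1 GET /setup localhost 200
2025-08-24 10:05:37 203.0.113.5 GET /setup localhost 200
2025-08-24 10:06:02 203.0.113.5 POST /setup localhost 302
2025-08-24 10:07:15 198.51.100.7 GET /login files.example.com 200
""".splitlines()


if __name__ == "__main__":
    spoofed = Request("203.0.113.5", "localhost", "/setup")
    print("vulnerable check lets remote client in:", setup_allowed_vulnerable(spoofed, True))
    print("hardened check lets remote client in:  ", setup_allowed_hardened(spoofed, True))
    for hit in hunt(SAMPLE_LOG):
        print("suspicious:", hit)
```

The hunt only works on logs that record the Host header alongside the client address; if the server sits behind a reverse proxy, the client field will be the proxy’s address, so the real client must be taken from the proxy’s own logs instead. The same caveat applies to `setup_allowed_hardened`: `remote_addr` is only meaningful when the application sees the real peer, not a proxy.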

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.

References
Google Threat Intelligence Github: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12480
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-12480