- CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control
- UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunnels for remote access
- Patch released July 26; the newest version of Triofox, released October 14, is also available for mitigation
Triofox, a popular remote file sharing and collaboration platform, had a critical vulnerability that was exploited as a zero-day to deploy a remote access tool that gave attackers lateral movement capabilities.
Security researchers at Google’s Mandiant and its Threat Intelligence Group (GTIG) noted that Triofox comes with a built-in antivirus feature, which had an “inadequate access control” flaw that allowed access to the initial setup pages even after setup was complete.
The flaw, tracked as CVE-2025-12480 with a severity score of 9.1/10 (critical), was likely introduced in early April 2025 and was fixed in late July. However, the attacks were detected almost a month later, suggesting that the victim organization did not apply the fix in time.
Who is UNC6485?
Researchers identified the attackers as UNC6485, an attack group that had not been reported in the past.
However, since Google’s Threat Intelligence Team is known for tracking state-sponsored threat actors, it is safe to assume that this group could have ties to nation-states and that the goal of the campaign was data theft or cyberespionage and intelligence gathering.
In the attack, against an unnamed victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk, two legitimate tools that granted them remote access and lateral movement capabilities.
They also deployed the Plink and PuTTY tools to create an SSH tunnel and forward remote traffic.
The vulnerability was fixed on July 26 with Triofox version 16.7.10368.56560 and users are advised to apply the patch as soon as possible. What’s more, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14, which would be even better to install, if possible.
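For defenders triaging their own Triofox servers, here is an added example (not from the original article or from Gladinet or Mandiant) that checks an installed build against the two versions above and scans process command lines for the tools named in the attack. The name patterns, status labels, host names and sample records are assumptions constructed for illustration.

```python
import re

# Build numbers from the article: the July 26 fix and the October 14 release.
FIXED = (16, 7, 10368, 56560)
LATEST = (16, 10, 10408, 56683)

# Tools the article names. The patterns are assumptions for illustration:
# binaries can be renamed, so treat a miss as inconclusive.
TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Zoho": re.compile(r"zoho", re.I),
    "Plink/PuTTY": re.compile(r"\b(plink|putty)\b", re.I),
}
# Port-forwarding options documented for plink/putty: -L, -R, -D.
TUNNEL_FLAG = re.compile(r"\s-[LRD]\s")


def patch_status(version_text):
    """Compare numerically: as strings, '16.10' would sort before '16.7'."""
    build = tuple(int(part) for part in version_text.strip().split("."))
    if len(build) != 4:
        raise ValueError(f"expected four-part version, got {version_text!r}")
    if build < FIXED:
        return "below_fixed_build"
    return "latest_or_newer" if build >= LATEST else "fixed"


def hunt(events):
    """Return (host, tool, note) for each command line that matches a tool."""
    findings = []
    for host, cmdline in events:
        for tool, pattern in TOOL_PATTERNS.items():
            if not pattern.search(cmdline):
                continue
            tunnel = tool == "Plink/PuTTY" and TUNNEL_FLAG.search(cmdline)
            findings.append((host, tool, "ssh_tunnel" if tunnel else "present"))
    return findings


# Constructed process-creation records (host, command line); not from the article.
SAMPLE_EVENTS = [
    ("fs01", r"C:\Windows\Temp\plink.exe -R 8000:127.0.0.1:8080 user@192.0.2.10"),
    ("fs01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    ("fs02", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    # "16.6.1.1" is a constructed build number used only to show the comparison.
    for version in ("16.6.1.1", "16.7.10368.56560", "16.10.10408.56683"):
        print(version, patch_status(version))
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

A hit on AnyDesk or Zoho only means the tool is present, so compare it against what IT has approved before treating it as suspicious.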
Via BleepingComputer




