Mandiant Threat Defence has found another zero-day affecting file-sharing software, with attackers abusing anti-virus features in Gladinet’s Triofox.

The flaw, CVE-2025-12480 (CVSS 9.1) and now patched, was being abused by a threat cluster tracked as UNC6485 as early as August 2025, according to the Google Threat Intelligence Group (GTIG).

GTIG Principal Threat Analyst Austin Larsen said attackers had exploited the flaw by “simply spoofing the HTTP Host header to 'localhost'” and then creating a new native Cluster Admin account.
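The bug class Larsen describes is an access check that decides "this request came from the local machine" by reading a value the client controls. The Python below is an added illustration of that pattern and of a log check for it; it is constructed for this article, not Triofox's code, and the endpoint name, log format and `create_cluster_admin` helper are invented for the demonstration:

```python
"""Constructed illustration of Host-header trust (example code, not Triofox's).

A hypothetical local-only admin bootstrap endpoint is gated on an
"is this request local?" check. The vulnerable version answers that from
the HTTP Host header, which any remote client can set to 'localhost'; the
hardened version answers it from the TCP peer address of the accepted
socket. A small detection routine then flags the spoof in access logs.
"""
import ipaddress
from dataclasses import dataclass, field

# Host values a naive "local" check would accept.
LOOPBACK_HOST_NAMES = {"localhost", "127.0.0.1", "::1", "[::1]"}


@dataclass
class Request:
    remote_addr: str                      # peer address seen by the server socket
    headers: dict = field(default_factory=dict)
    path: str = "/"


def host_without_port(host: str) -> str:
    """'localhost:443' -> 'localhost'; '[::1]:443' -> '[::1]'; '::1' unchanged."""
    host = host.strip()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_local_vulnerable(req: Request) -> bool:
    """Vulnerable: trusts the client-supplied Host header."""
    host = host_without_port(req.headers.get("Host", "")).lower()
    return host in LOOPBACK_HOST_NAMES


def is_local_hardened(req: Request) -> bool:
    """Hardened: uses the socket peer address, which headers cannot influence."""
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def create_cluster_admin(req: Request, username: str, is_local, admins: set) -> int:
    """Hypothetical bootstrap endpoint; returns an HTTP-style status code."""
    if not is_local(req):
        return 403
    admins.add(username)
    return 201


# Constructed access log (not real Triofox/IIS output): remote_ip host path status
SAMPLE_LOG = """\
203.0.113.7 localhost /admin/setup.aspx 200
127.0.0.1 localhost /admin/setup.aspx 200
203.0.113.7 files.example.com /index.aspx 200
198.51.100.22 127.0.0.1:443 /admin/setup.aspx 200
"""


def find_spoofed_localhost(log_text: str) -> list:
    """Return (remote_ip, path) for requests whose Host claims loopback
    but whose TCP peer is not a loopback address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        remote_ip, host, path = parts[0], parts[1], parts[2]
        claims_local = host_without_port(host).lower() in LOOPBACK_HOST_NAMES
        try:
            peer_is_local = ipaddress.ip_address(remote_ip).is_loopback
        except ValueError:
            peer_is_local = False
        if claims_local and not peer_is_local:
            hits.append((remote_ip, path))
    return hits


if __name__ == "__main__":
    attacker = Request("203.0.113.7", {"Host": "localhost"}, "/admin/setup.aspx")
    print(create_cluster_admin(attacker, "backdoor", is_local_vulnerable, set()))  # 201
    print(create_cluster_admin(attacker, "backdoor", is_local_hardened, set()))    # 403
    print(find_spoofed_localhost(SAMPLE_LOG))
```

Two caveats for anyone adapting the check: behind a reverse proxy the peer address is the proxy, so the hardened test must be applied at the proxy (or the proxy must set and the app must trust only a known forwarding header), and a stock IIS log does not record the Host header unless the cs-host field is enabled, so the detection above only works on logs that capture it.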


He said: “They then cleverly abuse the legitimate Triofox anti-virus feature to execute malicious payloads, leading to full system compromise.”

Attackers have been seen deploying commercial remote access tools, including Zoho UEMS and AnyDesk, and establishing reverse SSH tunnels to maintain access to breached systems.

The vulnerability is patched in Triofox release 16.7.10368.56560. All users are urged to patch immediately and to review their systems for rogue admin accounts and for modifications to the Antivirus Engine settings.

Gladinet’s bad year

The disclosure comes a week after CISA added an unauthenticated local file inclusion flaw, CVE-2025-11371, in Triofox and Gladinet's cloud file-sharing platform CentreStack to its Known Exploited Vulnerabilities (KEV) catalogue.

Research shared by Huntress Labs on October 9 said attackers had exploited that vulnerability to execute a base64-encoded payload. It was patched in CentreStack version 16.10.10408.56683 on October 14.

In April, Huntress posted about another CentreStack and Triofox vulnerability, the CVSS 9.0-rated CVE-2025-30406, after seeing exploitation in the wild by attackers aiming to abuse it for remote code execution.

File-sharing continues to be hit

The attacks are the latest to focus on file-sharing platforms, with Citrix ShareFile, SolarWinds’ Serv-U, and Fortra’s GoAnywhere all hit in the wild in recent years.

Ransomware groups have been the primary perpetrators, exploiting the trusted access granted to such platforms to an often broad list of systems, with the Cl0p group seen exploiting vulnerabilities in Cleo’s MFT software in 2024.

Cl0p was also responsible for exploitation of the critical MOVEit vulnerability in 2023, focussing on threats to leak data it had exfiltrated rather than shutting down the systems of its victims.

Mandiant did not make reference to any ransomware-related exploitation of CVE-2025-12480 in its research.
