CVE-2025-12480 Detection: Hackers Exploit the Now-Patched Unauthenticated Access Control Vulnerability in Gladinet’s Triofox
ID: 658c446a-a2af-58e8-80e9-5757258dd366
STIX ID: report--658c446a-a2af-58e8-80e9-5757258dd366
Feed Name: SOC Prime Blog
Mandiant disclosed CVE-2025-12480, a Triofox zero-day (CVSS 9.1) actively exploited by UNC6485 to bypass authentication, create an admin account, and run arbitrary scripts as SYSTEM via the antivirus path. The attackers deployed remote access tools (Zoho Assist, AnyDesk), used SSH tunneling and toolsets like Plink/PuTTY, and leveraged IP 84.200.80.252 for payload delivery. Users should upgrade to the patched Triofox version and audit admin accounts and antivirus configurations.
