No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

ID: 39777307-8898-5150-a4e4-d0590baaed9e

STIX ID: report--39777307-8898-5150-a4e4-d0590baaed9e

Feed Name: Threat Intelligence

Threat Score: 80/100

Date Published: 2025-11-10

Date Updated: 2026-04-27

Author: Mandiant

Mandiant reports that an unauthenticated access vulnerability (CVE-2025-12480) in Gladinet Triofox (version 16.4.10317.56372) was actively exploited by a GTIG-tracked cluster (UNC6485). The actor used it to create a native admin account, upload and execute payloads, and tunnel RDP via PLINK. The issue was fixed in a later Triofox release, and Mandiant validated the remediation.