Cyber Posture

CVE-2025-12480

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 10 November 2025
Modified: 14 November 2025
KEV Added: 12 November 2025
Patch: available
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.7832 (99.0th percentile)
Risk Priority: 85 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Enforces approved authorizations for access to system resources, directly preventing unauthorized remote access to initial setup pages after completion.

prevent: Establishes secure configuration settings to disable or restrict access to setup interfaces post-initialization, mitigating the improper access control flaw.

prevent: Applies least privilege to limit access to sensitive setup functions only to necessary initial configuration activities.

Security Summary (AI-generated)

CVE-2025-12480 is an Improper Access Control vulnerability (CWE-284) affecting Triofox versions prior to 16.7.10368.56560. The flaw enables unauthorized access to initial setup pages even after the setup process has been completed. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network to access the setup pages, achieving high impacts on confidentiality and integrity with no availability disruption. Exploitation allows manipulation of sensitive setup functions post-initialization, potentially enabling unauthorized configuration changes or administrative control.

Advisories from Mandiant (MNDT-2025-0008), Google Cloud Threat Intelligence, Triofox release history, and the vendor site outline the issue and remediation. Triofox addresses the vulnerability in version 16.7.10368.56560 and later. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-12480 to its Known Exploited Vulnerabilities Catalog, signaling active real-world exploitation and urging federal agencies to apply mitigations immediately.

Details

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 12 November 2025

Affected Products

Vendor: gladinet
Product: triofox
Versions: ≤ 16.7.10368.56560

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Create Account: Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

CVE-2025-12480 enables unauthenticated remote access to Triofox setup pages via HTTP Host header spoofing (T1190: Exploit Public-Facing Application), facilitating creation of local native admin accounts (T1136.001: Create Local Account) for subsequent payload upload and execution.
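The chain described above (setup pages still reachable after setup, gated on a client-controlled Host header) is shown here from the defender's side as an added illustration; this is not Triofox's code nor anything from the Mandiant advisory. It pairs a server-side gate that closes setup pages on a persisted flag and only honours an operator-configured Host allowlist with a check over constructed access-log lines for setup-page requests that were nevertheless served. The `/setup/` prefix, the hostnames, the client addresses and the log format are all assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical first-run setup path prefix; Triofox's real paths are not on this page.
SETUP_PREFIX = "/setup/"

def _hostname(host: str) -> str:
    # Strip an optional :port; "[::1]:443" becomes "[::1]". Empty header stays empty.
    return host.rsplit(":", 1)[0].lower() if host else ""

@dataclass(frozen=True)
class SetupGuard:
    """Server-side gate for first-run setup pages.

    Neither decision trusts the client-supplied Host header on its own: a persisted
    'setup complete' flag closes the setup pages for good, and the Host header must
    match an explicit allowlist configured by the operator (not a localhost check)."""
    setup_complete: bool
    allowed_hosts: frozenset

    def allow(self, path: str, host: str) -> tuple:
        if _hostname(host) not in self.allowed_hosts:
            return False, "host-not-allowlisted"
        if path.startswith(SETUP_PREFIX) and self.setup_complete:
            return False, "setup-already-complete"
        return True, "ok"

# Constructed access-log lines (not real Triofox logs): client, Host header, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) host="(?P<host>[^"]*)" "(?P<method>\w+) (?P<path>\S+)" (?P<status>\d{3})$')

SAMPLE_LOG = """\
203.0.113.10 host="files.example.test" "GET /portal/login" 200
198.51.100.7 host="localhost" "GET /setup/admin" 200
198.51.100.7 host="localhost" "POST /setup/admin" 302
203.0.113.10 host="files.example.test" "GET /setup/admin" 403
"""

def find_setup_access(log_text: str, allowed_hosts: frozenset) -> list:
    """Return (client, path, reason) for setup-page requests that were served (status
    below 400) on a system whose setup is complete; a Host header outside the
    allowlist is flagged in the reason as well. Both are worth an alert for this CVE class."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(SETUP_PREFIX) or int(m["status"]) >= 400:
            continue
        reason = "setup-page-served-after-setup"
        if _hostname(m["host"]) not in allowed_hosts:
            reason += "+host-mismatch"
        hits.append((m["client"], m["path"], reason))
    return hits
```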
