Cyber Posture

CVE-2025-12480

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 10 November 2025
Modified: 14 November 2025
KEV Added: 12 November 2025
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.7832 (99.0th percentile)
Risk Priority: 85 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12480 is a critical-severity Improper Access Control (CWE-284) vulnerability in Gladinet Triofox. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing unauthorized remote access to initial setup pages after completion.

CM-6 Configuration Settings (prevent)
Establishes secure configuration settings to disable or restrict access to setup interfaces post-initialization, mitigating the improper access control flaw.

AC-6 Least Privilege (prevent)
Applies least privilege to limit access to sensitive setup functions only to necessary initial configuration activities.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.

Why these techniques?

CVE-2025-12480 enables unauthenticated remote access to Triofox setup pages via HTTP Host header spoofing (T1190: Exploit Public-Facing Application), facilitating creation of local native admin accounts (T1136.001: Create Local Account) for subsequent payload upload and execution.

NVD Description

Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

Deeper analysis

CVE-2025-12480 is an Improper Access Control vulnerability (CWE-284) affecting Triofox versions prior to 16.7.10368.56560. The flaw enables unauthorized access to initial setup pages even after the setup process has been completed. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network to access the setup pages, achieving high impacts on confidentiality and integrity with no availability disruption. Exploitation allows manipulation of sensitive setup functions post-initialization, potentially enabling unauthorized configuration changes or administrative control.

Advisories from Mandiant (MNDT-2025-0008), Google Cloud Threat Intelligence, Triofox release history, and the vendor site outline the issue and remediation. Triofox addresses the vulnerability in version 16.7.10368.56560 and later. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-12480 to its Known Exploited Vulnerabilities Catalog, signaling active real-world exploitation and urging federal agencies to apply mitigations immediately.
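The mechanism described above (a client-controlled Host header deciding whether a setup page is reachable, and no re-check of setup state once setup is complete) is easiest to see next to its corrected form. The following is an added example, not Gladinet or Triofox code: it models the flawed gate beside a hardened one that ties setup routes to a persisted setup-complete flag, a server-side Host allowlist, and the TCP peer address, and it scans access-log lines for setup-page requests served after setup completed. The `/setup/` prefix, the hostname `triofox.example.internal`, the timestamps and the log lines are all constructed for illustration.

```python
"""Added example (not Gladinet/Triofox code): a first-run setup gate that
stays closed after setup completes, next to the flawed pattern the advisory
describes, plus a scan of access-log lines for post-setup setup-page hits.
Path prefix, hostnames, dates and log lines are constructed for illustration."""
import re
from datetime import datetime

SETUP_PREFIX = "/setup/"                        # hypothetical setup-page path prefix
TRUSTED_HOSTS = {"triofox.example.internal"}    # constructed server-side Host allowlist
LOOPBACK_IPS = {"127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def weak_gate(path: str, host_header: str, peer_ip: str, setup_complete: bool) -> bool:
    """Flawed pattern (CWE-284): 'is this a local request?' is answered from the
    client-supplied Host header, and setup state is never re-checked.
    Returns True when the request is allowed."""
    if not path.startswith(SETUP_PREFIX):
        return True
    # Any remote client can send 'Host: localhost' and pass this test,
    # regardless of peer_ip or setup_complete (both are ignored here).
    return host_header.split(":")[0].lower() in LOOPBACK_NAMES


def hardened_gate(path: str, host_header: str, peer_ip: str, setup_complete: bool) -> bool:
    """Corrected pattern (AC-3 access enforcement, CM-6 secure configuration,
    AC-6 least privilege): Host must match a configured allowlist, setup routes
    are refused once a persisted setup-complete flag is set, and 'local' is
    decided from the TCP peer address rather than from any header."""
    if host_header.split(":")[0].lower() not in TRUSTED_HOSTS:
        return False                    # unexpected Host header is rejected outright
    if not path.startswith(SETUP_PREFIX):
        return True
    if setup_complete:
        return False                    # setup pages are dead after first run
    return peer_ip in LOOPBACK_IPS      # first run: only the local operator


# Constructed access-log lines: Common Log Format with the Host header appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host=(?P<host>\S+)$'
)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:14:02:11 +0000] "GET /setup/init HTTP/1.1" 200 5120 host=localhost
198.51.100.4 - - [10/Nov/2025:14:02:40 +0000] "GET /portal/login HTTP/1.1" 200 3311 host=triofox.example.internal
127.0.0.1 - - [01/Sep/2025:09:00:00 +0000] "GET /setup/init HTTP/1.1" 200 5120 host=localhost
"""


def find_suspicious_setup_hits(log_text: str, setup_completed_at: str):
    """Return (client_ip, path, reasons) for setup-page requests that were served
    (HTTP 200) after setup completed, or that carry a loopback Host header from a
    non-loopback client. setup_completed_at is an ISO-8601 timestamp with offset."""
    cutoff = datetime.fromisoformat(setup_completed_at)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(SETUP_PREFIX) or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reasons = []
        if ts >= cutoff:
            reasons.append("setup page served after setup completed")
        if m["host"].split(":")[0].lower() in LOOPBACK_NAMES and m["ip"] not in LOOPBACK_IPS:
            reasons.append(f"loopback Host header {m['host']!r} from non-loopback client")
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings


def demo():
    """Scan the constructed sample log with setup marked complete on a
    constructed date (2025-09-02)."""
    return find_suspicious_setup_hits(SAMPLE_LOG, "2025-09-02T00:00:00+00:00")


if __name__ == "__main__":
    for ip, path, reasons in demo():
        print(ip, path, "; ".join(reasons))
```

On the sample log, the legitimate first-run hit from 127.0.0.1 in September is silent, while the November request from 203.0.113.7 carrying `Host: localhost` is reported on both counts. The same two conditions are what `hardened_gate` enforces at request time, so the scan doubles as a check that the gate is actually in place on a deployed instance.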

Details

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 12 November 2025

Affected Products

gladinet / triofox: ≤ 16.7.10368.56560

CVEs Like This One

CVE-2025-11371 · Same product: Gladinet Triofox · both on KEV
CVE-2025-14611 · Same product: Gladinet Triofox · both on KEV
CVE-2026-35616 · Shared CWE-284 · both on KEV
CVE-2025-24989 · Shared CWE-284 · both on KEV
CVE-2025-59230 · Shared CWE-284 · both on KEV
CVE-2025-31125 · Shared CWE-284 · both on KEV
CVE-2025-64066 · Shared CWE-284
CVE-2025-66956 · Shared CWE-284
CVE-2026-30707 · Shared CWE-284
CVE-2025-23243 · Shared CWE-284

References