MNDT-2025-0008

Description
Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to the initial setup pages even after setup is complete.

Impact
High: This vulnerability enables an adversary to circumvent authentication/login controls, allowing them to create a new administrator account and gain access to the WebUI using this account. An attacker can then abuse the built-in AV feature to achieve code execution on the localhost.

Exploitability
High: Any unauthenticated user can exploit the vulnerability to gain access to the WebUI and achieve code execution on the host via AV abuse.

CVE ID
CVE-2025-12480

Common Weakness Enumeration
CWE-284: Improper Access Control

Details
Adversaries may target vulnerable Triofox instances by conducting an HTTP Host header attack. By setting the Host value to localhost, an attacker can bypass the remaining access controls on the page and reach the setup page. On gaining access to the WebUI, an attacker can publish new shares or upload files, including malicious batch scripts, to existing shares. To achieve code execution, an attacker can abuse the built-in AV feature: the AV command-line scanner can be pointed at any uploaded malicious payload, and uploading an arbitrary file to any share then triggers the payload.

Impacted Configurations
Versions prior to 16.7.10368.56560

CVSS
CVSS 9.1 (Critical)
Formula: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Resolution
Install Triofox version 16.7.10368.56560 or higher to remediate this vulnerability.

Discovery Credits
Stallone D'Souza, Mandiant

Disclosure Timeline
October 4, 2025 - Contact initiated with Gladinet about suspected vulnerability
October 8, 2025 - Confirmed Improper Access Control vulnerability
October 24, 2025 - Gladinet reviewed and acknowledged Mandiant's findings
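The root cause described under Details is an access check that trusts the attacker-controlled Host header as proof that a request is local. The following added example (not Mandiant's or Gladinet's code) shows the hardened gate a setup endpoint should use, which relies on the real peer address and closes entirely once setup is complete, together with a detection pass over constructed proxy log lines that flags requests claiming a loopback Host while arriving from a non-loopback client. The log format, the "/setup" path and the numeric loopback spellings are assumptions made for the example.

```python
import ipaddress

# Host header values an application might wrongly accept as proof the request is local.
# "localhost" is the value named in the advisory; the numeric forms are an added assumption.
LOOPBACK_HOST_VALUES = {"localhost", "127.0.0.1", "[::1]"}

def is_loopback_client(client_ip: str) -> bool:
    """True only when the TCP peer address itself is loopback (what a Host header cannot prove)."""
    try:
        return ipaddress.ip_address(client_ip).is_loopback
    except ValueError:
        return False

def host_claims_local(host_header: str) -> bool:
    """True when the Host header names loopback, ignoring any :port suffix."""
    h = host_header.strip().lower()
    h = h.split("]", 1)[0] + "]" if h.startswith("[") else h.split(":", 1)[0]
    return h in LOOPBACK_HOST_VALUES

def setup_page_allowed(client_ip: str, setup_complete: bool) -> bool:
    """Hardened gate for a setup endpoint: closed once setup is done, and before that
    decided by the real peer address, never by the attacker-controlled Host header."""
    return not setup_complete and is_loopback_client(client_ip)

def find_spoofed_local_requests(log_lines):
    """Return (client_ip, host_header, path) for requests that present a loopback Host
    while arriving from a non-loopback peer. Each line uses the constructed format
    '<client_ip> <host_header> <method> <path> <status>' (hypothetical proxy log, not Triofox's)."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole scan
        client_ip, host_header, _method, path, _status = parts
        if host_claims_local(host_header) and not is_loopback_client(client_ip):
            findings.append((client_ip, host_header, path))
    return findings

# Constructed sample log; "/setup" is a placeholder path, not the product's real setup URL.
SAMPLE_LOG = [
    "203.0.113.7 localhost GET /setup 200",
    "127.0.0.1 localhost GET /setup 200",
    "203.0.113.7 files.example.com GET /login 200",
    "198.51.100.4 127.0.0.1:8080 POST /setup 302",
    "198.51.100.9 [::1]:443 GET /setup 200",
]
```

Running `find_spoofed_local_requests(SAMPLE_LOG)` flags the three external clients that sent a loopback Host value and leaves the genuine 127.0.0.1 request alone.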