CVE-2025-12480

Gladinet Triofox Improper Access Control Exploitation Detected

Detects exploitation attempts targeting CVE-2025-12480, an improper access control vulnerability (CWE-284) in Gladinet Triofox. The vulnerability allows attackers to bypass access controls and potentially gain unauthorized access to file storage and collaboration resources. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and active exploitation has been observed in the wild.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Gladinet
Product
Triofox

Weakness (CWE)
CWE-284 (Improper Access Control)

Timeline

Disclosed
November 12, 2025

CVSS

Unscored
Write-up coming soon

What is CVE-2025-12480 Gladinet Triofox Improper Access Control Exploitation Detected?

Gladinet Triofox Improper Access Control Exploitation Detected (CVE-2025-12480) maps to the MITRE ATT&CK tactics Initial Access, Persistence and Credential Access; in ATT&CK terms, the adversary is trying to get into your network.

This page provides production-ready detection logic for Gladinet Triofox Improper Access Control Exploitation Detected, covering the data sources and telemetry it touches: DeviceNetworkEvents, W3CIISLog, SecurityEvent, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Persistence Credential Access
Microsoft Sentinel / Defender
kusto
// Ports on which the Triofox web front end is commonly served
let TriofoxPorts = dynamic([80, 443, 8080, 8443]);
// Paths whose access control is of interest for CVE-2025-12480
let SuspiciousEndpoints = dynamic(['/api/', '/fileupload', '/download', '/share', '/admin', '/user/login', '/token']);
union isfuzzy=true
(
  // Endpoint telemetry: network connections initiated by Triofox / CentreStack processes
  DeviceNetworkEvents
  | where RemotePort in (TriofoxPorts)
  | where InitiatingProcessFileName has_any ('triofox', 'CentreStack', 'GladinetServer')
  | extend EventSource = 'DeviceNetworkEvents'
),
(
  // IIS access logs. The W3CIISLog columns are csMethod and scStatus (not cs-method / sc-status);
  // scStatus is stored as a string, so it is converted before the numeric comparison.
  W3CIISLog
  | where csUriStem has_any (SuspiciousEndpoints)
  | where toint(scStatus) in (200, 201, 301, 302, 401, 403, 500)
  | where csMethod in ('GET', 'POST', 'PUT', 'DELETE', 'PATCH')
  | extend EventSource = 'W3CIISLog'
),
(
  // Windows logon / privilege events attributed to the Triofox process
  SecurityEvent
  | where EventID in (4624, 4625, 4648, 4672)
  | where ProcessName has_any ('triofox', 'CentreStack')
  | extend EventSource = 'SecurityEvent'
)
// Aggregate per 5-minute window and client address; columns absent from a source are null
| summarize
    RequestCount = count(),
    DistinctURIs = dcount(csUriStem),
    StatusCodes = make_set(toint(scStatus)),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by bin(TimeGenerated, 5m), ClientIP = coalesce(cIP, RemoteIP, IpAddress), EventSource
// Alert on request volume or path breadth within the window
| where RequestCount > 20 or DistinctURIs > 5
| extend AlertSeverity = iff(RequestCount > 100, 'High', 'Medium')
| project TimeGenerated, ClientIP, RequestCount, DistinctURIs, StatusCodes, FirstSeen, LastSeen, AlertSeverity, EventSource

Detects anomalous access patterns against Gladinet Triofox endpoints indicative of CVE-2025-12480 improper access control exploitation, including high-frequency requests, access to admin/API paths, and authentication bypass patterns.

Severity: critical. Confidence: medium.

Data Sources

DeviceNetworkEvents W3CIISLog SecurityEvent AzureActivity

Required Tables

DeviceNetworkEvents W3CIISLog SecurityEvent

False Positives

  • Legitimate batch file synchronization operations from Triofox desktop clients performing large sync jobs
  • Automated backup tools or scheduled tasks accessing Triofox APIs at high frequency
  • Security scanners or vulnerability assessment tools running against the Triofox server
  • Load balancer health checks hitting authentication or API endpoints repeatedly

Sigma rule & cross-platform mapping

The detection logic for Gladinet Triofox Improper Access Control Exploitation Detected (CVE-2025-12480) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Triofox Unauthenticated Admin Endpoint Probe

    Expected signal: IIS access log entries showing GET requests to /api/user/list, /admin/dashboard, /admin/users, /token, /api/settings from the test machine IP without authentication headers. Windows Security Event ID 4625 may appear if the application logs failed authentication attempts.

  2. Test 2: Triofox Token Endpoint Brute Force Simulation

    Expected signal: IIS log entries showing 30 POST requests to /token from the test IP within seconds, with HTTP 401 or 200 response codes. Application-level Triofox logs may record authentication attempts.

  3. Test 3: Triofox File Access Path Traversal Probe

    Expected signal: Windows Security event logs and IIS access logs recording HTTP GET requests to file-related Triofox endpoints without valid session tokens. Network telemetry in CrowdStrike or EDR showing outbound HTTP connections from the test machine to the Triofox server.
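To check the W3CIISLog branch of the KQL rule above offline and confirm that the Test 2 signal (30 POSTs to /token within seconds) trips it, here is an added Python re-implementation of the rule's filter, 5-minute binning, thresholds and severity logic; it is not code from the detection page or from Gladinet. The W3C field order, the TEST-NET client addresses and the timestamps in the sample log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Filters and thresholds copied from the KQL rule on this page.
SUSPICIOUS_ENDPOINTS = ('/api/', '/fileupload', '/download', '/share', '/admin', '/user/login', '/token')
STATUS_CODES = {200, 201, 301, 302, 401, 403, 500}
METHODS = {'GET', 'POST', 'PUT', 'DELETE', 'PATCH'}

def parse_w3c_line(line):
    """Parse one IIS W3C line with fields: date time c-ip cs-method cs-uri-stem sc-status."""
    date, time, c_ip, method, uri, status = line.split()
    return {"ts": datetime.fromisoformat(f"{date}T{time}"), "cIP": c_ip,
            "csMethod": method, "csUriStem": uri, "scStatus": int(status)}

def evaluate(lines):
    """W3CIISLog branch of the rule: filter, bin(5m) per client IP, threshold, severity."""
    buckets = defaultdict(list)
    for line in lines:
        if not line or line.startswith('#'):  # W3C directive / header lines
            continue
        ev = parse_w3c_line(line)
        # KQL has_any is term-based; substring matching approximates it here.
        if not any(e in ev["csUriStem"] for e in SUSPICIOUS_ENDPOINTS):
            continue
        if ev["scStatus"] not in STATUS_CODES or ev["csMethod"] not in METHODS:
            continue
        ts = ev["ts"]
        bin_start = ts.replace(minute=ts.minute // 5 * 5, second=0, microsecond=0)
        buckets[(bin_start, ev["cIP"])].append(ev)
    alerts = []
    for (bin_start, client_ip), evs in buckets.items():
        request_count = len(evs)
        distinct_uris = len({e["csUriStem"] for e in evs})
        if request_count > 20 or distinct_uris > 5:  # rule threshold
            alerts.append({"TimeGenerated": bin_start, "ClientIP": client_ip,
                           "RequestCount": request_count, "DistinctURIs": distinct_uris,
                           "StatusCodes": sorted({e["scStatus"] for e in evs}),
                           "AlertSeverity": "High" if request_count > 100 else "Medium"})
    return alerts

# Constructed sample log (not real telemetry): Test 2's 30 POSTs to /token within
# seconds from one client (TEST-NET address), plus two ordinary downloads from another.
SAMPLE_LOG = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
SAMPLE_LOG += [f"2025-11-13 10:00:{i:02d} 203.0.113.10 POST /token 401" for i in range(30)]
SAMPLE_LOG += ["2025-11-13 10:01:00 198.51.100.5 GET /download 200",
               "2025-11-13 10:01:30 198.51.100.5 GET /download 200"]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

The benign client's two downloads fall on a listed path but stay under both thresholds, which is the same reason the sync and backup clients listed under False Positives only alert when they burst past 20 requests or 5 distinct paths in a window.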

Unlock Pro Content

Get the full detection package for CVE-2025-12480 including response playbook, investigation guide, and atomic red team tests.
