Which SIEM platforms have a CVE-2025-12480 detection rule?

df00tech provides CVE-2025-12480 (Gladinet Triofox Improper Access Control Exploitation Detected) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2025-12480 detection?

The CVE-2025-12480 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2025-12480?

Common false positives for CVE-2025-12480 include: Legitimate batch file synchronization operations from Triofox desktop clients performing large sync jobs; Automated backup tools or scheduled tasks accessing Triofox APIs at high frequency; Security scanners or vulnerability assessment tools running against the Triofox server.

CVE-2025-12480 Elastic Security · Elastic

Detect Gladinet Triofox Improper Access Control Exploitation Detected in Elastic Security

Q: What data sources are required to detect Gladinet Triofox Improper Access Control Exploitation Detected (CVE-2025-12480)?

Detecting Gladinet Triofox Improper Access Control Exploitation Detected requires the following data sources: DeviceNetworkEvents, W3CIISLog, SecurityEvent, AzureActivity.

Detects exploitation attempts targeting CVE-2025-12480, an improper access control vulnerability (CWE-284) in Gladinet Triofox. This vulnerability allows attackers to bypass access controls, potentially gaining unauthorized access to file storage and collaboration resources. Listed as a CISA Known Exploited Vulnerability, active exploitation has been observed in the wild.

MITRE ATT&CK

Tactic: Initial Access Persistence Credential Access

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by source.ip with maxspan=5m
  [network where network.protocol == "http" and
   (url.path : ("/api/*", "/admin/*", "/user/login*", "/token*", "/share/*") or
    process.name : ("triofox*", "CentreStack*", "gladinet*")) and
   http.request.method in ("GET", "POST", "PUT", "DELETE", "PATCH")] with runs=10
  [network where network.protocol == "http" and
   http.response.status_code in (200, 201, 403) and
   url.path : ("/admin/*", "/user/login*", "/token*")]

critical severity medium confidence

EQL sequence detection for CVE-2025-12480 identifying rapid repeated HTTP requests to Triofox endpoints followed by successful or forbidden responses, indicating access control bypass probing.

Data Sources

Elastic Network LogsElastic EndpointFilebeat IIS Module

Required Tables

logs-*filebeat-*winlogbeat-*

False Positives & Tuning

Bulk file sync clients hitting API endpoints in rapid succession from trusted source IPs
Triofox internal health monitoring probing authentication endpoints
Authorized API integrations with high request rates from known service accounts
Browser preloading or caching behaviors generating multiple rapid requests

Other platforms for CVE-2025-12480

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Triofox Unauthenticated Admin Endpoint Probe
Expected signal: IIS access log entries showing GET requests to /api/user/list, /admin/dashboard, /admin/users, /token, /api/settings from the test machine IP without authentication headers. Windows Security Event ID 4625 may appear if the application logs failed authentication attempts.
Test 2Triofox Token Endpoint Brute Force Simulation
Expected signal: IIS log entries showing 30 POST requests to /token from the test IP within seconds, with HTTP 401 or 200 response codes. Application-level Triofox logs may record authentication attempts.
Test 3Triofox File Access Path Traversal Probe
Expected signal: Windows Security event logs and IIS access logs recording HTTP GET requests to file-related Triofox endpoints without valid session tokens. Network telemetry in CrowdStrike or EDR showing outbound HTTP connections from the test machine to the Triofox server.

Last updated: 2026-06-19 Research depth: standard

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2025-12480 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0003Persistence TA0006Credential Access

Related Techniques

T1190Exploit Public-Facing Application T1078Valid Accounts T1530Data from Cloud Storage

Detect Gladinet Triofox Improper Access Control Exploitation Detected in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-12480

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-12480

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox