Detect Gladinet Triofox Improper Access Control Exploitation Detected in Splunk
Detects exploitation attempts targeting CVE-2025-12480, an improper access control vulnerability (CWE-284) in Gladinet Triofox. This vulnerability allows attackers to bypass access controls, potentially gaining unauthorized access to file storage and collaboration resources. Listed as a CISA Known Exploited Vulnerability, active exploitation has been observed in the wild.
MITRE ATT&CK
SPL Detection Query
index=web OR index=iis OR index=windows sourcetype IN ("iis", "ms:iis:auto", "WinEventLog:Security", "XmlWinEventLog:Security")
| eval is_triofox_path=if(match(uri_path, "(?i)(/api/|/fileupload|/download|/share|/admin|/user/login|/token)"), 1, 0)
| eval is_triofox_proc=if(match(process, "(?i)(triofox|centrestack|gladinet)"), 1, 0)
| where is_triofox_path=1 OR is_triofox_proc=1
| eval auth_bypass=if(status IN ("200","201") AND match(uri_path, "(?i)(/admin|/user/login|/token)"), 1, 0)
| eval anomalous_method=if(method IN ("DELETE","PUT","PATCH") AND match(uri_path, "(?i)/admin"), 1, 0)
| bucket _time span=5m
| stats
count AS request_count,
dc(uri_path) AS distinct_uris,
values(status) AS status_codes,
sum(auth_bypass) AS auth_bypass_hits,
sum(anomalous_method) AS anomalous_method_hits,
earliest(_time) AS first_seen,
latest(_time) AS last_seen
BY _time, src_ip
| where request_count > 20 OR auth_bypass_hits > 3 OR anomalous_method_hits > 1
| eval severity=case(auth_bypass_hits > 5, "critical", request_count > 100, "high", true(), "medium")
| eval cve="CVE-2025-12480"
| table _time, src_ip, request_count, distinct_uris, status_codes, auth_bypass_hits, anomalous_method_hits, severity, cve, first_seen, last_seen
| sort -severity, -request_countSplunk query detecting CVE-2025-12480 exploitation against Gladinet Triofox by identifying high-frequency requests, authentication bypass attempts, and anomalous HTTP methods targeting administrative and API endpoints.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Triofox desktop client bulk synchronization creating high request volumes from known IPs
- Authorized penetration testing or vulnerability scanning against the Triofox instance
- Monitoring agents or health-check systems polling authentication endpoints
- Administrative scripts performing batch user management operations via the API
Other platforms for CVE-2025-12480
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Triofox Unauthenticated Admin Endpoint Probe
Expected signal: IIS access log entries showing GET requests to /api/user/list, /admin/dashboard, /admin/users, /token, /api/settings from the test machine IP without authentication headers. Windows Security Event ID 4625 may appear if the application logs failed authentication attempts.
- Test 2Triofox Token Endpoint Brute Force Simulation
Expected signal: IIS log entries showing 30 POST requests to /token from the test IP within seconds, with HTTP 401 or 200 response codes. Application-level Triofox logs may record authentication attempts.
- Test 3Triofox File Access Path Traversal Probe
Expected signal: Windows Security event logs and IIS access logs recording HTTP GET requests to file-related Triofox endpoints without valid session tokens. Network telemetry in CrowdStrike or EDR showing outbound HTTP connections from the test machine to the Triofox server.
Unlock Pro Content
Get the full detection package for CVE-2025-12480 including response playbook, investigation guide, and atomic red team tests.