Saved February 14, 2026
Do you care about this?
This article details a vulnerability in Triofox that allowed unauthenticated remote access, enabling attackers to bypass authentication and execute arbitrary code. Mandiant discovered that this flaw was exploited by a threat group, allowing them to create admin accounts and run malicious scripts. The issue has been patched in newer versions of the software.
If you do, here's more
A serious vulnerability, identified as CVE-2025-12480, has been discovered in Gladinet's Triofox file-sharing platform. This flaw allowed attackers to bypass authentication and access sensitive application configuration pages. By exploiting this, attackers could upload and execute arbitrary payloads. The vulnerability was first exploited by a threat group known as UNC6485, which combined it with a built-in anti-virus feature to execute code. Gladinet has since released a fix in version 16.7.10368.56560.
During an investigation by Mandiant, an anomalous HTTP log entry was detected, showing a suspicious GET request with the "localhost" host header. This type of request, coming from an external source, indicated a manipulation of the Host header, a common tactic in HTTP host header attacks. By changing the Host header to "localhost," attackers gained access to the `AdminDatabase.aspx` page, which is otherwise protected by access controls. This flaw allowed them to create a new admin account and conduct further malicious activities.
The investigation revealed that the underlying access control mechanism for the `AdminDatabase.aspx` page relied heavily on the Host header value. If it matched "localhost," the system would skip all other security checks, making it vulnerable to exploitation. Mandiant confirmed the severity of the flaw through testing, where they demonstrated that attackers could exploit this oversight to gain unauthorized access and escalate their privileges within the Triofox application.
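A detection sketch for the log anomaly described above, added here as an example (not Mandiant's or Gladinet's code): it flags requests whose Host header names the loopback interface while the client address is not loopback. It assumes IIS W3C extended logs with the standard `c-ip` and `cs-host` fields; the sample lines, addresses and URL path are constructed, and matching `127.0.0.1` and `[::1]` as well as "localhost" goes beyond the case in the article.

```python
import ipaddress

# Constructed sample in IIS W3C extended format (not taken from the article).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-01-01 10:00:01 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-01-01 10:00:05 203.0.113.50 GET /AdminDatabase.aspx localhost 200
2025-01-01 10:00:09 203.0.113.50 GET /login.aspx files.example.test 200
2025-01-01 10:00:12 198.51.100.7 POST /AdminDatabase.aspx LOCALHOST:443 302
2025-01-01 10:00:15 ::1 GET /AdminDatabase.aspx [::1] 200
"""

def host_name(value):
    """Lower-case a Host header value and drop an optional :port suffix."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        return value[: value.find("]") + 1]
    return value.rsplit(":", 1)[0] if ":" in value else value

def is_loopback_host(value):
    """True when the Host header names localhost or a loopback address."""
    name = host_name(value)
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name.strip("[]")).is_loopback
    except ValueError:
        return False  # ordinary DNS name, "-" or empty

def is_external(client_ip):
    """True when the connection did not come from the loopback interface."""
    try:
        return not ipaddress.ip_address(client_ip).is_loopback
    except ValueError:
        return True  # unparsable client address: do not treat it as local

def find_spoofed_localhost(log_text):
    """Return (c-ip, method, uri, host) for non-local clients claiming a loopback Host."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if is_loopback_host(row.get("cs-host", "")) and is_external(row.get("c-ip", "")):
            hits.append(tuple(row.get(k, "-") for k in ("c-ip", "cs-method", "cs-uri-stem", "cs-host")))
    return hits
```

Behind a reverse proxy, `c-ip` holds the proxy's address, so the comparison has to use whichever logged field carries the original client address.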