Overview
- The now-fixed CVE-2025-12480 flaw let unauthenticated requests spoof a localhost Host header to reach setup pages such as AdminAccount.aspx, bypassing access checks in the CanRunCriticalPage function.
- Operators used the setup workflow to create a native admin account named “Cluster Admin,” then pointed the antivirus engine path at a malicious batch script, which the service executed with SYSTEM privileges whenever files were uploaded.
- The script fetched a legitimate Zoho UEMS installer from 84.200.80.252 and used it to deploy Zoho Assist and AnyDesk, which were then leveraged for reconnaissance and attempted privilege escalation.
- For persistence and remote access, the intruders dropped plink-like tools (e.g., sihosts.exe, silcon.exe) and stood up an SSH reverse tunnel over port 433 to 216.107.136.46 to forward RDP traffic.
- Mandiant observed exploitation as early as August 24, 2025 and attributes it to UNC6485, recommending customers upgrade to the latest Triofox release, audit admin accounts and AV settings, and monitor for outbound SSH and the published indicators.
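The access pattern behind the bypass in the first bullet (a non-local client presenting a loopback Host header to reach AdminAccount.aspx) can be hunted for in web-server access logs. The following is an added example for defenders, not code from Mandiant or the Triofox project: the log lines are constructed in a simplified IIS-like layout, and the set of setup pages beyond AdminAccount.aspx is an assumption to be extended from the vendor's documentation.

```python
import ipaddress

# Constructed IIS-style access log lines (not real Triofox logs).
# Fields: client_ip method path host_header status
SAMPLE_ACCESS_LOG = """\
203.0.113.10 GET /AdminAccount.aspx localhost:80 200
127.0.0.1 GET /AdminAccount.aspx localhost 200
198.51.100.7 GET /AdminAccount.aspx triofox.example.com 403
198.51.100.7 GET /login.aspx triofox.example.com 200
2001:db8::9 GET /AdminAccount.aspx [::1]:443 200
"""

SETUP_PAGES = {"/adminaccount.aspx"}  # extend with other setup pages (assumption)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def _host_name(host_header: str) -> str:
    """Strip an optional port from a Host header value ('[::1]:443' -> '::1')."""
    h = host_header.lower()
    if h.startswith("[") and "]" in h:
        return h[1:h.index("]")]
    return h.split(":")[0]

def _is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparseable addresses are treated as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def spoofed_localhost_requests(log_text: str) -> list:
    """Return (client_ip, path, status) for requests where a non-loopback
    client reached a setup page while presenting a loopback Host header,
    the access pattern behind CVE-2025-12480."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, _method, path, host, status = parts
        if (path.lower() in SETUP_PAGES
                and _host_name(host) in LOOPBACK_HOSTS
                and not _is_loopback(ip)):
            hits.append((ip, path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in spoofed_localhost_requests(SAMPLE_ACCESS_LOG):
        print("spoofed localhost Host header:", hit)
```

If a reverse proxy in front of Triofox rewrites the Host header to localhost, log the original client address and Host (e.g. from X-Forwarded-For) instead, or every legitimate request will match.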