Overview
- The critical vulnerability tracked as CVE-2025-12480 lets unauthenticated requests reach the product's setup pages when the HTTP Host header is spoofed as 'localhost', which enables creation of a native 'Cluster Admin' account.
- Attackers then configured the product’s antivirus scanner path to a malicious script that executed with SYSTEM privileges, allowing remote code execution when any file was uploaded to a published share.
- Mandiant observed the script fetching a Zoho UEMS installer from 84.200.80.252, which was used to deploy Zoho Assist and AnyDesk for remote access and lateral movement.
- Post-compromise actions included enumerating SMB sessions, attempting password changes, modifying admin group memberships, and establishing an SSH reverse tunnel over port 433 to 216.107.136.46 to forward RDP.
- Mandiant attributes the activity to UNC6485 and urges customers to upgrade to a fixed release (at least 16.7.10368.56560, with the latest at 16.10.10408.56683), audit admin accounts, lock down the AV scanner path, and hunt for the published IOCs and anomalous outbound SSH.
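The two preconditions above that a defender can see in telemetry are (1) web requests carrying a Host header of 'localhost' from a client address that is not loopback, and (2) outbound connections from the file server to the advisory's infrastructure or to an unusual SSH port such as 433. The following script is an added example, not code from Mandiant or Gladinet: it runs both checks over constructed sample records. The W3C-style field order, the `/setup-page-placeholder/` path (a stand-in for whatever the product's real setup URL is), the server address `10.0.0.20` and all client addresses are assumptions; the two IP addresses in `IOC_IPS` are the ones listed in the summary above.

```python
"""Defender-side checks for the CVE-2025-12480 pattern described above.

Check 1: Host header 'localhost' (or a loopback literal) from a non-loopback
         client address, which is the precondition for reaching setup pages.
Check 2: Outbound connections from the file server to an IOC address or to
         an unusual port (433 is the reverse-tunnel port named above).
Both checks run over constructed sample data embedded below.
"""
import ipaddress
from typing import NamedTuple

# Addresses named in the advisory summary (the only page-specific values used).
IOC_IPS = frozenset({"84.200.80.252", "216.107.136.46"})

# Constructed W3C-style web log (assumed field order, not real product logs).
# /setup-page-placeholder/ stands in for the product's actual setup URL.
SAMPLE_WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-11-01 10:00:01 10.0.0.5 GET /portal/login.aspx triofox.example.com 200
2025-11-01 10:00:07 127.0.0.1 GET /setup-page-placeholder/ localhost 200
2025-11-01 10:01:12 203.0.113.7 GET /setup-page-placeholder/ localhost 200
2025-11-01 10:01:15 203.0.113.7 POST /setup-page-placeholder/ localhost:80 302
2025-11-01 10:02:40 10.0.0.9 GET /portal/files.aspx triofox.example.com 200
"""

# Constructed flow records from the file server (assumed server IP 10.0.0.20).
SAMPLE_FLOWS = """\
# src_ip dst_ip dst_port
10.0.0.20 10.0.0.53 53
10.0.0.20 216.107.136.46 433
10.0.0.20 84.200.80.252 443
10.0.0.20 198.51.100.9 443
10.0.0.31 198.51.100.9 433
"""


class WebRecord(NamedTuple):
    time: str
    client_ip: str
    method: str
    path: str
    host: str
    status: str


def parse_web_log(text: str) -> list[WebRecord]:
    """Parse the assumed 7-field layout, skipping directives and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 7:
            continue
        _date, time, c_ip, method, path, host, status = parts
        records.append(WebRecord(time, c_ip, method, path, host, status))
    return records


def spoofed_localhost_hits(text: str) -> list[WebRecord]:
    """Requests whose Host header claims loopback but whose client is not loopback."""
    hits = []
    for rec in parse_web_log(text):
        host = rec.host.rsplit(":", 1)[0].lower()  # strip an optional :port
        if host not in ("localhost", "127.0.0.1", "[::1]"):
            continue
        try:
            client = ipaddress.ip_address(rec.client_ip)
        except ValueError:
            continue  # unparsable client field; leave for manual review
        if not client.is_loopback:
            hits.append(rec)
    return hits


def suspicious_outbound(text: str, server_ip: str,
                        watch_ports: frozenset = frozenset({433})) -> list[tuple]:
    """Outbound flows from server_ip to an IOC address or a watched port.

    Returns (dst_ip, dst_port, reasons) tuples; a flow can match both rules.
    """
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        src, dst, port_s = parts
        if src != server_ip or not port_s.isdigit():
            continue
        port = int(port_s)
        reasons = []
        if dst in IOC_IPS:
            reasons.append("destination is an advisory IOC address")
        if port in watch_ports:
            reasons.append(f"unusual outbound port {port}")
        if reasons:
            alerts.append((dst, port, reasons))
    return alerts


if __name__ == "__main__":
    for rec in spoofed_localhost_hits(SAMPLE_WEB_LOG):
        print(f"[host-spoof] {rec.time} {rec.client_ip} {rec.method} {rec.path} Host={rec.host}")
    for dst, port, reasons in suspicious_outbound(SAMPLE_FLOWS, "10.0.0.20"):
        print(f"[outbound] {dst}:{port} -> {'; '.join(reasons)}")
```

The Host check deliberately keys on the header and client address rather than on a URL, so it does not depend on knowing the exact setup path; if a reverse proxy sits in front of the server, run it against the proxy's logs (or the X-Forwarded-For value), because behind a proxy every client appears to the backend as the proxy's address. The flow check treats an IOC match and an unusual port as independent reasons so that a tunnel to a not-yet-published address on port 433 is still surfaced.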