CVE-2025-12480

CRITICALCISA KEV

9.1

Description

Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

CVE Details

CVSS v3.1 Score9.1

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published11/10/2025

Last Modified11/14/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorGladinet

ProductTriofox

Vulnerability NameGladinet Triofox Improper Access Control Vulnerability

KEV Date Added2025-11-12

Remediation Due Date2025-12-03

Ransomware UseUnknown

Affected Products

gladinet:triofox

Weaknesses (CWE)

CWE-284

References

https://access.triofox.com/releases_history/(mandiant-cve@google.com)

https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480(mandiant-cve@google.com)

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md(mandiant-cve@google.com)

https://www.triofox.com/(mandiant-cve@google.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-12480(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.