Apple iOS & iPadOS Patch 0-Days Vulnerabilities, Exploited in Targeted Attacks
Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks
Continue Readingarbitrary code
Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability
Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.
| OEM | Gladinet |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12480 |
| POC Available | YES |
| Actively Exploited | YES |
| Exploited in Wild | YES |
| Advisory Version | 1.0 |
Overview
Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain | CVE-2025-12480 | Triofox | Critical | v16.7.10368.56560 or later |
Technical Summary
The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access.
Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 12480 | Triofox < 16.7.10368.56560 | Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM | Authentication Bypass, Admin Account Creation, Remote Code Execution, Full System Compromise, Persistent Access, Data Exfiltration, Lateral Movement |
Indicators of Compromise (IOCs)
Host-Based Artifacts
| Artifact | Description | SHA-256 Hash |
| C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe | Installer containing Zoho UEMS Agent | 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f |
| C:\Windows\temp\sihosts.exe | Plink | 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 |
| C:\Windows\temp\silcon.exe | PuTTy | 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad |
| C:\Windows\temp\file.exe | AnyDesk | ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f |
| C:\triofox\centre_report.bat | Attacker batch script filename | N/A |
Network-Based Artifacts
| IP Address | ASN | Description |
| 85.239.63[.]37 | AS62240 – Clouvider Limited | IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance |
| 65.109.204[.]197 | AS24950 – Hetzner Online GmbH | After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities |
| 84.200.80[.]252 | AS214036 – Ultahost, Inc. | IP address hosting the installer for the Zoho UEMSAgent remote access tool |
| 216.107.136[.]46 | AS396356 – LATITUDE-SH | Plink C2 |
Source: cloud.google.com
Recommendations:
Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal.
Conclusion:
This vulnerability represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.
Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools.
References:
Ivanti Endpoint Manager Vulnerabilities Expose Systems to RCE, SQL & Privilege Escalation Risks
Summary : Security Advisory: Ivanti has publicly disclosed 13 vulnerabilities affecting its Endpoint Manager (EPM) 2024 and earlier releases. It includes 2 high-severity issues, 1 enabling remote code execution (RCE) and the other supporting privilege escalation alongside 11 medium-severity SQL injection flaws. Successful exploitation could lead to privilege escalation or remote code execution.
| OEM | Ivanti |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-11622, CVE-2025-9713 & CVEs for SQL |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities are considered critical for enterprise environments, as they could permit attackers to gain unauthorized access, execute arbitrary code, or extract sensitive database information from vulnerable endpoints.
Administrators are urged to update to the latest version to mitigate the attack and prevent potential exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Insecure Deserialization | CVE-2025-11622 | Ivanti Endpoint Manager 2024 SU3 SR1 and prior | High | 2024 SU4 |
| Path Traversal – Remote Code Execution | CVE-2025-9713 | Ivanti Endpoint Manager 2024 SU3 SR1 and prior | High |
Technical Summary
2 severe vulnerabilities in Ivanti Endpoint Manager significantly increase the risk to affected systems. One of the issues involves insecure deserialization, which may allow a local authenticated attacker to elevate their privileges and gain unauthorized access to sensitive functions or data.
Another notable vulnerability is a path traversal flaw that can lead to remote code execution when triggered by a remote unauthenticated attacker, provided certain user interaction occurs. In addition to these, multiple instances of SQL injection have been identified across various components of the application. These flaws could be exploited by remote authenticated users to retrieve unauthorized information from the backend database, potentially exposing sensitive data.
These vulnerabilities underscores the importance of implementing secure coding practices, validating user input, and applying timely security patches to minimize risk and protect system assets.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11622 | Ivanti Endpoint Manager | This flaw allows a local authenticated attacker to escalate privileges on the EPM Core server by exploiting deserialization routines. | Privilege Escalation / Remote Code Execution |
| CVE-2025-9713 | Ivanti Endpoint Manager | This enables remote unauthenticated attackers to achieve remote code execution, with user interaction required to trigger malicious file import or configuration actions. | Remote Code Execution / System Compromise |
In addition, releasing eleven CVEs for SQL injection vulnerabilities that permit remote authenticated attackers to access and read arbitrary data from the database.
| Vulnerability Name | CVE ID | Affected Component | Severity |
| SQL Injection Flaws | CVE-2025-1162 CVE-2025-62383 CVE-2025-62384 CVE-2025-62385 CVE-2025-62386 CVE-2025-62387 CVE-2025-62388 CVE-2025-62389 CVE-2025-62390 CVE-2025-62391 CVE-2025-62392 | Ivanti Endpoint Manager | Medium |
Recommendations
Update Ivanti Endpoint Manager to the following versions when available:
- 2024 SU4 for high-severity vulnerabilities (targeted release November 12, 2025)
- 2024 SU5 for SQL injection vulnerabilities (scheduled Q1 2026)
Patches are currently under development, here are some mitigations below to protect the environment
- Use Ivanti EPM 2024 SU3 SR1 to reduce the risk associated with the insecure deserialization vulnerability.
- Limit access to the EPM Core server to local administrators only.
- Use a firewall with a strict whitelisting configuration to block remote access.
- Avoid importing untrusted configuration files into the EPM Core server.
- Remove the reporting database user from the EPM configuration to mitigate the SQL injection vulnerabilities. But this action will disable reporting functionality, as the reporting database user is required to run reports.
Conclusion:
These vulnerabilities pose a significant threat to organizations relying on Ivanti Endpoint Manager for enterprise device management, potentially enabling privilege escalation, remote code execution, and unauthorized data access. Enterprises are strongly urged to implement Ivanti’s recommended mitigations without delay to reduce immediate risk. Additionally, organizations should prepare for the timely deployment of the upcoming security updates as they become available. Proactive action is essential to maintaining the security and integrity of endpoint management infrastructure.
References:
Google Chrome Patches Actively Exploited Zero-Day Vulnerability
Summary : Security Advisory
Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.
Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.
| OEM | |
| Severity | HIGH |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-5419 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention.
In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.
While less critical, such flaws can still result in memory corruption and possible code execution.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-bounds memory access vulnerability | CVE-2025-5419 | Google Chrome | High | 137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux) |
Technical Summary
This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.
This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5419 | Chrome (all platforms) | Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML | Arbitrary code execution, memory compromise, remote attack |
Remediation:
Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities.
General Recommendation:
- Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise.
- Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released.
- Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats.
- Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments.
- Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions.
Conclusion:
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.
Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability.
While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.
References: