Hackers Exploited Triofox Antivirus to Secretly Install Remote Access Tools
Security researchers have discovered a campaign where hackers abused a feature within Triofox antivirus software to bypass security measures and deploy remote access tools on compromised systems. The vulnerability, a zero-day local file inclusion flaw (CVE-2025-11371) affecting both Gladinet CentreStack and Triofox products, allowed attackers to access system files without authentication, leading to at least three successful network intrusions.
This exploitation highlights a critical risk: even robust security software can be subverted if its own internal mechanisms are compromised. The attackers leveraged Triofox’s antivirus engine to run unauthorized scripts and binaries, effectively turning a security tool into a gateway for malicious activity. Organizations using Triofox, notably those relying on it as a primary line of defense, are urged to update to the latest version immediately and audit admin accounts to mitigate the threat.
The vulnerability was initially reported by Huntress last month and afterward addressed in Triofox version 16.7.10368.56560. However, the most recent update, version 16.10.10408.56683, released on October 14, contains a complete fix and is strongly recommended by Triofox for all users.
GTIG’s report details indicators of compromise (IoCs) to assist security teams in identifying and responding to potential attacks. These IoCs are also available on VirusTotal. Beyond updating, Triofox advises administrators to verify that the antivirus engine is not configured to execute unauthorized code, a key element in preventing future exploitation of this type.