CVE-2025-64180
CRITICAL EPSS 21.0%
Published Nov 7, 20257mo ago · Modified Jun 17, 20261w ago
10.0 CVSS 3.1
Published Nov 7, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago
Description
Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism. A Time-of-Check Time-of-Use (TOCTOU) condition that allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
21.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-367
CWE-918 Server-Side Request Forgery (SSRF) Validation
References 1
- github.com https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.