PT-2025-45400 · Manager Io · Imanager

Published 2025-11-07 · Updated 2025-11-13 · CVE-2025-64180

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Manager-io/Manager versions 25.11.1.3085 and below

Description

Manager-io/Manager accounting software contains a critical flaw in its DNS validation mechanism. The flaw creates a Time-of-Check Time-of-Use (TOCTOU) condition that allows attackers to bypass network isolation and gain unauthorized access to internal network resources, cloud metadata endpoints, and protected network segments. The Desktop edition does not require authentication, while the Server edition requires standard authentication. TOCTOU is a race condition in which a resource is checked and then used, but is modified by another process in the interval between the check and the use.

Recommendations

Update Manager Desktop and Server to version 25.11.1.3086.
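The check-then-use gap described above, as an added example (not Manager's code; the page does not show the product's implementation): a destination check that validates one DNS lookup and then lets the client resolve the name again, beside a version that resolves once and connects to the validated address. All function names, the `ChangingResolver` test double and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

def is_public(ip):
    """True only for globally routable addresses (rejects loopback, RFC 1918, link-local)."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 address is what gets judged.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_global

def resolve(host, port):
    """Default resolver: one getaddrinfo call, every address it returned."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def connect_target_racy(host, port, resolver=resolve):
    """Check-then-use: the validated lookup is not the lookup the connection uses."""
    if not all(is_public(ip) for ip in resolver(host, port)):   # time of check
        raise PermissionError("blocked destination")
    # A client handed the hostname resolves it again; modelled by a second lookup.
    return resolver(host, port)[0]                              # time of use

def connect_target_pinned(host, port, resolver=resolve):
    """Resolve once, validate every address, return the validated IP to connect to."""
    addrs = resolver(host, port)
    if not addrs or not all(is_public(ip) for ip in addrs):
        raise PermissionError("blocked destination")
    # Connect to this literal IP; send `host` only as the Host header / TLS SNI.
    return addrs[0]

class ChangingResolver:
    """Constructed test double: consecutive lookups of one name return different answers."""
    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host, port):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer

if __name__ == "__main__":
    answers = [["93.184.216.34"], ["169.254.169.254"]]  # constructed sample answers
    print("racy  :", connect_target_racy("example.test", 80, ChangingResolver(answers)))
    print("pinned:", connect_target_pinned("example.test", 80, ChangingResolver(answers)))
```

The pinned variant only helps if the outbound connection is made to the returned address; redirects need the same check applied to each new destination.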

Fix

Time Of Check To Time Of Use

SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-64180
GHSA-J2XJ-XHPH-P74J

Affected Products

Imanager
Manager Desktop
Server Manager