CVE-2025-64180

CVE-2025-64180 is a critical vulnerability in Manager-io/Manager accounting software, affecting Desktop and Server editions in versions 25.11.1.3085 and prior. The flaw stems from a fundamental design issue in the DNS validation mechanism, introducing a Time-of-Check Time-of-Use (TOCTOU) condition (CWE-367, CWE-918) that enables attackers to bypass network isolation controls. This permits unauthorized access to internal network resources, including internal services, cloud metadata endpoints, and protected network segments. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.

Attackers can exploit this vulnerability remotely over the network without authentication in the Desktop edition, or with only standard authentication in the Server edition. Successful exploitation allows bypassing intended network isolation, granting access to sensitive internal resources such as cloud metadata services and segmented network areas, potentially leading to high confidentiality, integrity, and availability impacts.

The GitHub security advisory at https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j confirms the issue and states it is fixed in version 25.11.1.3086. Security practitioners should urge users to update to this patched version immediately to mitigate the risk.