CVE-2025-64180 · CRITICAL 10.0 · EPSS percentile 20.2%


Description

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism: a Time-of-Check Time-of-Use (TOCTOU) condition allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
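The weakness class described above (a DNS check performed once, then a second lookup by the HTTP client at connect time) is easiest to see side by side with the fix. The following is an added illustration, not code from Manager or from the advisory: the resolver is injected so the script runs offline, `RebindingResolver` is a constructed stand-in for an attacker-controlled DNS server that changes its answer between calls, and the hostname and addresses are constructed sample values. The hardened variant resolves once, validates every returned address, and connects to that pinned address while sending the original name in the Host header, so no second lookup can change the destination.

```python
"""Resolve-then-connect TOCTOU in an SSRF filter, beside the pinned-address fix.

Added example for illustration; it is not Manager's code. The resolver is a
parameter so the behaviour can be shown without network access.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

Resolver = Callable[[str], List[str]]


def is_internal(ip: str) -> bool:
    """True for any address an outbound-fetch feature must never reach.

    ipaddress.is_global is False for RFC 1918 space, loopback, link-local
    (which includes the 169.254.169.254 cloud metadata endpoint), shared
    address space, and the reserved/special-purpose ranges.
    """
    return not ipaddress.ip_address(ip).is_global


class RebindingResolver:
    """Constructed stand-in for attacker-controlled DNS: answers change per call."""

    def __init__(self, answers: List[List[str]]) -> None:
        self._answers = answers
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        answer = self._answers[min(self.calls, len(self._answers) - 1)]
        self.calls += 1
        return list(answer)


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use; not exercised offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def target_vulnerable(host: str, resolve: Resolver) -> str:
    """Check-then-use: validates one lookup, then the HTTP client looks up again.

    Returns the address the connection would actually be made to.
    """
    if any(is_internal(ip) for ip in resolve(host)):  # time of check
        raise ValueError(f"{host} resolves to an internal address")
    # Time of use: the HTTP library performs its own lookup. If the DNS answer
    # changed in between, the connection goes to an address that was never checked.
    return resolve(host)[0]


def target_hardened(host: str, resolve: Resolver) -> Tuple[str, str]:
    """Resolve once, validate every answer, connect to that exact address.

    Returns (pinned_ip, host): open the socket to pinned_ip and send
    "Host: <host>" so the name is never resolved a second time. Any HTTP
    redirect must be fed back through this function for its new hostname.
    """
    ips = resolve(host)
    if not ips:
        raise ValueError(f"{host} did not resolve")
    for ip in ips:  # every A/AAAA answer, not just the first one
        if is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    return ips[0], host


if __name__ == "__main__":
    # Constructed scenario: public address on the first lookup, metadata
    # endpoint on the second.
    dns = RebindingResolver([["1.2.3.4"], ["169.254.169.254"]])
    print("vulnerable connects to:", target_vulnerable("rebind.example", dns))
    dns = RebindingResolver([["1.2.3.4"], ["169.254.169.254"]])
    print("hardened connects to:", target_hardened("rebind.example", dns))
```

The detection side follows from the same code: a fetch feature that is correctly pinned performs exactly one lookup per request, so a second resolution of the same name from the same request is itself a signal worth alerting on in resolver logs.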

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.2% · scored 2026-06-18T12:00:27Z
Published: 2025-11-07
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-367, CWE-918

References

  1. https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j

Weakness mappings · 2

Type      Target                                                        Confidence  Tier
Weakness  Time-of-check Time-of-use (TOCTOU) Race Condition (cwe-367)   0%          live
Weakness  Server-Side Request Forgery (SSRF) (cwe-918)                  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-54122
  2. CVE-2026-45647
  3. CVE-2025-40664
  4. CVE-2025-8025
  5. CVE-2025-56447
  6. CVE-2025-3886

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.