Design Flaw in Manager Accounting Software Allows Unauthorized Access
CVE-2025-64180

10 CRITICAL

Key Information:

Vendor: Manager-io
Status: Vendor
CVE Published: 7 November 2025

What is CVE-2025-64180?

A significant design flaw in Manager accounting software allows unauthorized access to internal network resources. In the Desktop and Server editions, versions 25.11.1.3085 and below, the vulnerability arises from the DNS validation mechanism: a hostname that passes validation at one point in time can resolve to a different address when the connection is actually made, a Time-of-Check Time-of-Use (TOCTOU) condition. This gives attackers the ability to bypass network isolation and reach sensitive internal services, including cloud metadata endpoints and protected network segments. Exploitation is made easier because the Desktop edition requires no authentication at all, while the Server edition requires only standard user authentication. The flaw has been addressed in version 25.11.1.3086, so users should upgrade to secure their systems.
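The following is an added illustration of the TOCTOU class described above, written for this page; it is not code from Manager-io and does not reflect how the product implements its check. It contrasts a check-then-reconnect pattern (the name is validated, then the HTTP client resolves it a second time) with a pinned pattern that resolves once, validates every returned address and connects to that exact address. The resolver is a constructed stub that answers differently on successive lookups to stand in for a short-TTL rebinding name; nothing touches the network, and all hostnames and addresses are made up (the 203.0.113.0/24 documentation range is used for the "public" answer).

```python
"""Check-time vs. use-time DNS validation for outbound fetches (added example)."""
import ipaddress
from typing import Callable, List, Tuple

# A resolver maps a hostname to the list of addresses it currently answers with.
Resolver = Callable[[str], List[str]]

# Address ranges an outbound-fetch feature should never be allowed to reach.
# 169.254.0.0/16 covers link-local, which is where cloud metadata endpoints live.
_BLOCKED = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_public(addr: str) -> bool:
    """True when the address falls outside every blocked range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges still apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in _BLOCKED)


def fetch_toctou(host: str, resolver: Resolver) -> Tuple[bool, str]:
    """Vulnerable shape: validate the name, then let the client resolve it again.

    Returns (allowed, address_actually_connected_to)."""
    if not all(is_public(a) for a in resolver(host)):
        return (False, "")
    # Second lookup at use time: a rebinding name can now answer with a
    # private or link-local address, and the earlier check no longer applies.
    connect_addr = resolver(host)[0]
    return (True, connect_addr)


def fetch_pinned(host: str, resolver: Resolver) -> Tuple[bool, str]:
    """Hardened shape: resolve once, validate every answer, connect to that address.

    The caller opens the socket to the returned address and passes `host`
    separately for the Host header / SNI, so no further resolution occurs."""
    answers = resolver(host)
    if not answers or not all(is_public(a) for a in answers):
        return (False, "")
    return (True, answers[0])


def make_rebinding_resolver(first: str, then: str) -> Resolver:
    """Constructed stub: the first lookup answers `first`, later lookups answer `then`."""
    state = {"lookups": 0}

    def resolve(_host: str) -> List[str]:
        state["lookups"] += 1
        return [first] if state["lookups"] == 1 else [then]

    return resolve


if __name__ == "__main__":
    # Constructed scenario: a made-up name that flips from a public address
    # to a link-local one between the check and the connect.
    public, link_local = "203.0.113.10", "169.254.169.254"
    print("toctou :", fetch_toctou("rebind.example.invalid", make_rebinding_resolver(public, link_local)))
    print("pinned :", fetch_pinned("rebind.example.invalid", make_rebinding_resolver(public, link_local)))
```

Pinning the validated address closes only the resolution gap. In a real client the same check has to run on every redirect hop (or redirects must be disabled), because a redirect target is a fresh hostname with its own resolution, and the blocked list should be reviewed against the deployment's actual internal ranges rather than assumed complete.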

Affected Version(s)

Manager < 25.11.1.3086

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
