Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525.
The vulnerability (CWE-918) is located in the proxy handler component of the Manager application. An unauthenticated attacker can send crafted HTTP requests that the server executes on behalf of the attacker in the context of the internal network. This allows querying resources that are not directly accessible from the Internet, such as internal network services or cloud environment metadata endpoints. The lack of an authentication mechanism on this component makes the exploit possible without possessing any credentials.
An attacker can gain unauthorized access to internal network services, cloud metadata endpoints (e.g., AWS/GCP/Azure IMDSv1), and exfiltrate sensitive data from isolated network segments, which may lead to complete compromise of infrastructure confidentiality.
The Manager software should be updated to version 25.7.21.2525 or later, where the vulnerability has been removed. The patch is available from the vendor. Until the update is applied, it is recommended to restrict network access to the Manager instance only to trusted hosts and block access to cloud metadata endpoints at the firewall level.
Manager Desktop and Manager Server in versions up to and including 25.7.18.2519
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H