CRITICAL🇵🇱 Wersja polska

CVE-2025-64180

CVSS 10.0v3.1pub. 2025-11-07upd. 2026-04-15

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism. A Time-of-Check Time-of-Use (TOCTOU) condition that allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.

🤖 AI Analysis
How it works

The vulnerability lies in a DNS validation mechanism that is susceptible to a Time-of-Check Time-of-Use (TOCTOU) attack — a classic race condition. An attacker can manipulate the DNS response between the moment of address verification and the moment of connection establishment, allowing network isolation to be bypassed (SSRF). This enables access to internal network services, cloud metadata endpoints (e.g., cloud metadata endpoints), and protected network segments. The Desktop version requires no authentication; the Server version requires only standard authentication.

Impact

An attacker can gain unauthorized access to internal network resources, protected network segments, and sensitive cloud metadata endpoints, which may lead to disclosure of confidential data, privilege escalation, or further infrastructure compromise.

Mitigation & patch

The Manager software must be immediately updated to version 25.11.1.3086, in which the bug has been fixed. Details are available in the vendor's references (GitHub Security Advisory).

Who is affected

Manager Desktop and Manager Server in versions 25.11.1.3085 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Race Condition
CWE
References