CVE-2025-54122
Published: 21 July 2025
Summary
CVE-2025-54122 is a critical-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SSRF vulnerability by requiring timely patching to the fixed version 25.7.21.2525 as specified in the advisory.
- SI-10 (Information Input Validation): validates inputs to the vulnerable proxy handler to block crafted requests that trigger SSRF exploitation.
- AC-4 (Information Flow Enforcement): enforces information flow policies to restrict the proxy handler from accessing unauthorized internal services, cloud metadata, or isolated network segments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing application directly enables remote exploitation (T1190) and access to cloud metadata endpoints for credential theft (T1552.005).
NVD Description
Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both Manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525.
Deeper analysis
CVE-2025-54122 is a critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the proxy handler component of Manager-io/Manager accounting software. It affects both Desktop and Server editions up to and including version 25.7.18.2519. The issue, published on 2025-07-21, carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its severe potential for remote exploitation without authentication or user interaction.
An unauthenticated attacker can exploit this vulnerability over the network by sending crafted requests to the vulnerable proxy handler. Successful exploitation allows bypassing network isolation and access restrictions, enabling read access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments.
The GitHub security advisory at https://github.com/Manager-io/Manager/security/advisories/GHSA-347w-cgwh-m895 confirms the vulnerability and states it is fixed in version 25.7.21.2525. Security practitioners should upgrade to this patched version immediately and review network configurations to limit exposure of affected Manager instances.
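As an added example (not Manager's own code; the advisory does not describe the proxy handler's internals), the following Python shows how the two controls named in the summary look when applied to a proxy handler's destination: an explicit host allowlist (AC-4) and validation of every resolved address against internal, link-local and metadata ranges (SI-10). The host names, addresses and offline resolver are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Destinations a proxy must never fetch on a client's behalf. 169.254.0.0/16 covers the
# 169.254.169.254 cloud metadata endpoint; ::ffff:0:0/96 blocks IPv4-mapped IPv6 encodings.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8")]

def system_resolver(host: str) -> list[str]:
    # OS resolver; getaddrinfo also accepts IP literals, so no separate parse is needed.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def ip_is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BLOCKED_NETS)

def validate_proxy_target(url: str, allowed_hosts: Iterable[str],
                          resolve: Callable[[str], list[str]] = system_resolver) -> tuple[bool, str]:
    """Layered check: scheme, explicit host allowlist (the AC-4 flow policy), then every
    resolved address (the SI-10 validation), so an allowlisted name that points inward is
    still refused. Connect to the address validated here rather than re-resolving (rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname  # lower-cased, IPv6 brackets and userinfo stripped
    if not host or parts.username is not None:
        return False, "missing host or credentials embedded in URL"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = resolve(host)
    except socket.gaierror:
        return False, f"cannot resolve {host!r}"
    for addr in addresses:
        if ip_is_internal(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"

# Constructed offline stand-in for DNS; these names and addresses are made up.
FAKE_DNS = {"rates.example.com": ["203.0.113.10"],
            "rebound.example.com": ["203.0.113.11", "10.0.0.5"]}  # second record points inward

def fake_resolve(host: str) -> list[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal, as getaddrinfo would return it
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"no constructed record for {host}")
        return FAKE_DNS[host]
```

Because the address check runs over every record the name resolves to, a host that is on the allowlist but has even one internal A/AAAA record is refused.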
Details
- CWE(s)