Cyber Resilience

CVE-2025-64180

Critical

Published: 07 November 2025

Published
07 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0010 26.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64180 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-64180 is a critical vulnerability in Manager-io/Manager accounting software, affecting Desktop and Server editions in versions 25.11.1.3085 and prior. The flaw stems from a fundamental design issue in the DNS validation mechanism, introducing a Time-of-Check Time-of-Use (TOCTOU) condition (CWE-367, CWE-918) that enables attackers to bypass network isolation controls. This permits unauthorized access to internal network resources, including internal services, cloud metadata endpoints, and protected network segments. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.

Attackers can exploit this vulnerability remotely over the network without authentication in the Desktop edition, or with only standard authentication in the Server edition. Successful exploitation allows bypassing intended network isolation, granting access to sensitive internal resources such as cloud metadata services and segmented network areas, potentially leading to high confidentiality, integrity, and availability impacts.

The GitHub security advisory at https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j confirms the issue and states it is fixed in version 25.11.1.3086. Security practitioners should urge users to update to this patched version immediately to mitigate the risk.

EU & UK References

Vulnerability details

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism. A Time-of-Check Time-of-Use (TOCTOU) condition…

more

that allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

Remote network exploitation without authentication bypasses isolation to access internals (T1190); directly enables access to cloud metadata endpoints (T1522).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39361Shared CWE-918
CVE-2025-54122Shared CWE-918
CVE-2025-57822Shared CWE-918
CVE-2026-42281Shared CWE-918
CVE-2025-50180Shared CWE-918
CVE-2026-30242Shared CWE-918
CVE-2026-42595Shared CWE-918
CVE-2026-2286Shared CWE-918
CVE-2026-7412Shared CWE-918
CVE-2025-27501Shared CWE-918

Affected Assets

Server
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely flaw remediation by applying the vendor patch in version 25.11.1.3086, directly eliminating the TOCTOU condition in the DNS validation mechanism.

preventdetect

Monitors and controls communications at system boundaries to enforce network isolation, blocking unauthorized access to internal services and protected segments despite the DNS bypass.

prevent

Enforces approved information flow policies to mediate and restrict logical flows, preventing attackers from bypassing network isolation via the flawed DNS validation.

References