CVE-2025-64180
Published: 07 November 2025
Summary
CVE-2025-64180 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-64180 is a critical vulnerability in Manager-io/Manager accounting software, affecting Desktop and Server editions in versions 25.11.1.3085 and prior. The flaw stems from a fundamental design issue in the DNS validation mechanism, introducing a Time-of-Check Time-of-Use (TOCTOU) condition (CWE-367, CWE-918) that enables attackers to bypass network isolation controls. This permits unauthorized access to internal network resources, including internal services, cloud metadata endpoints, and protected network segments. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.
Attackers can exploit this vulnerability remotely over the network without authentication in the Desktop edition, or with only standard authentication in the Server edition. Successful exploitation allows bypassing intended network isolation, granting access to sensitive internal resources such as cloud metadata services and segmented network areas, potentially leading to high confidentiality, integrity, and availability impacts.
The GitHub security advisory at https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j confirms the issue and states it is fixed in version 25.11.1.3086. Security practitioners should urge users to update to this patched version immediately to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38234
Vulnerability details
Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism. A Time-of-Check Time-of-Use (TOCTOU) condition…
more
that allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation without authentication bypasses isolation to access internals (T1190); directly enables access to cloud metadata endpoints (T1522).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely flaw remediation by applying the vendor patch in version 25.11.1.3086, directly eliminating the TOCTOU condition in the DNS validation mechanism.
Monitors and controls communications at system boundaries to enforce network isolation, blocking unauthorized access to internal services and protected segments despite the DNS bypass.
Enforces approved information flow policies to mediate and restrict logical flows, preventing attackers from bypassing network isolation via the flawed DNS validation.