VYPR
Critical severity 10.0 · OSV Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026

CVE-2025-64180

Description

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism: a Time-of-Check Time-of-Use (TOCTOU) condition allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
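The advisory does not publish Manager's validation code, so the following is an added example, not the project's own code: it shows the general DNS check-then-use pattern next to a resolve-once, validate, and pin alternative. All names (`racy_target`, `pinned_target`, `ChangingResolver`), the sample addresses, and the assumption that validation and connection perform separate lookups are hypothetical.

```python
import ipaddress
import socket


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public(addr):
    """True only for globally routable addresses (IPv4-mapped IPv6 unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def racy_target(host, resolve=resolve_all):
    """Check-then-use: validates one lookup, then connects using a second lookup."""
    if not all(is_public(a) for a in resolve(host)):   # time of check
        raise PermissionError(f"{host} resolves to a non-public address")
    return resolve(host)[0]                            # time of use: new DNS answer


def pinned_target(host, resolve=resolve_all):
    """Resolve once, validate every answer, return the validated IP to connect to."""
    addrs = resolve(host)
    if not addrs or not all(is_public(a) for a in addrs):
        raise PermissionError(f"{host} resolves to a non-public address")
    return addrs[0]   # caller connects to this IP and sends host only as Host/SNI


class ChangingResolver:
    """Constructed stub (assumption): a name whose answer changes between lookups."""
    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]


if __name__ == "__main__":
    sample = ["93.184.216.34", "10.0.0.5"]   # constructed answers: public, then internal
    print("racy  :", racy_target("host.example", ChangingResolver(sample)))
    print("pinned:", pinned_target("host.example", ChangingResolver(sample)))
```

The pinned form only helps if the HTTP client really connects to the returned IP; redirects need the same resolve, validate, and pin step for each new hostname.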

Affected products
  • Manager Io/Manager · OSV · 2 versions
    22.10.10.422, 22.10.21.442, 22.10.22.448, …+ 1 more
    • (no CPE) range: 22.10.10.422, 22.10.21.442, 22.10.22.448, …
    • (no CPE) range: <=25.11.1.3085
