Week 49 – Slipping In Before the Doors Close

1 – 7 Dec 2025

A critical vulnerability with a CVSS score of 10 has been found in Manager-io/Manager, an accounting application. CVE-2025-64180 is the vulnerability of this week.

In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources.

The flaw lies in the fundamental design of the DNS validation mechanism.
A Time-of-Check Time-of-Use (TOCTOU) window lets an attacker bypass network isolation and reach internal services, cloud metadata endpoints, and protected network segments. The method is quite simple: the attacker supplies a URL pointing at a server under their control, and the domain in that URL is checked and passes validation. If the attacker's web server is configured to redirect POST requests to an internal address, the HTTP client follows the redirect even though the redirect target is internal and would not have passed the domain validation. The response is then returned to the attacker and may contain sensitive data.
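To make the check-then-redirect gap concrete, here is an added example that is not Manager's code and does not claim to reproduce its validation logic. It runs entirely offline: a constructed DNS table and a constructed HTTP transport stand in for real name resolution and real HTTP, so the redirect hop can be shown without touching any network. `vulnerable_fetch` validates only the URL it was handed and then follows redirects blindly (the flawed pattern the advisory describes); `hardened_fetch` resolves and re-checks every hop before requesting it, with automatic redirects effectively disabled. All hostnames, addresses and response bodies are made up for the demonstration.

```python
"""Added example: the redirect-following SSRF pattern and its fix (offline simulation)."""
import ipaddress
from urllib.parse import urlparse, urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed DNS table (not real hosts). The "external" address is chosen to sit
# outside every reserved range so that it passes an is_private-style check.
FAKE_DNS = {
    "example-external.test": "11.22.33.44",   # constructed public address
    "intranet.test": "10.0.0.5",              # RFC 1918 private address
}

# Constructed HTTP transport: url -> (status, headers, body). The external host
# answers with a 302 whose Location points at the link-local metadata address.
FAKE_HTTP = {
    "http://example-external.test/hook": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "http://intranet.test/admin": (200, {}, b"internal admin page"),
    "http://example-external.test/ok": (200, {}, b"public response"),
}


def resolve(hostname: str) -> str:
    """Return the constructed A record for hostname; IP literals pass straight through."""
    try:
        return str(ipaddress.ip_address(hostname))
    except ValueError:
        return FAKE_DNS[hostname]  # KeyError plays the role of NXDOMAIN


def is_public_address(ip_str: str) -> bool:
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254), reserved and multicast."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def host_allowed(url: str) -> bool:
    """Policy check: scheme must be http(s) and the resolved address must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return is_public_address(resolve(parts.hostname))
    except KeyError:
        return False


def transport(url: str):
    """Stand-in for a single HTTP request with automatic redirects turned off."""
    return FAKE_HTTP.get(url, (404, {}, b""))


def vulnerable_fetch(url: str, max_hops: int = 5):
    """Flawed pattern: check the first URL once, then let the client follow redirects."""
    if not host_allowed(url):
        raise ValueError(f"destination not allowed: {url}")
    for _ in range(max_hops):
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # never re-validated: the TOCTOU gap
            continue
        return url, body
    raise RuntimeError("too many redirects")


def hardened_fetch(url: str, max_hops: int = 5):
    """Fixed pattern: validate the resolved address of every hop before requesting it."""
    for _ in range(max_hops):
        if not host_allowed(url):
            raise ValueError(f"destination not allowed: {url}")
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # loops back to the check above
            continue
        return url, body
    raise RuntimeError("too many redirects")


def is_blocked(fetch, url: str) -> bool:
    """True if the given fetcher refuses the URL (or any hop it leads to)."""
    try:
        fetch(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_fetch("http://example-external.test/hook"))
    print("hardened blocks redirect:", is_blocked(hardened_fetch, "http://example-external.test/hook"))
    print("hardened allows public:", hardened_fetch("http://example-external.test/ok"))
```

The design point is that the policy decision and the connection must apply to the same address: with a real HTTP library this means turning off automatic redirect following (for example `allow_redirects=False` in `requests`) and looping over `Location` yourself, re-resolving and re-checking each hop, and ideally pinning the checked IP for the actual connection so a second DNS answer cannot differ from the one that was validated.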

The Desktop edition requires no authentication, which means that anyone from anywhere with zero permission could initiate the attack.
The Server edition requires only standard authentication, so anyone who can log in has access to the sensitive resources.

How can we protect ourselves? Make sure to update to version 25.11.1.3086.

For more information:
https://www.cvedetails.com/cve/CVE-2025-64180/
https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.