Manager-io Manager DNS Validation Vulnerability Allowing Unauthorized Internal Network Access

Vulnerability

A critical vulnerability exists in Manager-io Manager accounting software, specifically in the Desktop and Server editions, versions through 25.10.31. The issue arises from a Time-of-Check Time-of-Use (TOCTOU) gap in the DNS validation process: the destination of an outbound request is validated once, before the request is sent, and is not re-validated for the destination the request is subsequently redirected to. This vulnerability allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition does not require authentication, while the Server edition only requires standard authentication.

Impact

Exploitation of this vulnerability allows a complete bypass of network isolation and firewall protections, enabling access to internal systems that should not be exposed to external networks. In cloud environments, it allows extraction of metadata from AWS, Google Cloud, and Azure, potentially exposing credentials and granting control over cloud resources. The vulnerability also turns the application into a proxy for exploring internal networks and gathering sensitive information. In the Desktop edition, the lack of authentication further amplifies these impacts.

Reproduction

To reproduce this vulnerability, an attacker can set up a server that responds with 303 redirects to internal addresses. When Manager's proxy feature processes a request to this server, the initial DNS validation will succeed, but the subsequent redirect will bypass all protections. The same exploit tool created for CVE-2025-54122 can be used for this vulnerability with minor modifications.

Remediation

Users should update to version 25.11.1 or later, as this version removes the proxy feature that allows exploitation.
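The defensive pattern the advisory implies, as an added illustration that is not Manager's own code: an outbound fetch that resolves and checks every destination, connects to the IP it checked, and refuses to auto-follow redirects, re-running the same check on each hop so a 303 to an internal or metadata address is rejected. The hostnames, addresses and the `fetch`/`resolve` callables are constructed stand-ins so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def is_blocked_ip(ip: str) -> bool:
    # Loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata), etc.
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)

def resolve_all(host: str) -> list:
    # Every A/AAAA answer for host; each one must pass is_blocked_ip.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def safe_fetch(url, fetch, resolve=resolve_all, max_redirects=5):
    """Follow redirects by hand so every hop is validated before it is used.
    fetch(url, ip) -> (status, headers, body) must connect to the pinned ip,
    never re-resolve the name, and never auto-follow redirects."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"refusing URL {url!r}")
        ips = resolve(parts.hostname)
        if not ips or any(is_blocked_ip(ip) for ip in ips):
            raise ValueError(f"{parts.hostname} resolves to a blocked address")
        status, headers, body = fetch(url, ips[0])  # same IP that was checked
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers.get("Location", ""))  # re-checked next loop
    raise ValueError("too many redirects")

def fetch_or_reason(url, fetch, resolve):
    # (status, body) on success, or the reason the fetch was refused.
    try:
        return safe_fetch(url, fetch, resolve)
    except ValueError as exc:
        return str(exc)
# Constructed, offline stand-ins: a public host, and one that answers with a
# 303 to the AWS metadata address as in the advisory's reproduction steps.
def demo_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal maps to itself
    except ValueError:
        return {"public.example": ["1.2.3.4"],
                "attacker.example": ["5.6.7.8"]}.get(host, [])

def demo_fetch(url, ip):
    if url.startswith("http://attacker.example/"):
        return 303, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"ok"
```

Checking all resolved addresses and connecting to the one that was checked also closes the DNS-rebinding variant of the same TOCTOU, where the name changes answers between validation and connection.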

Added: Nov 7, 2025, 4:20 AM
Updated: Nov 7, 2025, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact          10.0
exploitability   8.7
remediation      7.7
relevance        0.9
threat           6.4
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.