Platform: other
Component: manager
Fixed in: 25.11.2
CVE-2025-64180 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting Manager-io Manager versions up to 25.11.1.3085. This flaw allows attackers to bypass network isolation and potentially access sensitive internal resources, including cloud metadata endpoints. The vulnerability is fixed in version 25.11.1.3086, and users are strongly advised to upgrade immediately.
The SSRF vulnerability in Manager-io Manager poses a significant threat due to its ease of exploitation and potential impact. An attacker can leverage this flaw to access internal network services that are otherwise protected. In the Desktop edition, no authentication is required, making it particularly accessible. The Server edition requires standard authentication, but the impact remains severe as it allows access to internal resources. This could lead to data exfiltration, privilege escalation, and potentially complete compromise of the system. Attackers could also access cloud metadata, exposing sensitive credentials and configuration information. The lack of robust DNS validation contributes to the vulnerability's severity.
CVE-2025-64180 was publicly disclosed on 2025-11-07. The vulnerability's simplicity and the lack of authentication requirements in the Desktop edition suggest a potential for widespread exploitation. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation increases the likelihood of such a PoC emerging. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.13% (32nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-64180 is to upgrade Manager-io Manager to version 25.11.1.3086 or later. Before upgrading, it's crucial to back up your Manager-io database to facilitate a rollback if necessary. While a direct fix is available, consider implementing network segmentation to limit the blast radius of a potential exploit. WAF rules can be configured to block suspicious outbound requests, but this is not a substitute for patching. Monitor network traffic for unusual outbound connections originating from the Manager-io server. After upgrading, confirm the fix by attempting to access internal resources via Manager-io and verifying that access is denied.
Update Manager Desktop or Server to version 25.11.1.3086 or higher. This update corrects the SSRF (Server-Side Request Forgery) vulnerability that allows unauthorized access to internal network resources. The update mitigates the risk of TOCTOU (Time-of-Check Time-of-Use) exploitation in DNS validation.
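The DNS TOCTOU pattern the fix addresses, shown from the defensive side as an added example (not Manager-io's code): resolve the host once, reject every address that is not publicly routable (including IPv4-mapped IPv6 and the link-local range that holds the cloud metadata endpoint), and hand the caller the checked IP to connect to so the name is never re-resolved between check and use. The blocked range list, the `resolver` hook and the sample hostnames are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Ranges an outbound fetch must never reach (assumed policy, not the vendor's list).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local; cloud metadata 169.254.169.254 lives here
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a name to every A/AAAA record via the OS resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked(addr: str) -> bool:
    """True if addr must not be contacted; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def pinned_target(url_host: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Validate url_host once; return (connect_ip, original_host).

    The caller must open the socket to connect_ip and use original_host only
    for the Host header / SNI. Resolving the name a second time at connect
    reopens the TOCTOU window: a rebinding DNS server can answer public for
    the check and internal for the connect. All records are checked, so a
    mixed answer (one public, one internal) is rejected as a whole.
    """
    host = url_host.strip("[]")  # bracketed IPv6 literal -> bare address
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"no addresses for {url_host}")
    bad = [a for a in addrs if is_blocked(a)]
    if bad:
        raise ValueError(f"refusing {url_host}: resolves to {bad[0]}")
    return addrs[0], host
```

Pair this with an HTTP client that accepts a pre-resolved address and disables redirect following, otherwise a 302 to an internal URL re-introduces the problem after the check.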
CVE-2025-64180 is a critical SSRF vulnerability in Manager-io Manager versions up to 25.11.1.3085, allowing attackers to access internal network resources.
If you are using Manager-io Manager versions 25.11.1.3085 or earlier, you are affected by this vulnerability.
Upgrade Manager-io Manager to version 25.11.1.3086 or later to address this SSRF vulnerability.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a potential for exploitation.
Refer to the official Manager-io advisory for detailed information and updates regarding CVE-2025-64180.