A newly disclosed critical vulnerability in Manager.io, a free accounting software used by businesses across Australia and New Zealand, poses a severe threat to network security and cloud environments. Identified as CVE-2025-54122, the flaw allows unauthenticated Server-Side Request Forgery (SSRF), with a CVSS score of 10, the highest possible severity rating.
The vulnerability impacts Manager Desktop and Server editions up to version 25.7.18.2519, and has been responsibly disclosed by Krishna Agarwal (@Kr1shna4garwal).
“This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments,” according to the official advisory.
The flaw resides in Manager’s proxy handler component, which mishandles crafted payloads that include redirection logic. By sending a specially formed POST request to the proxy endpoint, an attacker can:
- Trigger automatic redirection to internal addresses such as http://localhost:80/admin or http://169.254.169.254/latest/meta-data/
- Convert the original POST request to a GET, bypassing endpoint protections
- Receive sensitive content from internal or cloud metadata services
“This mechanism bypasses POST-only restrictions and allows for arbitrary GET requests to internal resources,” the advisory states.
The danger is particularly stark in cloud-hosted environments like AWS, Google Cloud, and Azure, where attackers can exploit this flaw to extract IAM credentials, temporary tokens, and configuration files—often the keys to complete cloud takeover.
To demonstrate the issue, researchers developed a Python-based tool that crafts the malicious protobuf message and automates the entire SSRF chain.
“The Manager application’s proxy component automatically follows this redirect, converting the request method from POST to GET, and fetches the content from the internal target, returning it in the response to the attacker,” the advisory confirms.
This full-read SSRF means that firewalls, NAT configurations, and zero-trust policies are rendered ineffective, as the requests originate from the trusted Manager server itself.
Users are strongly urged to upgrade immediately to the patched version 25.7.21.2525, which addresses the vulnerability and enhances internal request validation.
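As an added defender-side example (not code from Manager.io or from the advisory), the following Python shows the kind of outbound-request validation a proxy handler needs to close the chain described above: every destination, including each redirect hop, is resolved and checked against loopback, private and link-local ranges (the last of which contains the 169.254.169.254 metadata endpoint), and the request method is preserved across redirects instead of being downgraded to GET. The hostnames, addresses and in-memory transport are constructed for this example and stand in for real DNS and HTTP.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Ranges a server-side fetcher must never reach on behalf of a client.
# 169.254.0.0/16 covers the cloud metadata endpoint 169.254.169.254.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
    )
]
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def is_blocked_ip(ip_str: str) -> bool:
    """True if the IP literal lies in a loopback/private/link-local/metadata range."""
    ip = ipaddress.ip_address(ip_str)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is checked in its IPv4 form as well
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Decide whether the proxy may fetch `url`: scheme allowed, host present,
    and every address the host resolves to must be outside BLOCKED_NETWORKS."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def safe_proxy_fetch(url, transport, resolver=default_resolver, method="POST", body=b""):
    """Fetch `url` through `transport`, re-validating every redirect hop and
    re-sending the original method (no POST-to-GET downgrade).
    Returns (status, body, hops) or raises PermissionError."""
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_outbound_url(url, resolver)
        if not ok:
            raise PermissionError(f"refusing {url}: {reason}")
        hops.append(url)
        status, headers, resp_body = transport(method, url, body)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # next hop is validated on the next loop
            continue
        return status, resp_body, hops
    raise PermissionError("too many redirects")


# Constructed in-memory "network" for the example: one public host whose /hook
# answers with a redirect toward the metadata endpoint, as the advisory describes.
FAKE_NET = {
    "https://invoices.example.com/ok": (200, {}, b"public resource"),
    "https://invoices.example.com/hook": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"must never be returned"),
}
FAKE_DNS = {"invoices.example.com": ["203.0.113.10"], "localhost": ["127.0.0.1"]}


def fake_transport(method, url, body):
    return FAKE_NET.get(url, (404, {}, b""))


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def demo() -> dict:
    results = {}
    for target in ("https://invoices.example.com/ok", "https://invoices.example.com/hook",
                   "http://localhost:80/admin", "http://[::ffff:127.0.0.1]/"):
        try:
            status, resp, hops = safe_proxy_fetch(target, fake_transport, fake_resolver)
            results[target] = f"{status} {resp.decode()} via {len(hops)} hop(s)"
        except PermissionError as exc:
            results[target] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a real implementation has to handle beyond this sketch: the fetcher should connect to the address it validated rather than letting the HTTP client resolve the name a second time (otherwise a DNS answer that changes between check and connect defeats the check), and any redirect the client library follows on its own, rather than through `safe_proxy_fetch`, is an unvalidated hop.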