✅ Report Title: Docker Desktop Vulnerability: CVE-2025-9074
✅ Executive Summary:
- On August 20, 2025, a vulnerability in Docker Desktop, tracked as CVE-2025-9074, was urgently patched.
- The vulnerability affects product versions earlier than 4.44.3 on both Windows and macOS.
- On August 20, 2025, the issue was published as CRITICAL with a CVSS 4.0 score of 9.3 and a patch was released.
📌 What caused the vulnerability?
- The vulnerability is a container escape that arises because the Docker Engine API is reachable from inside a container without any authentication.
- An exploit payload sends requests to the Docker Engine API endpoints /containers/create and /containers/{id}/start including a bind mount configuration for a specific directory.
- If a top-level directory is mounted, the attacker can obtain access rights to all system files.
📌 What is the attack scenario?
- An attacker can directly access the Docker Engine API from inside a container and exploit the vulnerability.
- The API endpoint is exposed by default at http://192.168.65.7:2375 and accepts requests without authentication.
- Exploitation can occur both by executing malicious code inside the container and indirectly through an internal web application with an SSRF vulnerability.
- The SSRF attack path extends the attack surface by enabling exploitation even if the attacker lacks direct code execution inside the container.
- Potential impact on successful exploitation includes:
  - Unauthorized access to and manipulation of the host file system.
  - On Windows, overwriting or modifying system DLLs to achieve privilege escalation.
  - On macOS, while direct host privilege escalation is less likely, attackers can control Docker Desktop or modify Docker configuration files to install a persistent backdoor.
  - Full control of the Docker environment, including control of existing containers, creation of new containers, and image management.
✅ Recommended Threat Detection and Mitigation Actions:
- Although no confirmed exploitation cases have been observed, the vulnerability poses a risk to host systems and users should be advised to perform threat detection activities.
- Update threat detection rules and maintain continuous monitoring. Apply the latest patch as soon as possible.
- Install the security update for Docker Desktop:
  - Upgrade to version 4.44.3 or later.
- If patching is not immediately possible, implement the following mitigations:
  - Detect abnormal TCP connection attempts to 192.168.65.7:2375.
  - Detect mounts that include host directories or unusual bind options.
  - Monitor for anomalous file access, such as unauthorized system file modifications.
  - Avoid use of the --privileged option.
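The following script is an added example, not part of the S2W report and not Docker's own tooling. It turns the three detection points above (connections to 192.168.65.7:2375, bind mounts of host top-level directories, and --privileged containers) plus the version boundary from the executive summary into checks a defender can run against data they already have. The `HostConfig.Binds` and `HostConfig.Privileged` fields are real `docker inspect` output; the flow-record line format, the container records and the "depth <= 1 means top-level host path" heuristic are constructed assumptions for this example.

```python
"""Added triage helpers for CVE-2025-9074 (example code, not from the S2W report).

Checks:
  1. is_affected_version():        is a Docker Desktop build older than the fixed 4.44.3?
  2. flag_risky_host_config():     does a container's HostConfig (shape of `docker inspect`)
                                   bind-mount a host root/top-level directory or run privileged?
  3. find_api_connections():       which flow records show traffic to 192.168.65.7:2375?
All sample inputs are constructed for this example.
"""
import json
import re

FIXED_VERSION = (4, 44, 3)        # first patched Docker Desktop release named in the advisory
ENGINE_API_HOST = "192.168.65.7"  # default unauthenticated Engine API endpoint from the advisory
ENGINE_API_PORT = 2375


def parse_version(text):
    """Turn '4.44.2' (optionally followed by a build tag) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker Desktop version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the Docker Desktop version is below 4.44.3 (the advisory's fix boundary)."""
    return parse_version(version) < FIXED_VERSION


def split_bind(entry):
    """Split a Binds entry 'src:dst[:opts]' into (src, dst, opts), tolerating 'C:\\...' sources."""
    if re.match(r"^[A-Za-z]:[\\/]", entry):       # Windows drive-letter source
        drive, rest = entry[:2], entry[2:]
        parts = rest.split(":")
        parts[0] = drive + parts[0]
    else:
        parts = entry.split(":")
    parts += [""] * (3 - len(parts))              # pad so dst/opts are always present
    return parts[0], parts[1], parts[2]


def host_path_depth(src):
    """0 for a filesystem root ('/', 'C:\\'), 1 for a top-level dir ('/etc', 'C:\\Windows'), ..."""
    s = src.replace("\\", "/")
    if re.match(r"^[A-Za-z]:", s):
        s = s[2:]
    return len([p for p in s.split("/") if p])


def flag_risky_host_config(container):
    """Findings for one `docker inspect` record (dict) matching the advisory's mitigations."""
    findings = []
    name = container.get("Name", "?")
    host_cfg = container.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: runs with --privileged")
    for entry in host_cfg.get("Binds") or []:
        src, dst, opts = split_bind(entry)
        if not (src.startswith("/") or re.match(r"^[A-Za-z]:", src)):
            continue                              # named volume, not a host path
        if host_path_depth(src) <= 1:             # heuristic: root or a top-level host directory
            findings.append(f"{name}: bind-mounts host top-level path {src!r} at {dst!r} ({opts or 'rw'})")
    return findings


def triage_inspect_output(json_text):
    """Run flag_risky_host_config over the JSON list printed by `docker inspect <ids>`."""
    return [f for c in json.loads(json_text) for f in flag_risky_host_config(c)]


# Constructed flow-record format: "<ts> conn src=<ip:port> dst=<ip>:<port> proto=<p>"
CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dhost>[\d.]+):(?P<dport>\d+)")


def find_api_connections(lines):
    """Return (source, line) pairs for records whose destination is the Engine API endpoint."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group("dhost") == ENGINE_API_HOST and int(m.group("dport")) == ENGINE_API_PORT:
            hits.append((m.group("src"), line.strip()))
    return hits


SAMPLE_CONTAINERS = [  # constructed, shaped like `docker inspect` output
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["/:/host", "appdata:/data"]}},
    {"Name": "/ci-runner", "HostConfig": {"Privileged": True, "Binds": ["/home/alice/project:/app"]}},
    {"Name": "/winapp", "HostConfig": {"Privileged": False, "Binds": ["C:\\Windows:/win:ro"]}},
    {"Name": "/db", "HostConfig": {"Privileged": False, "Binds": None}},
]
SAMPLE_CONN_LOG = [  # constructed flow records
    "2025-08-21T09:58:02Z conn src=172.17.0.3:51422 dst=192.168.65.7:2375 proto=tcp",
    "2025-08-21T09:58:05Z conn src=172.17.0.3:51430 dst=203.0.113.10:443 proto=tcp",
    "2025-08-21T09:59:41Z conn src=172.17.0.5:40012 dst=192.168.65.7:2375 proto=tcp",
    "2025-08-21T10:00:00Z conn src=172.17.0.2:33000 dst=192.168.65.7:53 proto=udp",
]

if __name__ == "__main__":
    for v in ("4.44.2", "4.44.3"):
        print(f"Docker Desktop {v}: {'AFFECTED' if is_affected_version(v) else 'patched'}")
    for finding in triage_inspect_output(json.dumps(SAMPLE_CONTAINERS)):
        print("config:", finding)
    for src, line in find_api_connections(SAMPLE_CONN_LOG):
        print("network:", src, "->", line)
```

In practice the container records come from `docker inspect $(docker ps -q)` and the flow records from whatever network telemetry the host already exports; both the record format and the depth heuristic should be adapted to the local environment. A hit from `find_api_connections` is only a lead, since legitimate tooling may also talk to the Engine API.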
🧑‍💻 Report Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request and for QUAXAR subscribers.