Critical Docker Desktop Vulnerability (CVE-2025-9074) Enables Host Access and Container Takeover
August 27th, 2025
Critical

Our Cyber Threat Intelligence team has been monitoring a critical vulnerability (CVE-2025-9074, CVSS score of 9.3) in Docker Desktop for Windows and macOS. It allows a malicious container to reach the Docker Engine HTTP API on the Desktop VM (default 192.168.65.7:2375) without authentication, enabling full container control and, in some cases, access to host files. CVE-2025-9074 impacts Docker Desktop on both Windows and macOS; on Windows the risk is more severe because the vulnerability can expose the host file system. Even with Enhanced Container Isolation (ECI) enabled, this vulnerability remains exploitable. Docker has issued a patch in Docker Desktop version 4.44.3, and all users are encouraged to update to this version immediately.
Technical Details
Severity: Critical (CVSS v4.0: 9.3)
Vulnerability Type: CWE-668 — Exposure of Resource to Wrong Sphere (unauthorized reachability of a privileged local API)
CVE: CVE-2025-9074
Components Affected: Docker Desktop for Windows and macOS (Desktop VM’s Docker Engine HTTP API at http://192.168.65.7:2375). Desktop for Linux is not impacted in the same way.
Attack Chain / Method
Initial Condition: A malicious or compromised local container is running on Docker Desktop (e.g., developer pulls/executes untrusted code). In some scenarios, a workload-internal SSRF can also relay requests to the Engine API.
Exploitation: From inside the container, the attacker sends HTTP requests to the Docker Engine API exposed on the Desktop VM at 192.168.65.7:2375; no socket mount and no authentication are required. This exposure exists regardless of whether Enhanced Container Isolation (ECI) is enabled and regardless of whether the “Expose daemon on tcp://localhost:2375 without TLS” option is selected.
Post Exploitation and Persistence: Windows systems are at higher risk because Docker Desktop uses WSL2, allowing attackers to mount broad host paths and sometimes overwrite system DLLs to gain administrator privileges. macOS prompts restrict direct user-directory mounts, but an attacker controlling the Desktop/Engine environment can still backdoor the app or change its configuration. The attacker can execute the following over the API:
POST /containers/create — create a new container, optionally bind-mounting host paths (e.g., C:\ on Windows).
POST /containers/{id}/start — run it to access files or run follow-on tooling.
Mitigation Status: Fixed in Docker Desktop 4.44.3; vendor notes explicitly that ECI does not mitigate this CVE.

Impact
Unauthorized access to host files (notably on Windows/WSL2), enabling data theft or modification.
Full container lifecycle control: create/start/stop containers, tamper with images, potentially establishing persistence within the Desktop environment.
Operational risk: service disruption from unauthorized container activity (an inferred consequence of the level of control gained, not a separately reported impact).
Detection Method
Monitor access attempts to the Docker Engine API (http://192[.]168[.]65[.]7:2375/).
Look for /containers/create and /containers/{id}/start calls initiated from within containers.
Flag sudden container runs that bind host paths (e.g., C:\ on Windows) or atypical wide host mounts.
Track deviations from regular container activity.
If web apps run inside containers, look for SSRF patterns that relay POST requests to the Engine API.
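The following script is an added illustration of the detection rules listed above; it is not part of the advisory or of Docker's tooling. It assumes that requests reaching the Engine API endpoint 192.168.65.7:2375 have been captured by a proxy or network sensor as one JSON object per line with constructed fields src, dst, method, path, body and response, and that containers originate from the default bridge range 172.17.0.0/16 (both assumptions; adapt to your environment). It flags API calls sourced from the container network, /containers/create requests that bind-mount a whole host drive or root, and the subsequent /containers/{id}/start of such a container.

```python
import json
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Engine API endpoint on the Desktop VM, as named in the advisory.
ENGINE_API = "192.168.65.7:2375"
# Container-side source networks (assumption: default bridge range; adjust to your setup).
CONTAINER_NETS = [ip_network("172.17.0.0/16")]
# Bind sources that expose a whole host drive or filesystem root (constructed list).
WIDE_SRC = re.compile(r"^(?:[A-Za-z]:\\?|/|/mnt/[A-Za-z]|/host_mnt/[A-Za-z])/?:")
CREATE_PATH = re.compile(r"^/(?:v[\d.]+/)?containers/create$")
START_PATH = re.compile(r"^/(?:v[\d.]+/)?containers/([^/]+)/start$")

def wide_binds(body: Dict) -> List[str]:
    """Return the bind-mount specs whose host source is a whole drive or root."""
    binds = (body.get("HostConfig") or {}).get("Binds") or []
    return [b for b in binds if WIDE_SRC.match(b)]

def analyze(log_lines: List[str]) -> List[Dict]:
    """Apply the advisory's detection rules to one constructed JSON record per line."""
    alerts, flagged = [], set()  # flagged: ids of containers created with wide mounts
    for line in log_lines:
        rec = json.loads(line)
        src, path = rec["src"], rec["path"]
        if rec.get("dst") == ENGINE_API and any(ip_address(src) in n for n in CONTAINER_NETS):
            alerts.append({"rule": "engine_api_from_container", "src": src, "path": path})
        if rec["method"] == "POST" and CREATE_PATH.match(path):
            wide = wide_binds(rec.get("body") or {})
            if wide:
                alerts.append({"rule": "wide_host_mount", "src": src, "binds": wide})
                cid = (rec.get("response") or {}).get("Id")  # Engine's create reply carries {"Id": ...}
                if cid:
                    flagged.add(cid)
        m = START_PATH.match(path)
        if rec["method"] == "POST" and m and m.group(1) in flagged:
            alerts.append({"rule": "start_of_wide_mount_container", "src": src, "id": m.group(1)})
    return alerts

# Constructed sample capture: a container creates and starts a container that
# bind-mounts C:\, followed by a benign create from outside the container network.
SAMPLE_LOG = [
    '{"src":"172.17.0.2","dst":"192.168.65.7:2375","method":"GET","path":"/v1.47/containers/json"}',
    r'{"src":"172.17.0.2","dst":"192.168.65.7:2375","method":"POST","path":"/containers/create",'
    r'"body":{"Image":"alpine","HostConfig":{"Binds":["C:\\:/host"]}},"response":{"Id":"abc123"}}',
    '{"src":"172.17.0.2","dst":"192.168.65.7:2375","method":"POST","path":"/containers/abc123/start"}',
    '{"src":"10.0.0.5","dst":"192.168.65.7:2375","method":"POST","path":"/containers/create",'
    '"body":{"Image":"nginx","HostConfig":{"Binds":["/home/dev/site:/usr/share/nginx/html"]}},"response":{"Id":"def456"}}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample it raises five alerts: three for container-sourced API calls, one for the C:\ bind mount, and one for the start of that container; the benign create from 10.0.0.5 raises none.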
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Patch Immediately: Upgrade Docker Desktop to 4.44.3 on Windows/macOS.
Harden Engine API exposure: Ensure the Engine API is not reachable from untrusted contexts; restrict Desktop networks and enforce OS-level firewall policies around the Desktop VM, and disable the “Expose daemon on tcp://localhost:2375 without TLS” option.
Reduce blast radius: Avoid running untrusted containers; apply least-privilege policies for developers using Desktop.
Monitoring: Implement the Detection Method controls; log and alert on Engine API calls from containers and on suspicious host volume mounts.
General hygiene: Keep Docker Desktop and dependencies current; review Desktop settings post-upgrade.
Conclusion
CVE-2025-9074 is a critical, desktop-specific vulnerability that allows a local container to become a control plane for the Docker Engine, enabling container orchestration and potentially granting access to host files. Its ease of exploitation, requiring only a few lines of Python, greatly increases the risk. We urge organizations to upgrade to Docker Desktop 4.44.3, enforce strict access controls on the Docker Engine API, and continuously monitor container activity for irregularities. Proactive patching and vigilant monitoring are essential for mitigating the risks associated with this vulnerability.