Docker Fixes CVE-2025-9074 Critical Container Escape Vulnerability
- November 21, 2025
- Posted by: Chernor Jalloh
THREAT OVERVIEW
Docker has released a critical security update addressing CVE-2025-9074 (severity: Critical, CVSS 9.3), a container escape vulnerability in Docker Desktop. The flaw allows a malicious container to reach the Docker Engine API without authentication, enabling an attacker to break out of the container and gain unauthorized access to the host system.
TECHNICAL DETAILS
• The vulnerability arises from unauthenticated access to the Docker Engine API, which is reachable from containers at 192.168.65.7:2375.
• Exploitation allows an attacker to:
o Mount the host C:\ drive (Windows) into a container.
o Access, read, or overwrite sensitive files on the host.
o Escalate privileges to administrator on Windows hosts.
• Proof-of-concept exploit:
o Send a POST /containers/create request with the host drive mounted.
o Send POST /containers/{id}/start to launch the container.
• On macOS, isolation is stronger, but an attacker can still backdoor the Docker configuration and maintain persistence.
• Linux is not affected (it uses a named pipe rather than a TCP socket).
• Attack vectors:
o Malicious container image (most likely).
o SSRF exploitation in applications exposing Docker APIs.
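The following check, added here as an example and not taken from the advisory or from Docker, tests from inside a container whether the Engine API answers an unauthenticated GET /_ping at the address the advisory names (192.168.65.7:2375). The request is read-only; on a patched Docker Desktop it should be refused or time out. The result type, the default timeout and the verdict strings are the example's own.

```python
"""Check whether the Docker Engine API answers unauthenticated requests from
inside a container.  Added example, not code from the advisory or from Docker:
the address and port come from the advisory, everything else is an assumption."""
import urllib.error
import urllib.request
from dataclasses import dataclass

# Engine API address as seen from a container, per the advisory.
ADVISORY_ENDPOINT = "http://192.168.65.7:2375"


@dataclass
class ProbeResult:
    endpoint: str
    reachable: bool        # something answered HTTP at all
    unauthenticated: bool  # /_ping returned 200 "OK" with no credentials
    detail: str


def probe_engine_api(endpoint: str = ADVISORY_ENDPOINT, timeout: float = 2.0) -> ProbeResult:
    """GET /_ping with no credentials.  A 200 'OK' means the daemon is exposed."""
    url = endpoint.rstrip("/") + "/_ping"
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "engine-api-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(64).decode(errors="replace").strip()
            return ProbeResult(endpoint, True, resp.status == 200 and body == "OK",
                               f"HTTP {resp.status}: {body!r}")
    except urllib.error.HTTPError as e:
        # An HTTP answer that refused us (401/403/404): reachable, but not open.
        return ProbeResult(endpoint, True, False, f"HTTP {e.code}")
    except (urllib.error.URLError, OSError) as e:
        # Connection refused, unroutable address, or timeout.
        return ProbeResult(endpoint, False, False, f"no answer: {e}")


def verdict(result: ProbeResult) -> str:
    """Turn the probe into a one-line operator verdict."""
    if result.unauthenticated:
        return ("EXPOSED: Engine API accepts unauthenticated requests from this "
                "container; update Docker Desktop to 4.44.3 or later")
    if result.reachable:
        return "REACHABLE but not open: review why the API is on the container network"
    return "NOT REACHABLE: expected state on a patched Docker Desktop"


if __name__ == "__main__":
    r = probe_engine_api()
    print(r.detail)
    print(verdict(r))
```

Run it inside any container on the Docker Desktop host; an EXPOSED verdict means the host is still vulnerable and the update in the mitigation section should be applied before anything else.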
IMPACT
• Windows hosts: High risk of full system compromise.
• macOS hosts: Risk of Docker compromise and persistence.
• Linux hosts: Not affected.
MITIGATION & RECOMMENDATION
1. Update immediately to Docker Desktop v4.44.3 or later.
2. Restrict use of untrusted or third-party container images.
3. Review and monitor access to Docker APIs.
4. Apply strict network policies to prevent SSRF exploitation.
5. Regularly audit containers for suspicious activities.
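The audit below is an added example for steps 1 and 5, not code from the advisory or from Docker. It parses `docker inspect` output (the JSON from `docker inspect $(docker ps -aq)`) for containers that bind-mount an entire host drive, which is the trace left by the exploitation path described under TECHNICAL DETAILS, and checks a Docker Desktop version string against the fixed release 4.44.3. The sample inspect JSON is constructed; the Desktop-specific mount source prefixes (/host_mnt/..., /run/desktop/mnt/host/...) and the "Server: Docker Desktop x.y.z" line format are assumptions.

```python
"""Audit `docker inspect` output for containers that bind-mount an entire host
drive, and check a Docker Desktop version string against the fixed release.
Added example, not code from the advisory or from Docker.  The sample JSON is
constructed; the Desktop mount-source prefixes are assumptions."""
from __future__ import annotations

import json
import re
import sys
from typing import Iterable

FIXED_VERSION = (4, 44, 3)  # Docker Desktop release named by the advisory

# Mount sources that hand a container a whole host drive.  The drive-root form
# ("C:\") comes from the advisory; "/host_mnt/c" and "/run/desktop/mnt/host/c"
# are assumptions about how Docker Desktop surfaces Windows drives inside its
# Linux VM, and "/" covers a macOS or Linux filesystem root.
_ROOT_PATTERNS = [
    re.compile(r"^[A-Za-z]:\\?$"),
    re.compile(r"^/$"),
    re.compile(r"^/host_mnt/[A-Za-z]/?$"),
    re.compile(r"^/run/desktop/mnt/host/[A-Za-z]/?$"),
]

# HostConfig.Binds entries look like "src:dst[:opts]".  A Windows src itself
# contains a colon ("C:\"), so the drive-letter form is tried first.
_BIND_RE = re.compile(r"^(?P<src>[A-Za-z]:\\[^:]*|[^:]+):(?P<dst>[^:]+)")


def is_host_root(source: str) -> bool:
    """True when the mount source is a whole host drive or filesystem root."""
    return any(p.match(source) for p in _ROOT_PATTERNS)


def find_host_root_mounts(inspect_output: Iterable[dict]) -> list[dict]:
    """One finding per (container, source, destination) that mounts a host root.

    Both the raw HostConfig.Binds strings and the normalised Mounts list are
    read and de-duplicated, since Docker reports the same mount in both.
    """
    findings = []
    for c in inspect_output:
        name = c.get("Name", "").lstrip("/") or c.get("Id", "")[:12]
        hits = set()
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and is_host_root(m.get("Source", "")):
                hits.add((m["Source"], m.get("Destination", "")))
        for bind in (c.get("HostConfig") or {}).get("Binds") or []:
            match = _BIND_RE.match(bind)
            if match and is_host_root(match["src"]):
                hits.add((match["src"], match["dst"]))
        for src, dst in sorted(hits):
            findings.append({"container": name, "source": src, "destination": dst})
    return findings


def parse_desktop_version(version_text: str) -> tuple[int, int, int]:
    """Extract x.y.z from a line such as 'Server: Docker Desktop 4.44.3 (203000)'
    (assumed shape of the server header printed by `docker version` on Desktop)."""
    m = re.search(r"Docker Desktop (\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no Docker Desktop version found in input")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def desktop_is_patched(version_text: str) -> bool:
    """True once the installed Docker Desktop is 4.44.3 or later."""
    return parse_desktop_version(version_text) >= FIXED_VERSION


# Constructed sample: one ordinary container and one that mounted C:\ at
# /mnt/host, the shape of container the advisory's exploit path creates.
SAMPLE_INSPECT = json.loads(r'''[
  {"Id": "a1b2c3d4e5f6a1b2c3d4", "Name": "/web",
   "HostConfig": {"Binds": ["webdata:/var/www"]},
   "Mounts": [{"Type": "volume", "Name": "webdata",
               "Source": "/var/lib/docker/volumes/webdata/_data",
               "Destination": "/var/www"}]},
  {"Id": "0f0e0d0c0b0a0f0e0d0c", "Name": "/suspicious",
   "HostConfig": {"Binds": ["C:\\:/mnt/host"]},
   "Mounts": [{"Type": "bind", "Source": "C:\\", "Destination": "/mnt/host"}]}
]''')


if __name__ == "__main__":
    # Usage: python audit.py inspect.json   (falls back to the constructed sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for f in find_host_root_mounts(data):
        print(f"ALERT {f['container']}: host {f['source']} mounted at {f['destination']}")
```

A hit from find_host_root_mounts on a container nobody created deliberately is a strong indicator that the API was abused as described above and warrants incident handling, not just removal of the container; the version check is the quickest way to confirm step 1 has actually landed on every developer workstation.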
CONCLUSION
CVE-2025-9074 highlights the risks of insecure Docker API exposure and the dangers of container breakout attacks. Organizations running Docker Desktop must patch urgently to avoid compromise of host systems, especially on Windows where the risk is most severe.
REFERENCE
o The Hacker News
o Bleeping Computer
o Docker Docs
o SL-CSIRT