On August 20, 2025, Docker released an urgent patch for CVE-2025-9074, a critical Server-Side Request Forgery (SSRF) vulnerability (CVSS 9.3) affecting Docker Desktop for Windows and macOS. The flaw allows a malicious container to access the Docker Engine API via the internal subnet (192.168.65.7:2375), bypassing isolation without requiring the Docker socket to be mounted.
If exploited, attackers can launch arbitrary workloads, steal host data, and in Windows environments escalate privileges to full system compromise. Linux is not impacted due to its reliance on Unix sockets rather than an exposed TCP endpoint.
Key Details
- Vulnerability ID: CVE-2025-9074
- Severity: Critical (CVSS 9.3)
- Attack Vector: Container escape via SSRF to the Docker Engine API.
- Impact:
  - Windows (WSL2 backend): Attackers can mount the full host filesystem, overwrite DLLs, and escalate to administrator.
  - macOS: Sandbox and permissions reduce impact, but attackers can still hijack the Docker application, backdoor configuration files, and control containers.
- Not Mitigated by ECI: Docker confirmed that Enhanced Container Isolation (ECI) does not block this vulnerability.
Affected Versions and Patch
All versions of Docker Desktop for Windows and macOS prior to 4.44.3 are affected.
There are no effective workarounds. Disabling the Docker daemon’s TCP exposure or enabling ECI does not prevent exploitation.
The only reliable remediation is to upgrade immediately to version 4.44.3 or later.
Exploitation Path and Defensive Focus
Security researchers have already demonstrated working exploits. By sending crafted requests to the Docker API, attackers can mount host drives, exfiltrate sensitive data, or, on Windows, overwrite key system files.
This turns a seemingly isolated developer workload into a direct path to host compromise and makes Docker Desktop a high-value pivot point in supply chain and insider attacks.
The attack chain could look something like this:
- Initial foothold
  A malicious container is executed (via a poisoned Docker Hub image, CI/CD injection, or insider action).
  Defensive focus: Enforce trusted image sources and scan containers before they run.
- Reach the Docker Engine API
  From inside the container, the attacker sends HTTP requests to 192.168.65.7:2375.
  Defensive focus: After patching, block or alert on any container traffic to 192.168.65.7:2375. Add host firewall rules on the Docker/WSL interface and baseline new egress from dev containers.
- Abuse the API to mount the host
  The attacker issues a POST /containers/create to bind host drives into the container.
  Defensive focus: Monitor for unusual broad bind mounts (entire C:\ or /Users) and short-lived container activity.
- Harvest and escalate
  With access to the mounted host, the attacker steals credentials, source code, or in Windows overwrites DLLs to escalate to administrator.
  Defensive focus: Monitor for suspicious file writes in protected paths and unexpected access to credential stores.
- Persistence and pivoting
  The attacker implants backdoors into Docker Desktop or leverages stolen tokens to move into cloud, Git, or CI/CD environments.
  Defensive focus: Audit Docker Desktop configs, detect unauthorized auto-restarting containers, and rotate/monitor developer credentials for abnormal logins.
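The bind-mount monitoring named in the third step, as an added example (not code from Docker or from this advisory's authors): it audits `docker inspect`-style JSON for containers that bind a whole host root. The sample JSON is constructed, and the set of broad roots (/, /Users, /home, any Windows drive root) is an assumed policy that goes slightly beyond the C:\ and /Users cases in the text.

```python
import json
import ntpath
import posixpath
import re

# Assumed policy (not from the advisory): POSIX host roots too broad to bind.
BROAD_ROOTS = {"/", "/users", "/home"}

def bind_source(spec):
    """Host side of a 'source:dest[:opts]' bind string; tolerates the 'C:\\' drive colon."""
    start = 2 if re.match(r"[A-Za-z]:[\\/]", spec) else 0
    end = spec.find(":", start)
    return spec if end == -1 else spec[:end]

def normalize(path):
    """Canonical lower-case form so 'C:/', 'c:\\' and '/Users/' compare equal."""
    if len(path) >= 2 and path[1] == ":":  # Windows drive path
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path).lower()

def is_broad(path):
    """True for an assumed-broad POSIX root or any Windows drive root."""
    p = normalize(path)
    return p in BROAD_ROOTS or re.fullmatch(r"[a-z]:\\", p) is not None

def audit(containers):
    """Sorted (container, host_path) pairs for bind mounts exposing a broad root."""
    hits = set()
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        sources = [bind_source(b) for b in host_cfg.get("Binds") or []]
        sources += [m.get("Source", "") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"]
        hits.update((name, s) for s in sources if is_broad(s))
    return sorted(hits)

# Constructed sample in the shape of `docker inspect` output.
SAMPLE = json.loads(r'''[
 {"Name": "/build-cache", "HostConfig": {"Binds": ["/Users/dev/project:/src:ro"]},
  "Mounts": [{"Type": "bind", "Source": "/Users/dev/project", "Destination": "/src"}]},
 {"Name": "/tmp-job", "HostConfig": {"Binds": ["C:\\:/host"]}, "Mounts": []},
 {"Name": "/helper", "HostConfig": {"Binds": null},
  "Mounts": [{"Type": "bind", "Source": "/Users/", "Destination": "/mnt"},
             {"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data", "Destination": "/data"}]}
]''')

if __name__ == "__main__":
    for name, path in audit(SAMPLE):
        print(f"ALERT container={name} binds broad host path {path!r}")
```

Extend `BROAD_ROOTS` with whatever host paths your environment treats as off-limits, and feed `audit` the parsed output of `docker inspect` for running and recently exited containers.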
Stay Safe. Stay Secure.
OP Innovate Research Team