CyberHappenings logo
☰

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Critical SSRF vulnerability in Docker Desktop for Windows and macOS

First reported
Last updated
πŸ“° 3 unique sources, 6 articles

Summary

Hide β–²

A critical server-side request forgery (SSRF) vulnerability in Docker Desktop for Windows and macOS allows attackers to hijack the host system by running malicious containers. The flaw, identified as CVE-2025-9074, has a severity rating of 9.3. It enables unauthorized access to user files on the host system, even with Enhanced Container Isolation (ECI) enabled. The vulnerability was discovered by security researcher Felix Boulet, who demonstrated a proof-of-concept exploit that does not require code execution rights inside the container. The flaw affects Docker Desktop on Windows and macOS but not the Linux version. Docker released a patch in version 4.44.3. The exploit can be triggered by a web request from any container to the Docker Engine API at 192.168.65.7:2375 without authentication. The exploit involves posting a JSON payload to /containers/create to bind the host C:\ drive to a folder in the container and using a startup command to access host files. The exploit can be initiated by posting to /containers/{id}/start to launch the container and start the execution. The vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, enabling various HTTP request methods depending on the SSRF flaw. The article further elaborates on the differences in impact between the Windows and macOS versions of Docker Desktop, noting that macOS has additional safeguards that mitigate the risk compared to Windows. The vulnerability allows attackers to control containers, mount the host’s file system, and escalate privileges to those of an administrator. On Windows, an attacker could exploit the flaw to mount the host’s file system and overwrite a system DLL to obtain administrative privileges on the host. The macOS version of the application can be exploited to take full control of other containers, or to backdoor the Docker app by mounting and modifying its configuration. A variant of a recently disclosed campaign abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. The attack chain involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. The threat actors run a Base64-encoded payload to download a shell script downloader from a .onion domain. The shell script alters SSH configurations to set up persistence and installs tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks. The dropper launches Masscan to scan the internet for open Docker API services at port 2375 and propagate the infection. The binary includes checks for ports 23 (Telnet) and 9222 (remote debugging port for Chromium browsers) for potential future exploitation. The malware utilizes a Go library named chromedp to interact with the web browser and siphon cookies and other private data. The malware transmits details to an endpoint named "httpbot/add," indicating potential botnet activity. The attackers also block external access to the exposed Docker API by writing a command in the crontab file to create a cron job that executes every minute. The attackers deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The attackers' scripts scan for two additional open ports, namely 23 (Telnet) and 9222 (remote debugging for Chromium browsers). The attackers use a modified Alpine Linux image that includes a base64-encoded shell command to execute the payload. The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem. The docker-init.sh script writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.

Timeline

  1. 09.09.2025 17:01 πŸ“° 2 articles Β· ⏱ 7d ago

    Threat actors block external access to exposed Docker APIs

    The attackers use a modified Alpine Linux image that includes a base64-encoded shell command to execute the payload. The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem. The docker-init.sh script writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.

    Show sources
  2. 09.09.2025 13:02 πŸ“° 2 articles Β· ⏱ 7d ago

    TOR-based cryptojacking campaign exploits Docker SSRF vulnerability

    The attackers use a modified Alpine Linux image that includes a base64-encoded shell command to execute the payload. The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem. The docker-init.sh script writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.

    Show sources
  3. 25.08.2025 18:11 πŸ“° 6 articles Β· ⏱ 22d ago

    Critical SSRF vulnerability in Docker Desktop for Windows and macOS disclosed

    The attackers use a modified Alpine Linux image that includes a base64-encoded shell command to execute the payload. The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem. The docker-init.sh script writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.

    Show sources

Information Snippets

Similar Happenings

Critical SAP NetWeaver vulnerabilities patched, including remote code execution flaw

SAP has fixed 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944, is an insecure deserialization flaw allowing unauthenticated remote code execution. The second critical flaw, CVE-2025-42922, enables arbitrary file uploads by authenticated users. The third, CVE-2025-42958, allows unauthorized access to sensitive data and administrative functions. The vulnerabilities affect various SAP products, including ERP, CRM, SRM, and SCM, which are widely used in large enterprise networks. The flaws could lead to full system compromise and unauthorized data manipulation. SAP products are frequently targeted by threat actors due to their handling of mission-critical data. A high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) could allow an attacker with high privilege access to delete the content of arbitrary database tables. A critical security defect in SAP S/4HANA (CVE-2025-42957) has come under active exploitation in the wild.

Ransomware Actor Linked to Play, RansomHub, and DragonForce Operations

A threat actor linked to multiple ransomware-as-a-service (RaaS) operations executed a sophisticated intrusion in September 2024. The attack began with a malicious file disguised as DeskSoft’s EarthTime application, deploying SectopRAT malware. The actor used various tools and techniques to gain persistence, escalate privileges, and exfiltrate data, ultimately preparing for ransomware deployment. The actor's toolset links them to Play, RansomHub, and DragonForce ransomware operations. The attack involved creating a new local admin account, deploying SystemBC, and using legitimate tools like PsExec and AdFind for discovery and privilege escalation. The actor also deployed Betruger, a versatile backdoor, and used multiple evasion techniques to avoid detection. The final stage involved archiving and exfiltrating data via FTP, though no ransomware was executed.

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

GhostAction GitHub supply chain attack compromises 3,325 secrets

A supply chain attack, dubbed GhostAction, compromised 3,325 secrets from GitHub repositories. The attack targeted maintainer accounts to inject malicious GitHub Actions workflows, exfiltrating secrets to an external domain. The campaign affected 817 repositories and multiple package ecosystems, including PyPI, npm, DockerHub, and AWS. The first signs of compromise were detected on September 2, 2025, with the full scope revealed on September 5, 2025. The exfiltration endpoint was taken down shortly after the campaign's discovery. The attack may lead to malicious package releases if compromised secrets are not revoked.

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.