Docker Desktop SSRF host-compromise flaw (CVE-2025-9074)
Vulnerability
Summary
CVE-2025-9074 affects Docker Desktop for Windows and macOS and lets a malicious container reach the Docker Engine API, compromise the host, and potentially access user files even with Enhanced Container Isolation (ECI) enabled. The flaw is a server-side request forgery (SSRF) rated 9.3 critical and is exploitable from inside a running container without mounting the Docker socket. Docker has already addressed the issue in Docker Desktop 4.44.3.
Related Happenings
Docker expands Hardened Images catalog access with near-zero-CVE subscriptions
Security Tool/Service
First: 08.10.2025 01:09
Last: 08.10.2025 01:09
Sources 1
About this happening:
Docker expanded **Hardened Images** access with a **30-day free trial** and subscription use for all users, making secure container images more accessible to **startups and SMBs**...
Exposed Docker API malware botnet-building tooling
Malware Activity
First: 09.09.2025 22:16
Last: 09.09.2025 22:16
Sources 1
About this happening:
Updated **malware** targeting **exposed Docker APIs** now **self-replicates**, establishes **persistent SSH access**, and **blocks port 2375**, raising the risk of a durable botne...
Exposed Docker API XMRig miner dropper
Malware Activity
First: 09.09.2025 17:01
Last: 09.09.2025 17:01
Sources 1
About this happening:
A **binary dropper** carrying **XMRig** was deployed through **exposed Docker APIs**, turning compromised containers into cryptocurrency-mining infrastructure and increasing the r...
TOR-based cryptojacking campaign targeting exposed Docker APIs
Campaign
First: 09.09.2025 13:02
Last: 09.09.2025 13:02
Sources 1
About this happening:
A **TOR-based cryptojacking campaign** is abusing **misconfigured Docker APIs** to launch containers, drop a downloader/miner chain, and spread to additional exposed hosts. The op...
Latest development: 09.09.2025 22:16
Akamai warned on September 8, 2025 that a new exposed-Docker-API campaign variation blocks external access to compromised Docker APIs and appears to be an initial version of a complex botnet. The tooling downloads system-linux-ARCH.zst over Tor, decompresses it to /tmp/system, persists access by appending an attacker key to /root/.ssh/authorized_keys, and installs masscan, zstd, libpcap, and torsocks for scanning, propagation, and evasion. The payload also contains dormant logic for Telnet exploitation using default router credentials and interaction with Chrome’s remote debugging interface.
Timeline
- 25.08.2025 18:11 · 2 articles · 9mo ago
Docker Desktop CVE-2025-9074 disclosure and remediation
Initial Disclosure
A critical SSRF in Docker Desktop for Windows and macOS, tracked as CVE-2025-9074 and rated 9.3, was disclosed as allowing a malicious container to reach the Docker Engine API at http://192.168.65.7:2375/, launch additional containers, and potentially access host files even with Enhanced Container Isolation (ECI) enabled. Felix Boulet demonstrated the issue with a proof-of-concept that used two wget HTTP POST requests and did not require code execution inside the container, while Philippe Dugre confirmed Windows and macOS impact and noted Linux was not affected. Docker responded quickly and released Docker Desktop 4.44.3 as the fix.
Sources:
- Critical Docker Desktop flaw lets attackers hijack Windows hosts — www.bleepingcomputer.com — 25.08.2025 18:11
- Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 — thehackernews.com — 25.08.2025 20:53
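An added defender's check for the condition described above (not code from the page, from Docker, or from the researchers): it compares an installed Docker Desktop version string against the fixed release 4.44.3 and, when run from inside a container on Docker Desktop, reports whether the engine API address named in the disclosure answers at all. The version-string formats and the build number in the examples are assumptions.

```python
"""Posture check for CVE-2025-9074 (added example; not the page's or Docker's code).

A container that can reach the Docker Engine API is the condition the flaw
depends on, so the probe below should report False on a patched install.
"""
import socket
import urllib.error
import urllib.request

FIXED_VERSION = (4, 44, 3)                 # Docker Desktop release carrying the fix
ENGINE_API = "http://192.168.65.7:2375/"  # address named in the disclosure


def parse_version(text: str) -> tuple:
    """Extract the first dotted numeric token, e.g. '4.44.2' from
    'Docker Desktop 4.44.2 (203496)' (input format is an assumption)."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no dotted version found in {text!r}")


def is_vulnerable_version(text: str) -> bool:
    """True when the installed Docker Desktop predates 4.44.3."""
    version = parse_version(text)
    version = version + (0,) * (3 - len(version))  # '4.44' compares as 4.44.0
    return version < FIXED_VERSION


def engine_api_reachable(base_url: str = ENGINE_API, timeout: float = 2.0) -> bool:
    """Return True if anything answers GET /version at the engine API address.

    Any HTTP response, even an error status, means the API socket is exposed
    to this container; connection failures and timeouts mean it is not.
    """
    try:
        with urllib.request.urlopen(base_url + "version", timeout=timeout) as resp:
            return 200 <= resp.status < 600
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


if __name__ == "__main__":
    print("vulnerable version (4.44.2)?", is_vulnerable_version("4.44.2"))
    print("engine API reachable from here?", engine_api_reachable())
```

Run the script inside a container on the Docker Desktop install under review; a patched 4.44.3 or later install should print False for the reachability line.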