CyberHappenings logo
☰

Docker Desktop SSRF vulnerability allows host system access

First reported
Last updated
πŸ“° 3 unique sources, 3 articles

Summary

Hide β–²

A critical server-side request forgery (SSRF) vulnerability (CVE-2025-9074) in Docker Desktop for Windows and macOS allows attackers to compromise the host system by running malicious containers. The flaw bypasses Enhanced Container Isolation (ECI) protections, enabling unauthorized access to user files. The vulnerability was discovered by Felix Boulet and confirmed by Philippe Dugre. Docker has released a patch in version 4.44.3. The vulnerability allows attackers to access the Docker Engine API without authentication from within any running container. This can lead to the creation and execution of additional containers, potentially exposing sensitive data on the host system. The impact is more severe on Windows due to the lack of certain macOS safeguards. The flaw can also be exploited via a server-side request forgery (SSRF) flaw, allowing an attacker to proxy requests through the vulnerable application and reach the Docker socket. The vulnerability allows attackers to mount the host’s file system and modify it to escalate privileges to those of an administrator. The flaw can be triggered regardless of whether Enhanced Container Isolation (ECI) is enabled. The Docker Engine socket, which is the management API for Docker, should not be exposed to untrusted code or users, as it grants full access to everything the Docker application can do. On Windows, an attacker could exploit the flaw to mount the host’s file system and overwrite a system DLL to obtain administrative privileges on the host. On macOS, the Docker Desktop application still has a layer of isolation, and trying to mount a user directory prompts the user for permission. By default, the Docker application does not have access to the rest of the filesystem and does not run with administrative privileges. The vulnerability is easy to exploit, although it requires that the Docker engine runs on Windows or macOS and that the attacker has access to the socket. The attacker can use a malicious container to mount the attack or rely on a server-side request forgery (SSRF) attack, proxying requests through a vulnerable application.

Timeline

  1. 25.08.2025 18:11 πŸ“° 3 articles

    Docker Desktop SSRF vulnerability disclosed and patched

    A critical server-side request forgery (SSRF) vulnerability (CVE-2025-9074) in Docker Desktop for Windows and macOS was discovered by Felix Boulet. The flaw allows attackers to compromise the host system by running malicious containers, bypassing Enhanced Container Isolation (ECI) protections. Docker has released version 4.44.3 to address the vulnerability. The vulnerability can be exploited via a server-side request forgery (SSRF) flaw, allowing an attacker to proxy requests through the vulnerable application and reach the Docker socket. The Docker Engine API is accessible from any container without authentication. A proof-of-concept exploit involves binding the host C:\ drive to a container folder, enabling full compromise of the host. The impact is more severe on Windows due to the lack of certain macOS safeguards. The Linux version of Docker Desktop is not affected due to its use of a named pipe instead of a TCP socket for the Docker Engine API. The vulnerability allows attackers to mount the host’s file system and modify it to escalate privileges to those of an administrator. The flaw can be triggered regardless of whether Enhanced Container Isolation (ECI) is enabled. The Docker Engine socket, which is the management API for Docker, should not be exposed to untrusted code or users, as it grants full access to everything the Docker application can do. On Windows, an attacker could exploit the flaw to mount the host’s file system and overwrite a system DLL to obtain administrative privileges on the host. On macOS, the Docker Desktop application still has a layer of isolation, and trying to mount a user directory prompts the user for permission. By default, the Docker application does not have access to the rest of the filesystem and does not run with administrative privileges. The vulnerability is easy to exploit, although it requires that the Docker engine runs on Windows or macOS and that the attacker has access to the socket. The attacker can use a malicious container to mount the attack or rely on a server-side request forgery (SSRF) attack, proxying requests through a vulnerable application.

    Show sources

Information Snippets

Similar Happenings

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker API’s port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host’s utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.

CISA Adds Citrix and Git Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities affecting Citrix Session Recording and Git to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities are actively exploited in the wild. The flaws include improper privilege management, deserialization of untrusted data, and link following vulnerabilities. The affected products have patches available. Federal agencies must apply mitigations by September 15, 2025. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, and CVE-2025-48384. The first two affect Citrix Session Recording, while the third impacts Git. The Citrix vulnerabilities allow for privilege escalation and limited remote code execution. The Git vulnerability enables arbitrary code execution. The Git flaw affects macOS and Linux systems, not Windows. The flaw in Git arises from inconsistent handling of carriage return (CR) characters in configuration files, leading to arbitrary code execution.

Critical Privilege Escalation and RCE Flaws Patched in Zoom and Xerox Products

Zoom and Xerox have released critical security updates to address vulnerabilities in their products. Zoom patched a privilege escalation flaw in Zoom Clients for Windows, while Xerox fixed multiple vulnerabilities in FreeFlow Core, including remote code execution (RCE) flaws. These updates address significant security risks that could allow unauthenticated users to execute arbitrary commands or escalate privileges. The vulnerabilities affect various versions of Zoom Workplace, Zoom Rooms, and Zoom Meeting SDK for Windows, as well as Xerox FreeFlow Core. The Zoom vulnerability, CVE-2025-49457, is an untrusted search path issue that could enable privilege escalation. The Xerox vulnerabilities include an XML External Entity (XXE) injection leading to server-side request forgery (SSRF) and a path traversal vulnerability leading to RCE. These flaws could allow attackers to execute arbitrary commands, steal sensitive data, or move laterally within a corporate network.

FortiSIEM OS Command Injection Vulnerability Exploited in the Wild

Fortinet has disclosed a critical OS command injection vulnerability (CVE-2025-25256) in FortiSIEM, with a CVSS score of 9.8. The flaw allows unauthenticated attackers to execute unauthorized code via crafted CLI requests. Exploit code for this vulnerability is actively being used in the wild. Affected versions include FortiSIEM 5.4 through 7.3.1, with specific upgrade paths recommended for mitigation. The vulnerability is linked to the phMonitor process, which listens on port 7900. It stems from inadequate sanitization of user inputs, allowing command injection through specially crafted XML payloads. Fortinet advises limiting access to port 7900 as a workaround. The disclosure follows a spike in brute-force traffic targeting Fortinet SSL VPN devices and FortiManager, with probes originating from multiple countries. Previous surges in similar activity were strongly correlated with vulnerability disclosures within six weeks.

Multiple vulnerabilities in CyberArk and HashiCorp Vaults enable remote takeover

Cybersecurity researchers discovered 14 vulnerabilities in CyberArk and HashiCorp products that allow remote attackers to bypass authentication, escalate privileges, and execute arbitrary code. These flaws, collectively named Vault Fault, affect CyberArk Secrets Manager, Self-Hosted, Conjur Open Source, and HashiCorp Vault. The vulnerabilities enable attackers to extract enterprise secrets and tokens without valid credentials. The vulnerabilities were disclosed in May 2025 and have since been patched in the latest versions of the affected products. The most severe issues allow for remote code execution and root token theft. The flaws include authentication bypasses, impersonation, privilege escalation bugs, and code execution pathways. Attackers can exploit these vulnerabilities to take over the vault and turn security features into ransomware vectors.