Docker has patched a critical hole in Docker Desktop that let a container break out and take control of the host machine with laughable ease.
The bug, tracked as CVE-2025-9074 and scoring 9.3 on the CVSS scale, left Docker’s internal Engine API wide open on 192.168.65.7:2375. Any container could talk to it without authentication, which meant mounting drives and messing with system files was only a couple of HTTP requests away. On Windows, where Docker Desktop leans on WSL2, that translates into full read-write access to the C: drive and a clear path to administrator rights.
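A practical check for the condition described above, run from inside a container: does the Engine API answer an unauthenticated request on the address Docker's bulletin names? The script below is an added example written for this article, not code from Docker or from either researcher. It only asks the daemon for `/version` (it creates no containers and mounts nothing), and it bundles a constructed stand-in HTTP server so the check can be exercised offline; the stand-in's version string and the helper names (`probe_engine_api`, `start_fake_engine`, `closed_port_url`) are this example's own.

```python
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Address of Docker Desktop's internal Engine API before 4.44.3, as named
# in Docker's CVE-2025-9074 bulletin; any container could reach it.
DESKTOP_ENGINE_URL = "http://192.168.65.7:2375"


def probe_engine_api(base_url=DESKTOP_ENGINE_URL, timeout=2.0):
    """Send an unauthenticated GET /version to an Engine API endpoint.

    Returns {"exposed": bool, "version": str|None}. Run from inside a
    container, exposed=True means the host's Docker Engine accepts
    requests from this container with no credentials at all, which is
    exactly the pre-4.44.3 condition the advisory describes.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/version",
                                 headers={"User-Agent": "engine-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except (urllib.error.URLError, OSError, ValueError):
        # Connection refused, timeout, or a non-JSON answer: not exposed.
        return {"exposed": False, "version": None}
    # The real Engine API answers /version with a JSON object carrying
    # "Version" and "ApiVersion"; anything else is not the Docker daemon.
    if not isinstance(body, dict) or "ApiVersion" not in body:
        return {"exposed": False, "version": None}
    return {"exposed": True, "version": body.get("Version")}


class _FakeEngine(BaseHTTPRequestHandler):
    """Constructed stand-in that answers /version like an open daemon.

    Only used so the probe can be demonstrated without Docker Desktop.
    """

    def do_GET(self):
        if self.path == "/version":
            payload = json.dumps({"Version": "0.0.0-constructed",
                                  "ApiVersion": "1.0-constructed"}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_engine():
    """Start the stand-in on a free loopback port; returns (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeEngine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port, server


def closed_port_url():
    """URL of a loopback port nothing listens on (the negative case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return "http://127.0.0.1:%d" % port


if __name__ == "__main__":
    url, srv = start_fake_engine()
    print("simulated open engine:", probe_engine_api(url))
    srv.shutdown()
    srv.server_close()
    print("nothing listening:   ", probe_engine_api(closed_port_url()))
    # Inside a container on Docker Desktop the real check is just:
    #   print(probe_engine_api())
```

On a patched Desktop (4.44.3 or later) the call against the default address should come back `exposed: False`; a `True` there from an ordinary, unprivileged container with no socket mounted is the signal that this machine still has the hole.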
“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” reads Docker’s bulletin. “This could allow unauthorized access to user files on the host system.”
The bug was discovered by security researcher Felix Boulet, who says he stumbled on the vulnerability “by mistake” when scanning his container’s environment, while Philippe Dugre, a researcher at PVOTAL Technologies, showed just how trivial the flaw was to abuse.
“For my macOS proof of concept, I only needed three lines of Python code,” Dugre noted. Mac users do get a prompt when a container tries to mount a directory, and the app itself doesn’t run with elevated privileges, but a determined attacker could still fiddle with Docker’s configuration and slip a backdoor onto the host.
On Windows, by contrast, nothing stops a hostile container mounting the system drive. With that level of access, attackers could rummage through files, drop malicious binaries, and overwrite DLLs. Once done, the container would have broken the whole point of Docker: isolation.
“On Windows, since the Docker Engine runs via WSL2, the attacker can mount as an administrator the entire file system, read any sensitive file, and ultimately overwrite a system DLL to escalate the attacker to administrator of the host system,” Dugre said.
Linux users can relax: this mess doesn’t affect Docker Engine on bare-metal Linux, which uses a local Unix socket rather than a TCP endpoint. The bug was limited to Desktop builds for Windows and macOS.
Docker has now released version 4.44.3, which closes the exposed API. Its bulletin also warns that Enhanced Container Isolation does not mitigate this particular cock-up, so if you thought ECI was your safety net, think again.
It’s another reminder that the weakest point in the chain often isn’t an exotic memory corruption bug but a misplaced assumption. In this case, Docker Desktop shipped with a wide-open management port, leaving Windows users especially exposed to containers that could step straight through the supposedly solid isolation barrier.
Admins should install the update without delay. Otherwise, that container you pulled from some dodgy registry could end up owning your host with just a few lines of code. ®