CVE-2025-9074

Description

A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.

Weakness Type (CWE)

CWE-668 CWE-668

References

Other References

https://docs.docker.com/desktop/release-notes/#4443 https://blog.qwertysecurity.com/Articles/blog3.html https://pvotal.tech/breaking-dockers-isolation-using-docker-cve-2025-9074/ https://www.bleepingcomputer.com/news/security/critical-docker-desktop-flaw-lets-attackers-hijack-windows-hosts/ https://www.vicarius.io/vsociety/posts/cve-2025-9074-detect-docker-desktop-vulnerability https://www.vicarius.io/vsociety/posts/cve-2025-9074-mitigate-docker-desktop-vulnerability https://blog.qwertysecurity.com/Articles/blog3 https://pvotal.tech/breaking-dockers-isolation-using-docker-cve-2025-9074/

Frequently Asked Questions

What is CVE-2025-9074? +

A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.

How do I check if I'm vulnerable to CVE-2025-9074? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-46723

The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission …

CVE-2025-23205

nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract …

CVE-2026-42875

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, …

CVE-2026-34094

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before …

CVE-2025-54502

Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with …

CVE-2025-32428

Jupyter Remote Desktop Proxy allows you to run a Linux Desktop on a JupyterHub. jupyter-remote-desktop-proxy was meant to rely on …