The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-9074

CVE-2025-9074: Docker Desktop Privilege Escalation Flaw

CVE-2025-9074 is a privilege escalation vulnerability in Docker Desktop allowing local containers to access the Docker Engine API. This flaw enables attackers to execute privileged commands and control containers.

Published: March 11, 2026

CVE-2025-9074 Overview

A critical vulnerability has been identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet at 192.168.65.7:2375 by default. This exposure occurs regardless of whether Enhanced Container Isolation (ECI) is enabled and persists even when the "Expose daemon on tcp://localhost:2375 without TLS" option is disabled.

This vulnerability enables attackers to execute a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, and managing images. On Docker Desktop for Windows with the WSL backend, the vulnerability additionally allows mounting the host drive with the same privileges as the user running Docker Desktop, potentially leading to complete host compromise.

Critical Impact

Attackers operating from within a container can escape isolation to gain full control over the Docker environment and potentially compromise the underlying host system, including access to sensitive files and the ability to launch arbitrary containers.

Affected Products

  • Docker Desktop (all platforms)
  • Docker Desktop for Windows with WSL backend
  • Docker Desktop for Mac

Discovery Timeline

  • 2025-08-20 - CVE-2025-9074 published to NVD
  • 2025-09-25 - Last updated in NVD database

Technical Details for CVE-2025-9074

Vulnerability Analysis

This vulnerability represents a significant container isolation bypass in Docker Desktop. The fundamental issue stems from improper exposure of the Docker Engine API endpoint to containers running on the internal Docker network subnet. By design, containers should be isolated from the Docker management plane, but this vulnerability creates an unintended communication path that breaks this isolation boundary.

The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere), which accurately describes how the Docker Engine API—a highly privileged interface intended only for administrative access—becomes accessible to untrusted container workloads. The attack surface is particularly concerning because it bypasses security controls that administrators typically rely upon, including Enhanced Container Isolation.

Root Cause

The root cause lies in the network configuration of Docker Desktop's internal architecture. The Docker Engine API is inadvertently bound to an interface accessible from the container network subnet (192.168.65.0/24 by default). This binding persists across multiple security configurations, indicating a fundamental design issue in how the API endpoint is exposed within the Docker Desktop networking stack.

The exposure occurs at 192.168.65.7:2375, which is reachable from any container running on the default Docker bridge network. This configuration error allows containers to communicate with the Docker daemon as if they were a privileged management client.

Attack Vector

An attacker with the ability to execute code within a container can exploit this vulnerability through the following attack pattern:

  1. From within a compromised or malicious container, the attacker identifies the Docker Engine API endpoint on the internal subnet
  2. The attacker sends unauthenticated API requests to 192.168.65.7:2375
  3. Using the Docker API, the attacker can enumerate running containers, create new privileged containers, or mount host filesystems
  4. On Windows with WSL backend, the attacker can mount the host drive (typically C:) with user-level privileges

The attack requires no authentication as the API endpoint lacks TLS or credential verification in this exposure scenario. Technical details about the exploitation methodology can be found in the Pivotal CVE-2025-9074 Analysis and the QwertySecurity Blog Post.

Detection Methods for CVE-2025-9074

Indicators of Compromise

  • Unexpected network connections from containers to 192.168.65.7:2375 on the Docker internal network
  • Unusual Docker API activity patterns, particularly container creation or volume mount operations originating from container IP addresses
  • New containers spawned with privileged flags or host filesystem mounts that were not administratively authorized
  • Container logs showing curl or HTTP client activity targeting the Docker subnet gateway addresses

Detection Strategies

  • Monitor network traffic within the Docker internal subnet for connections to port 2375
  • Implement audit logging for Docker Engine API calls and alert on API requests originating from container IP ranges
  • Use container runtime security tools to detect unexpected network egress to internal Docker infrastructure addresses
  • Deploy endpoint detection to identify containers attempting to access the Docker socket or API endpoints

Monitoring Recommendations

  • Enable detailed Docker daemon logging with --log-level=debug to capture API access patterns
  • Configure network monitoring on the Docker bridge interfaces to detect lateral movement attempts
  • Implement SIEM rules to correlate Docker API events with container network activity
  • Regularly audit running containers for unexpected privileged capabilities or host mounts

How to Mitigate CVE-2025-9074

Immediate Actions Required

  • Update Docker Desktop to version 4.44.3 or later immediately
  • Audit all currently running containers for signs of compromise or unauthorized configuration changes
  • Review and validate any containers with privileged access or host filesystem mounts
  • Implement network segmentation to restrict container access to internal Docker infrastructure

Patch Information

Docker has released a security update addressing this vulnerability. According to the Docker Release Notes, version 4.44.3 includes the fix for CVE-2025-9074. Organizations should prioritize upgrading to this version or later. Additional detection and mitigation guidance is available from Vicarius CVE-2025-9074 Mitigation.

Workarounds

  • Restrict which containers are deployed and implement strict container image provenance controls until patching is complete
  • Consider temporarily disabling Docker Desktop and using alternative containerization solutions for critical workloads
  • Implement network policies using tools like Calico or Cilium to block container access to the Docker internal subnet
  • Run containers with --network=none where network access is not required to eliminate the attack vector
bash
# Configuration example
# Run containers without network access as a temporary mitigation
docker run --network=none --rm -it your-container:latest

# Verify Docker Desktop version
docker version --format '{{.Client.Version}}'

# List containers with privileged access for audit
docker ps --format '{{.Names}}' | xargs -I {} docker inspect {} --format '{{.Name}}: Privileged={{.HostConfig.Privileged}}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechDocker
  • SeverityCRITICAL
  • CVSS Score9.3
  • EPSS Probability0.79%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-668
  • Technical References
  • Docker Release Notes
  • QwertySecurity Blog Post
  • Pivotal CVE-2025-9074 Analysis
  • BleepingComputer Security Report
  • Vicarius CVE-2025-9074 Detection
  • Vicarius CVE-2025-9074 Mitigation
  • QwertySecurity Blog Post
  • Related CVEs
  • CVE-2025-15558: Docker CLI Privilege Escalation Vulnerability
  • CVE-2026-28400: Docker Model Runner Privilege Escalation
  • CVE-2026-2664: Docker Desktop Privilege Escalation Flaw
  • CVE-2025-14740: Docker Desktop Privilege Escalation Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English