Platform: docker
Component: docker-desktop
Fixed in: 4.41.0
CVE-2025-3224 describes a privilege escalation vulnerability affecting Docker Desktop for Windows versions prior to 4.41.0. An attacker can leverage this flaw to gain SYSTEM-level privileges by manipulating the update process. This vulnerability arises from how Docker Desktop handles file deletion during updates, specifically within the C:\ProgramData\Docker\config directory. The fix is to upgrade to version 4.41.0.
This vulnerability allows a local, low-privileged attacker to escalate their privileges to SYSTEM. The attack involves creating a malicious Docker\config folder structure under C:\ProgramData\, which is writable by regular users. During the Docker Desktop update process, the application attempts to delete files and subdirectories within this path using elevated privileges. By strategically crafting the malicious folder structure, an attacker can trick the update process into deleting or manipulating critical system files, effectively gaining control of the system. The potential impact is severe, as SYSTEM-level access grants complete control over the affected machine, enabling data theft, malware installation, and complete system compromise.
CVE-2025-3224 was publicly disclosed on April 28, 2025. The vulnerability's exploitation context is currently unclear, with no known active campaigns or public proof-of-concept exploits. It is not listed on the CISA KEV catalog as of this writing. The relatively straightforward nature of the exploit suggests that it could be easily weaponized if it gains wider attention.
Users running Docker Desktop for Windows versions 0 through 4.41.0 are at risk. This includes developers, system administrators, and anyone using Docker containers on Windows systems. Shared hosting environments utilizing Docker Desktop are particularly vulnerable due to the potential for cross-tenant privilege escalation.
• windows / supply-chain: `Get-ScheduledTask | Where-Object { $_.TaskName -like '*Docker*' } | Format-List TaskName, State`
• windows / supply-chain: `Get-CimInstance Win32_Process -Filter "Name LIKE '%docker%'" | Select-Object ProcessId, Name, CommandLine` (`Get-Process` exposes a `CommandLine` property only on PowerShell 7; the CIM query also works on Windows PowerShell 5.1 and matches the Docker Desktop helper processes, whose image names are not plain `docker`)
• windows / supply-chain: Check Autoruns for unusual entries related to Docker Desktop.
• windows / supply-chain: Monitor Windows Defender for alerts related to file deletion or modification within C:\ProgramData\Docker\config.
Exploit status: disclosure
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2025-3224 is to upgrade Docker Desktop to version 4.41.0 or later. Prior to upgrading, consider creating a system restore point as a precaution against unforeseen issues. If an upgrade is not immediately feasible, restrict access to the C:\ProgramData\ directory to prevent unauthorized creation of malicious Docker\config folders. Monitor system logs for unusual file deletion activity within the C:\ProgramData\Docker\config directory. While a WAF or proxy is not applicable here, implementing least-privilege principles for user accounts can limit the potential impact of a successful exploit.
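The following PowerShell script is an added example covering the detection commands and the mitigation advice above; it is not from the advisory, from Docker, or from the site hosting this page. It checks the installed Docker Desktop version against 4.41.0, reports whether low-privileged principals hold write, create or delete rights on C:\ProgramData\Docker and its config subdirectory, and can add a SACL audit rule so that deletions under the config directory are logged. It assumes (marked in the comments) that Docker Desktop registers an Add/Remove Programs entry whose DisplayName starts with "Docker Desktop" and whose DisplayVersion holds the product version; everything else uses standard .NET ACL APIs.

```powershell
# Added example, not part of the advisory: audit a Windows host for CVE-2025-3224 exposure.
# Run from an elevated PowerShell session; the audit-rule function needs SeSecurityPrivilege.

$FixedVersion = [version]'4.41.0'
$ParentDir    = 'C:\ProgramData\Docker'
$ConfigDir    = 'C:\ProgramData\Docker\config'

function Get-DockerDesktopVersion {
    # Assumption: Docker Desktop writes an uninstall entry named "Docker Desktop*" with a
    # DisplayVersion such as "4.40.0". Both native and WOW6432Node hives are checked.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Docker Desktop*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-VulnerableVersion {
    param([string]$Installed)
    if (-not $Installed) { return $null }          # not installed or entry not found
    return ([version]$Installed -lt $FixedVersion) # everything below 4.41.0 is affected
}

# Rights that allow a standard user to plant or replace entries under a directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor   # CreateDirectories
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-LowPrivWriteAccess {
    # Returns the Allow ACEs on $Path that grant a low-privileged principal any of $WriteRights.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $WriteRights) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Enable-DeleteAudit {
    # Adds a SACL rule so that delete/create attempts by anyone under $Path are recorded
    # (event ID 4663 once "Object Access > File System" auditing is enabled via auditpol).
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Invoke-Cve20253224Check {
    $ver = Get-DockerDesktopVersion
    [pscustomobject]@{
        InstalledVersion    = $ver
        FixedVersion        = $FixedVersion.ToString()
        VersionVulnerable   = Test-VulnerableVersion $ver
        ParentDirExists     = Test-Path -LiteralPath $ParentDir
        ConfigDirExists     = Test-Path -LiteralPath $ConfigDir
        LowPrivWriteParent  = @(Get-LowPrivWriteAccess $ParentDir)
        LowPrivWriteConfig  = @(Get-LowPrivWriteAccess $ConfigDir)
    }
}

Invoke-Cve20253224Check | Format-List
# To log deletions under the config directory until the upgrade is rolled out:
# auditpol /set /subcategory:"File System" /success:enable /failure:enable
# Enable-DeleteAudit -Path $ConfigDir
```

A `VersionVulnerable` of `True`, or any entry in `LowPrivWriteParent`/`LowPrivWriteConfig`, means the host still needs the upgrade or a tightened ACL on the Docker directory; the audit rule is the interim control that makes the "unusual file deletion activity" the advisory tells you to watch for visible in the Security log.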
Update Docker Desktop to version 4.41.0 or later. The update fixes the flaw in the update process that allows privilege escalation.
CVE-2025-3224 is a privilege escalation vulnerability in Docker Desktop for Windows versions 0–4.41.0, allowing a local attacker to gain SYSTEM access by manipulating the Docker configuration directory.
If you are using Docker Desktop for Windows versions 0 through 4.41.0, you are potentially affected by this vulnerability. Upgrade to version 4.41.0 or later to mitigate the risk.
The recommended fix is to upgrade Docker Desktop to version 4.41.0 or later. Consider backing up your system before upgrading.
There is currently no evidence of active exploitation of CVE-2025-3224, but it is crucial to apply the patch to prevent potential future attacks.
Refer to the official Docker security advisory for detailed information and updates regarding CVE-2025-3224: [https://security.docker.com/](https://security.docker.com/)