Platform: docker
Component: docker-desktop
Fixed in: 4.41.0
CVE-2025-3224 describes a privilege escalation vulnerability affecting Docker Desktop for Windows. An attacker can leverage this flaw to gain SYSTEM-level privileges on the host machine. This vulnerability impacts versions 0 through 4.41.0 of Docker Desktop. A fix is available in version 4.41.0.
This vulnerability allows a local, low-privileged attacker to escalate their privileges to SYSTEM. The attack leverages the Docker Desktop update process, which attempts to delete files and subdirectories under the C:\ProgramData\Docker\config path. If this directory doesn't exist (which is common), a user can create a malicious directory structure at C:\ProgramData\Docker\config. The privileged update process then inadvertently deletes or manipulates arbitrary system files, granting the attacker complete control over the host. This is a critical vulnerability as SYSTEM access allows for complete compromise of the machine, including data exfiltration, installation of malware, and persistence.
CVE-2025-3224 was publicly disclosed on April 28, 2025. There is no indication of active exploitation at this time. The vulnerability's reliance on local access and directory manipulation suggests a lower probability of widespread exploitation compared to remote code execution vulnerabilities. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available.
Exploit Status
EPSS: 0.03% (10% percentile)
The primary mitigation is to upgrade Docker Desktop to version 4.41.0 or later. Prior to upgrading, consider creating a system backup. If the upgrade process fails, attempt a clean reinstallation of Docker Desktop. While a direct workaround is unavailable, restricting user permissions on the C:\ProgramData\ directory could reduce the attack surface. Monitor system logs for suspicious file deletion activity within the Docker configuration directory. Consider implementing application control policies to restrict Docker Desktop's access to sensitive system resources. After upgrade, verify the Docker Desktop version to ensure successful remediation.
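The version check and directory review described above can be scripted. The following PowerShell audit is an added example, not code from Docker or from this advisory. It assumes Docker Desktop registers an uninstall entry whose DisplayName starts with "Docker Desktop", and the list of trusted owner SIDs is a choice made for this example.

```powershell
# Added audit example. Assumptions: the uninstall-entry lookup and the trusted-owner list.
$FixedVersion  = [version]'4.41.0'           # "Fixed in" value from this page
$DockerData    = 'C:\ProgramData\Docker'     # parent of the path named in the advisory
$ConfigDir     = Join-Path $DockerData 'config'
$TrustedOwners = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-DockerDesktopVersion {
    # Search machine-wide and per-user uninstall entries instead of hardcoding one key.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Docker Desktop*' } |
        Select-Object -First 1
    # Keep only the leading numeric part so a suffixed version string still parses.
    if ($entry -and $entry.DisplayVersion -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

function Get-OwnerFinding([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Created = $null; TrustedOwner = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path
    # Compare by SID so the result does not depend on localized account names.
    $sid  = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        Owner        = $acl.Owner
        Created      = $item.CreationTime
        TrustedOwner = $TrustedOwners -contains $sid
    }
}

$installed = Get-DockerDesktopVersion
if (-not $installed)                  { 'Docker Desktop: no uninstall entry found' }
elseif ($installed -lt $FixedVersion) { "Docker Desktop $installed is below $FixedVersion; upgrade required" }
else                                  { "Docker Desktop $installed is at or above $FixedVersion" }

$findings = $DockerData, $ConfigDir | ForEach-Object { Get-OwnerFinding $_ }
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Exists -and -not $_.TrustedOwner } |
    ForEach-Object { "REVIEW: $($_.Path) is owned by $($_.Owner), created $($_.Created)" }
```

A REVIEW line on a host that is still below the fixed version means the directory was created by an account outside the trusted list and should be inspected before the next update runs.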
Upgrade Docker Desktop to version 4.41.0 or later. The update fixes the vulnerability in the update process that allows privilege escalation.
CVE-2025-3224 is a privilege escalation vulnerability in Docker Desktop for Windows versions 0–4.41.0, allowing a local attacker to gain SYSTEM access by manipulating the Docker configuration directory.
If you are using Docker Desktop for Windows versions 0 through 4.41.0, you are potentially affected by this vulnerability. Upgrade to version 4.41.0 or later to mitigate the risk.
The recommended fix is to upgrade Docker Desktop to version 4.41.0 or later. Consider backing up your system before upgrading.
There is currently no evidence of active exploitation of CVE-2025-3224, but it is crucial to apply the patch to prevent potential future attacks.
Refer to the official Docker security advisory for detailed information and updates regarding CVE-2025-3224: [https://security.docker.com/](https://security.docker.com/)