Platform: docker
Component: docker-desktop
Fixed in: 4.41.0
CVE-2025-3224 describes a privilege escalation vulnerability in Docker Desktop for Windows. A local attacker can leverage the flaw to gain SYSTEM-level privileges on the host machine. It affects Docker Desktop versions prior to 4.41.0; the fix shipped in version 4.41.0.
The vulnerability allows a local, low-privileged attacker to escalate to SYSTEM. The attack abuses the Docker Desktop update process, which runs with high privileges and attempts to delete files and subdirectories under C:\ProgramData\Docker\config. That directory often does not exist by default, and the default ACL on C:\ProgramData lets standard users create new subdirectories there, so a low-privileged user can create a malicious Docker\config directory structure at that path before an update runs. The privileged updater then deletes or manipulates files outside the intended location, which the attacker turns into full control of the host. The impact is critical: SYSTEM access means complete compromise of the machine, including data exfiltration, malware installation, and persistence.
CVE-2025-3224 was publicly disclosed on April 28, 2025. There is no indication of active exploitation at this time. The vulnerability's reliance on local access and directory manipulation suggests a lower probability of widespread exploitation compared to remote code execution vulnerabilities. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available.
Users running Docker Desktop for Windows versions prior to 4.41.0 are at risk. This includes developers, system administrators, and anyone running Docker containers on Windows. Multi-user Windows hosts with Docker Desktop installed (shared workstations, build machines, terminal servers) are particularly exposed, since any low-privileged local account can escalate to SYSTEM and thereby reach every other user's data on the machine.
Detection (windows / supply-chain):
• List scheduled tasks related to Docker Desktop (the updater and its helpers appear here):
Get-ScheduledTask | Where-Object {$_.TaskName -like '*Docker*'} | Format-List TaskName, State
• List running Docker processes with their command lines. Get-Process -Name matches the exact name unless you use a wildcard, and CommandLine is only populated on process objects in PowerShell 7; on Windows PowerShell 5.1 use the CIM query instead:
Get-Process -Name '*docker*' | Select-Object ProcessId, CommandLine
Get-CimInstance Win32_Process -Filter "Name LIKE '%docker%'" | Select-Object ProcessId, CommandLine
• Check Autoruns for unusual entries related to Docker Desktop.
• Watch for directory creation, reparse points, or file deletion under C:\ProgramData\Docker\config by accounts other than SYSTEM or Administrators. Windows Defender does not alert on ordinary file operations, so use file-system auditing (object access auditing with a SACL on C:\ProgramData\Docker, or Sysmon file create/delete events) rather than relying on Defender alerts.
Exploit status: disclosure
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation is to upgrade Docker Desktop to version 4.41.0 or later. Take a system backup before upgrading; if the upgrade fails, perform a clean reinstallation of Docker Desktop. There is no vendor-supplied workaround, but the attack depends on a standard user being able to create C:\ProgramData\Docker\config when it is absent, so pre-creating that directory as an administrator with an ACL that denies standard users write access removes that precondition (do not blanket-restrict C:\ProgramData itself, which many applications need to write to). Monitor file-system audit logs for suspicious directory creation or deletion within the Docker configuration path. Application control policies (AppLocker, WDAC) do not address this flaw, because the deletion is performed by the legitimate, signed updater running as SYSTEM. After upgrading, verify the installed Docker Desktop version to confirm remediation.
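The audit script below is an added example, not part of the original advisory and not Docker's own tooling. It ties together the description above (the updater's target path must be absent and creatable by a standard user), the detection bullets (entries under C:\ProgramData\Docker staged by a non-trusted owner) and the version check and interim hardening from this section. It assumes, which the page does not state, that Docker Desktop registers an Uninstall registry entry whose DisplayName starts with "Docker Desktop" and whose DisplayVersion is the Desktop version; the Protect-DockerConfigDir hardening step is the editor's suggestion, needs an elevated session, and is no substitute for the upgrade.

```powershell
# Added audit script for CVE-2025-3224 exposure on a Windows host (not from the advisory, not Docker's code).
# Assumptions not stated on the page: Docker Desktop's Uninstall entry has DisplayName 'Docker Desktop*'
# and DisplayVersion = Desktop version; the updater's target is exactly C:\ProgramData\Docker\config.

$FixedVersion  = [version]'4.41.0'
$DockerRoot    = 'C:\ProgramData\Docker'
$ConfigDir     = Join-Path $DockerRoot 'config'
$TrustedOwners = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'

function Get-DockerDesktopVersion {
    # Installed Docker Desktop version from the Uninstall registry entries (64- and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Docker Desktop*' -and $_.DisplayVersion } |
             Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-LowPrivCanCreateDirectories {
    # True when Users / Authenticated Users / Everyone hold an Allow ACE granting CreateDirectories on $Path.
    param([string]$Path)
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $create  = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $create) -eq $create) { return $true }
    }
    return $false
}

function Get-SuspiciousDockerEntries {
    # Entries under C:\ProgramData\Docker that look staged by a low-privileged account: anything not
    # owned by a trusted principal, plus reparse points (junctions/symlinks), the usual way to redirect
    # a privileged delete elsewhere. Indicators only, not proof; review before acting.
    if (-not (Test-Path -LiteralPath $DockerRoot)) { return @() }
    Get-ChildItem -LiteralPath $DockerRoot -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            $isReparse = ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if ($isReparse -or ($TrustedOwners -notcontains $owner)) {
                [pscustomobject]@{ Path = $_.FullName; Owner = $owner; ReparsePoint = $isReparse }
            }
        }
}

function Invoke-Cve20253224Audit {
    $version = Get-DockerDesktopVersion
    # The attack needs the target path to be absent and creatable by a standard user, so check the
    # nearest existing ancestor of C:\ProgramData\Docker\config.
    $probe = $ConfigDir
    while (-not (Test-Path -LiteralPath $probe)) { $probe = Split-Path -Parent $probe }
    [pscustomobject]@{
        DesktopVersion        = $version
        NeedsUpgrade          = ($null -ne $version) -and ($version -lt $FixedVersion)
        ConfigDirExists       = Test-Path -LiteralPath $ConfigDir
        NearestExistingPath   = $probe
        LowPrivCanCreateThere = Test-LowPrivCanCreateDirectories -Path $probe
        SuspiciousEntries     = @(Get-SuspiciousDockerEntries)
    }
}

function Protect-DockerConfigDir {
    # Interim hardening (editor's suggestion, not Docker guidance; the upgrade is the real fix):
    # pre-create the directory as an administrator so it already exists with a trusted owner, and stop
    # inheriting the Users write ACE from C:\ProgramData so a standard user cannot replace or populate it.
    # Requires an elevated session.
    if (-not (Test-Path -LiteralPath $ConfigDir)) {
        New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $ConfigDir
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($spec in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $spec[0], $spec[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $ConfigDir -AclObject $acl
}

Invoke-Cve20253224Audit | Format-List
```

NeedsUpgrade is the authoritative result; LowPrivCanCreateThere combined with ConfigDirExists = False is the exposure precondition, and any SuspiciousEntries on an unpatched host deserve an incident-response look before the next update runs. Run Protect-DockerConfigDir only after confirming that nothing on the host relies on standard users writing to that path (Docker Engine for Windows containers keeps its daemon configuration there, but edits it as an administrator).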
Update Docker Desktop to version 4.41.0 or later. The update fixes the vulnerability in the update process that allows privilege escalation.
CVE-2025-3224 is a privilege escalation vulnerability in Docker Desktop for Windows versions prior to 4.41.0, allowing a local attacker to gain SYSTEM access by manipulating the Docker configuration directory before an update runs.
If you are using Docker Desktop for Windows in a version prior to 4.41.0, you are potentially affected. Upgrade to version 4.41.0 or later to mitigate the risk.
The recommended fix is to upgrade Docker Desktop to version 4.41.0 or later. Consider backing up your system before upgrading.
There is currently no evidence of active exploitation of CVE-2025-3224, but it is crucial to apply the patch to prevent potential future attacks.
Refer to the official Docker security advisory for detailed information and updates regarding CVE-2025-3224: https://security.docker.com/