CVE-2025-9074: Critical Vulnerability in Docker Desktop

A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. Risk to organizations includes unauthorized access to the Docker Engine API, which can lead to execution of a wide range of privileged commands, including controlling and creating containers, managing images, and mounting the host drive with the same privileges as the user running Docker Desktop.

With a CVSS score of 9.3, this vulnerability is classified as critical. Organizations should prioritize patching immediately to mitigate potential risks. The exploitability of this vulnerability is deemed critical, given the various commands that can be executed once access is gained.

As of now, the vulnerability is awaiting analysis, but it has been confirmed that exploits exist. Security teams must be vigilant and address this vulnerability promptly to minimize risk exposure.

The urgency for defenders is high, as potential exploitation could lead to severe consequences for affected systems. Organizations are encouraged to assess their environments for potential exposure to this vulnerability.

Vulnerability Details

The vulnerability, CVE-2025-9074, allows local running Linux containers to access the Docker Engine API, which poses a significant security risk. The vulnerability has a CVSS score of 9.3, indicating a critical severity level. The affected system is Docker Desktop, and it was published on August 20, 2025. This vulnerability falls under the CWE classification of CWE-668.

Technical Analysis

The root cause of this vulnerability lies in the misconfiguration of the Docker Engine API access controls, which allows unauthorized access to the API over the default subnet. The attack vector is local, requiring no special privileges, and the attack complexity is low, making it accessible to attackers with minimal expertise. User interaction is passive, meaning no actions from the user are needed to exploit this vulnerability.

The confidentiality, integrity, and availability impacts are all classified as high, indicating that if an attacker gains access, they can compromise sensitive information, modify data, and disrupt service availability. This highlights the critical nature of the vulnerability and underscores the importance of immediate remediation.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2025-9074 is significant. Organizations utilizing Docker Desktop may find themselves vulnerable to unauthorized control over containers and potential exploitation of host systems. The blast radius is considerable, as the vulnerability can affect multiple containers and services running on the Docker Engine.

Given that the vulnerability is actively exploitable, organizations should assess their readiness and implement necessary controls. The urgency for remediation is critical, as organizations that delay may face severe operational and reputational impacts.

Exploitation Status

Affected Versions

All versions of Docker Desktop prior to the vendor patch are affected by this vulnerability. Organizations should ensure that they update to the latest version as soon as possible.

Mitigation & Remediation

Organizations should prioritize patching Docker Desktop to the latest version to remediate this vulnerability. If a patch is unavailable, consider implementing network controls to restrict access to the Docker Engine API and configure Docker to disallow unauthenticated access.

For further guidance on security practices, organizations may refer to penetration testing services to identify potential weaknesses in their configurations.

Detection Guidance

Organizations should monitor their logs for unauthorized access attempts to the Docker API. Look for unusual activity related to container management commands and track any changes to container configurations that do not align with standard operation procedures.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-9074 lies in its demonstration of potential weaknesses in container isolation mechanisms. This vulnerability highlights the need for ongoing security assessments and proactive measures to safeguard containerized environments.

Security teams can learn from this incident to enhance their threat models and improve their security posture. Implementing comprehensive logging and monitoring solutions will be key in detecting similar vulnerabilities in the future.

For more information on securing container environments, organizations may refer to related resources such as the Cloud Penetration Testing Guide and the Penetration Testing Methodology to strengthen their defenses.