Docker Addresses Critical Container Escape Vulnerability CVE-2025-9074 with CVSS Score of 9.3

August 25, 2025
Container Security / Vulnerability

Docker has released updates to fix a serious security vulnerability in the Docker Desktop application for Windows and macOS. This security flaw, identified as CVE-2025-9074, has a CVSS score of 9.3 out of 10.0, indicating its severity. The issue has been resolved in version 4.44.3. According to Docker’s advisory from last week, “A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without needing the Docker socket to be mounted.” This could result in unauthorized access to user files on the host system, and Enhanced Container Isolation (ECI) does not provide mitigation for this vulnerability. Security researcher Felix Boulet notes that the vulnerability stems from a container’s ability to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, which could lead to a scenario where a privileged container can…

Docker Addresses Critical Container Escape Vulnerability (CVE-2025-9074) with High CVSS Score

August 25, 2025

In a significant cybersecurity development, Docker has released updates to rectify a critical vulnerability in its Desktop application for Windows and macOS. Known as CVE-2025-9074, this security flaw poses a severe risk, allowing potential attackers to escape the confines of a container, which could lead to unauthorized access to host system files. The vulnerability has been assigned a high severity rating, with a CVSS score of 9.3 out of 10. The issue has been resolved in version 4.44.3 of the Docker Desktop application.

According to Docker’s advisory issued last week, a malicious container operating on Docker Desktop could exploit this flaw to access the Docker Engine. This could enable the attacker to launch additional containers without needing the Docker socket to be mounted, thereby bypassing crucial security controls. Notably, the company emphasized that its Enhanced Container Isolation (ECI) feature does not mitigate the effects of this vulnerability.

Security researcher Felix Boulet has pointed out that the vulnerability is rooted in the ability of a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication. This lack of authentication opens avenues for privileged containers to interact with the Docker API, drastically elevating the potential for unauthorized actions and data exposure.

The target of this vulnerability encompasses users of the Docker Desktop application across various business sectors, primarily located in the United States. The implications of such a breach are profound, particularly for organizations relying heavily on Docker for containerization in their operational frameworks. The risk of unauthorized data access underscores the importance of timely software updates in safeguarding sensitive information.

Within the context of the MITRE ATT&CK framework, various adversary tactics and techniques are pertinent to this incident. The lack of authentication features in the Docker Engine API illustrates a potential weakness in initial access methods that adversaries could exploit. Furthermore, the ability to escalate privileges via container breakout points to risks associated with privilege escalation tactics, putting user data at an increased risk of exposure.

As Docker users implement the necessary updates, it is crucial for business owners to remain vigilant. Monitoring systems for suspicious activities and enforcing authentication protocols can mitigate risks associated with such vulnerabilities. This incident serves as a reminder of the ever-evolving landscape of cybersecurity threats, emphasizing the necessity for organizations to adopt a proactive stance in their security measures.

In conclusion, the swift action taken by Docker in addressing CVE-2025-9074 is commendable. However, the onus also lies on users to ensure their systems remain secure through regular updates and awareness of potential vulnerabilities. As the cybersecurity landscape continues to evolve, maintaining a rigorous approach to security practices is paramount for all organizations utilizing container technologies.

Source link

Related Posts

UNC6384 Uses Captive Portal Hijacks and Valid Certificates for PlugX Deployment Targeting Diplomats

August 25, 2025
Malware / Cyber Espionage

A threat actor associated with China, known as UNC6384, has been linked to a series of attacks aimed at diplomats in Southeast Asia and various global entities to further Beijing’s strategic goals. “This complex attack chain employs sophisticated social engineering tactics, including the use of legitimate code signing certificates, adversary-in-the-middle (AitM) techniques, and indirect execution methods to bypass detection,” noted Patrick Whitsell from Google’s Threat Intelligence Group (GTIG). UNC6384 is believed to share resources and tactics with the well-known Chinese hacking group Mustang Panda, also identified by multiple aliases such as BASIN, Bronze President, and more. The campaign, identified by GTIG in March 2025, features a captive portal redirect to hijack web traffic and distribute a digitally signed downloader known as STATICPLUGIN. This downloader subsequently facilitates…

ShadowCaptcha Targets WordPress Sites to Distribute Ransomware, Info Stealers, and Crypto Miners

August 26, 2025
Ransomware / Cryptojacking

A significant new campaign has been uncovered, impacting over 100 compromised WordPress sites. This initiative redirects visitors to fake CAPTCHA verification pages employing the ClickFix social engineering technique to disseminate information stealers, ransomware, and cryptocurrency miners. Dubbed ShadowCaptcha by the Israel National Digital Agency, this widespread cybercrime operation, first detected in August 2025, utilizes a combination of social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to establish and sustain access to targeted systems. Researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman explain, “The ultimate aims of ShadowCaptcha include harvesting sensitive information through credential theft and browser data exfiltration, deploying cryptocurrency miners for illicit gains, and even initiating ransomware outbreaks.” The attacks commence when unsuspecting users visit a compromised site…

MixShell Malware Exploits Contact Forms to Target U.S. Supply Chain Manufacturers

Date: Aug 26, 2025
Categories: Enterprise Security / Artificial Intelligence

Cybersecurity experts are highlighting a complex social engineering initiative aimed at crucial supply chain manufacturing firms, deploying in-memory malware known as MixShell. This campaign, dubbed “ZipLine” by Check Point Research, circumvents traditional phishing tactics by initiating contact through companies’ public “Contact Us” forms. Attackers deceive employees into engaging in what appears to be a legitimate communication. According to Check Point’s statement to The Hacker News, these interactions can span several weeks, often involving fabricated non-disclosure agreements before the attackers deliver a weaponized ZIP file containing the stealthy MixShell malware. The attacks have impacted various organizations across multiple sectors, with a particular focus on U.S. manufacturers in industrial fields such as machinery, metalworking, component production, and engine manufacturing.

Citrix Addresses Three NetScaler Vulnerabilities, Alerts on Active Exploitation of CVE-2025-7775

Date: August 26, 2025
Focus: Vulnerability / Remote Code Execution

Citrix has issued patches for three security vulnerabilities in NetScaler ADC and NetScaler Gateway, including one that is currently being actively exploited. The vulnerabilities are as follows:

  • CVE-2025-7775 (CVSS score: 9.2): Memory overflow vulnerability resulting in Remote Code Execution and/or Denial-of-Service.
  • CVE-2025-7776 (CVSS score: 8.8): Memory overflow issue causing unpredictable behavior and potential Denial-of-Service.
  • CVE-2025-8424 (CVSS score: 8.7): Improper access control on the NetScaler Management Interface.

Citrix noted that there have been observed exploits of CVE-2025-7775 on unmitigated devices but did not provide further specifics. However, certain conditions must be met for the vulnerabilities to be exploited.

For CVE-2025-7775, the NetScaler must be set up as a Gateway (including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. Affected versions include NetScaler ADC and NetScaler Gateway 13.1, 14.1…