Vulnerability Response

CVE-2025-9074 in Docker Desktop: Patch Posture & SBOM Response

A container-to-host escape in Docker Desktop scored CVSS 9.3. Windows and macOS developer fleets need a fast rollout to 4.44.3; the defender playbook is below.

Shadab Khan
Security Engineer
6 min read

On August 20, 2025, Docker disclosed CVE-2025-9074, a critical container-to-host escape in Docker Desktop for Windows and macOS, and shipped the fix in Docker Desktop 4.44.3. Docker rates the issue at CVSS 9.3 and credits researcher Felix Boulet. The flaw is exactly the class of bug security teams worry about most on developer laptops: an ordinary, unprivileged container with default network access could reach the Docker Engine API at 192.168.65.7:2375 inside the Docker Desktop VM and ask the engine to create a new container with the host filesystem bind-mounted, stepping out of the isolation boundary Docker Desktop is supposed to provide. No mounted Docker socket and no elevated container flags are needed; the container only has to speak HTTP to that address. For enterprises that mandate Docker Desktop on engineering workstations, this is a patch-now event.

What does the vendor advisory say?

Docker describes CVE-2025-9074 as an unauthenticated Docker Engine API endpoint inside the LinuxKit-based VM that Docker Desktop runs on Windows and macOS. The TCP socket at 192.168.65.7:2375 was reachable from any container on the default network without TLS, mutual auth, or any access control, so a container could issue the same API calls a developer issues with the docker CLI, including creating containers with arbitrary bind mounts. One point in Docker's notes is easy to get backwards: Docker states that Enhanced Container Isolation (ECI), the optional hardening feature that runs containers inside user namespaces, did not mitigate this vulnerability, so ECI-enabled hosts must be patched like everyone else. Docker also states that Docker Desktop for Linux is not affected, which it attributes to a different network architecture; defenders should still confirm which product (Docker Desktop, or Docker Engine from a distro package) their Linux developers actually run.

Which versions are affected and which are patched?

CVE-2025-9074 affects Docker Desktop for Windows and macOS releases before 4.44.3. The fixed release is Docker Desktop 4.44.3, published August 20, 2025. Docker Desktop for Linux is not affected. Verify the installed version via:

  • Windows: Open the Docker tray icon > About Docker Desktop, or run docker version and read the Docker Desktop release from the Server block (the same string is available as docker version --format '{{.Server.Platform.Name}}').
  • macOS: Open the Docker menu bar icon > About Docker Desktop, or run docker version as above.

For fleet-managed environments, the corresponding distribution channels:

  • Microsoft Endpoint Manager / Intune — Docker publishes signed MSI installers (Docker Desktop Installer.msi) on docs.docker.com/desktop/release-notes that admins can package as a Win32 app.
  • Jamf Pro for macOS — Docker publishes signed PKG installers (Docker.pkg) for managed deployment.
  • Homebrew Cask — brew upgrade --cask docker pulls 4.44.3 once the cask manifest is updated, which can lag Docker's release; do not make the fleet deadline depend on it.

Is it in CISA KEV and what is the EPSS score?

CVE-2025-9074 is not in CISA KEV at the time of writing. EPSS sat at 0.06 at disclosure and rose to 0.21 once public proof-of-concept code circulated; EPSS is recomputed daily, so check the current value rather than quoting these. Absence from KEV is not reassurance here: KEV records confirmed in-the-wild exploitation, and developer-workstation compromise is rarely observed and reported the way server-side exploitation is. Treat this as a near-emergency for any organization running Docker Desktop on developer laptops, because the lateral-movement story is short: a developer pulls or builds a malicious image (npm, PyPI, Docker Hub), a container from that image calls the engine API, and the attacker can now read and write host files on a laptop that almost certainly holds source code, SSH keys, cloud credentials, and access to internal Git. Impact differs by platform: on Windows the Docker Desktop backend runs with administrative privileges, so the attacker can bind-mount the whole system drive; on macOS, host access is limited to the directories the user has shared with Docker Desktop, which in practice usually includes the home directory.

How do you find vulnerable instances in your SBOM?

Developer laptops rarely appear in production SBOM inventories. Add them explicitly via the endpoint-management agent, ingesting the Docker Desktop.exe (Windows) and Docker.app (macOS) version strings into the asset graph. Safeguard saved query:

# Identify endpoints still running Docker Desktop below 4.44.3
safeguard scan --cve CVE-2025-9074 --product docker-desktop

# Show macOS hosts on the affected range
safeguard assets list \
  --filter "vendor=docker AND product=docker-desktop AND os IN (macos,windows)" \
  --include-cve CVE-2025-9074

For shops without an endpoint SBOM, the cheapest enumeration is to run docker version --format '{{.Server.Platform.Name}}' on each laptop through your remote-execution tooling. That template prints the Docker Desktop release (for example Docker Desktop 4.44.2 (<build>)), whereas {{.Server.Version}} prints the bundled engine version, which does not map cleanly onto the fix. Join the results against the fixed-version table. Jamf and Intune both expose the installed application version as a queryable inventory field, which is the fastest path at scale.
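As an added example (not Safeguard's or Docker's own tooling), the join described above in Python: it parses the Platform.Name strings collected from each laptop, compares versions numerically rather than lexically (so 4.9.1 correctly sorts below 4.44.3), and skips Linux hosts and plain Docker Engine installs, which Docker says are not affected. The inventory rows are constructed, not real hosts, and the build numbers in them are placeholders.

```python
"""Triage a Docker Desktop inventory against the CVE-2025-9074 fix version.

Added example for this article; not Docker's or Safeguard's own code. It assumes
inventory rows shaped like the output of
    docker version --format '{{.Server.Platform.Name}}'
(which prints e.g. "Docker Desktop 4.44.2 (<build>)"), collected per host by an
endpoint agent. The sample rows below are constructed, not real hosts.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (4, 44, 3)                  # first release that fixes CVE-2025-9074
AFFECTED_PLATFORMS = {"windows", "macos"}   # Docker states Linux is not affected

_VERSION_RE = re.compile(r"Docker Desktop (\d+)\.(\d+)\.(\d+)")


@dataclass
class Host:
    name: str
    os: str              # "windows", "macos" or "linux"
    platform_name: str   # raw docker version output


def parse_desktop_version(platform_name: str):
    """Return (major, minor, patch) or None when the string is not Docker Desktop
    (a plain Docker Engine on Linux prints something like 'Docker Engine - Community')."""
    m = _VERSION_RE.search(platform_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(host: Host) -> bool:
    """True when the host runs an affected OS with Docker Desktop below 4.44.3."""
    if host.os.lower() not in AFFECTED_PLATFORMS:
        return False
    version = parse_desktop_version(host.platform_name)
    if version is None:
        return False  # no Docker Desktop found; nothing to patch on this host
    # Tuple comparison is numeric per component: (4, 9, 1) < (4, 44, 3).
    return version < FIXED_VERSION


def triage(hosts):
    """Split an inventory into (needs_patch, ok) name lists, each sorted."""
    needs_patch = sorted(h.name for h in hosts if is_vulnerable(h))
    ok = sorted(h.name for h in hosts if not is_vulnerable(h))
    return needs_patch, ok


# Constructed sample inventory (not real hosts; build numbers are placeholders).
SAMPLE_HOSTS = [
    Host("dev-win-01", "windows", "Docker Desktop 4.44.2 (100001)"),
    Host("dev-mac-02", "macos", "Docker Desktop 4.44.3 (100002)"),
    Host("dev-mac-03", "macos", "Docker Desktop 4.9.1 (100003)"),
    Host("ci-linux-01", "linux", "Docker Engine - Community"),
    Host("dev-win-04", "windows", "Docker Desktop 4.45.0 (100004)"),
]

if __name__ == "__main__":
    need, fine = triage(SAMPLE_HOSTS)
    print("Needs 4.44.3 or later:", need)
    print("Not affected / patched:", fine)
```

Feed it the per-host strings your remote-execution tool collects; the numeric tuple comparison is the part worth keeping, since a naive string sort would mark a 4.9.x laptop as newer than 4.44.3 and leave it unpatched.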

What is the recommended patch rollout?

Docker's guidance is simply to update to 4.44.3. A rollout that makes that stick:

  1. Force-upgrade Docker Desktop to 4.44.3 via your endpoint management tool (Intune, Jamf, Workspace ONE).
  2. If automated upgrade is not yet possible, push the in-app update notification with a deadline, and track compliance from the inventory version field rather than from developer acknowledgements.
  3. As hardening beyond the patch, enable Enhanced Container Isolation (ECI) in admin-settings.json with "enhancedContainerIsolation": { "value": true, "locked": true }. ECI is worth having because it restricts what containers can do to the VM, but Docker states it did not mitigate CVE-2025-9074, so it is not a substitute for the patch and does not change a laptop's patch priority.
  4. Audit container images on developer laptops for unknown publishers using docker image inspect (check RepoDigests and Labels against the registries you trust) and the Docker Scout dashboard.

Compensating controls while patching: there is no supported daemon.json setting that removes the internal endpoint, and ECI does not block it, so the only configuration-level stopgap is to deny untrusted containers a network at all (docker run --network none) until 4.44.3 is installed; a container with no interface cannot reach 192.168.65.7. That breaks the local-development workflow for most teams, so treat it as a last resort for the longest-tail laptops, and in the meantime pause pulls of images from publishers you do not already trust. The upgrade is the control; everything else buys days, not safety.

For air-gapped enterprises, the Docker Desktop installers are standalone packages that can be staged on an internal share and pushed by the same endpoint tooling; the dominant time sink in the patch rollout is manual approval through the corporate change-management process, not the install itself.

What detections does the vendor or CISA publish?

Docker did not publish a network signature: the exploit traffic stays inside the Docker Desktop VM and never crosses the corporate network. Defenders can still detect post-exploitation activity with endpoint telemetry; ask your EDR vendor what behavioral coverage they ship for this CVE rather than assuming it exists. An illustrative Sigma rule for one post-escape behavior on Windows (written to illustrate this article, not supplied by Docker or CISA):

title: Docker Desktop Backend Spawning Interactive Shell
status: experimental
description: >
  Detects cmd.exe, powershell.exe or pwsh.exe started by the Docker Desktop
  backend process on Windows. The backend normally drives wsl.exe and its own
  helpers, not interactive shells; investigate as possible post-escape
  activity following a CVE-2025-9074 style container breakout.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\com.docker.backend.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
fields:
  - User
  - ParentCommandLine
  - CommandLine
falsepositives:
  - Docker Desktop install or upgrade scripts
  - WSL integration setup invoking PowerShell
level: high

On macOS the equivalent rule watches the Docker Desktop backend and privileged helper processes for child processes outside Docker's normal helper graph. wsl.exe is deliberately absent from the Windows rule because the backend launches it routinely; alerting on it would bury the signal. Whether your EDR (CrowdStrike, SentinelOne, Jamf Protect) ships equivalent content is a question for the vendor, not an assumption. The more direct signal for this particular CVE is mount and file activity rather than process spawns: a container whose bind mounts reach the host root, a drive root, or a credential directory (docker inspect lists them under Mounts), correlated with host-side file-access telemetry on ~/.ssh, ~/.aws and similar paths.
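As an added example (not Docker's or any EDR vendor's detection content), the mount-based check in Python over docker inspect output: it flags containers with a bind mount of the host root, a drive root, or a Docker Desktop host-share root, containers that mount credential directories, and privileged containers. The host-share prefixes (/host_mnt, /run/desktop/mnt/host) are assumptions about Docker Desktop's VM layout; check them against your release. The inspect records are constructed.

```python
"""Flag containers on a Docker Desktop host whose mounts reach host files.

Added example for this article, not Docker's or Safeguard's code. It reads the
JSON array that `docker inspect $(docker ps -aq)` prints and flags containers
whose bind mounts expose the host (or the VM's host-share mount points), that
mount credential directories, or that run privileged, which is what the
post-exploitation container described in the article looks like. The
host-share prefixes are assumptions about Docker Desktop's VM layout.
"""
import json
import re

# Sources that hand a container the whole host or the Desktop VM's host shares.
# /host_mnt and /run/desktop/mnt/host are assumed Docker Desktop mount points.
ROOT_SOURCES = {"/", "/host_mnt", "/run/desktop/mnt/host"}
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:[\\/]?$")          # C:\ or C:/
# Directories that turn plain file access into credentials on a laptop.
SENSITIVE_DIRS = (".ssh", ".aws", ".docker", ".kube", ".config/gcloud", ".azure")


def _norm(path: str) -> str:
    """Normalise separators and trailing slashes so Windows and POSIX compare alike."""
    return path.replace("\\", "/").rstrip("/") or "/"


def is_broad_host_mount(source: str) -> bool:
    """Host root, a drive root (C:\\), or a host-share root plus at most one
    path component (e.g. /host_mnt/c, /host_mnt/Users): everything on the laptop."""
    if DRIVE_ROOT_RE.match(source):
        return True
    n = _norm(source)
    if n == "/":
        return True
    for root in ROOT_SOURCES - {"/"}:
        rest = n[len(root) + 1:]
        if n == root or (n.startswith(root + "/") and "/" not in rest):
            return True
    return False


def touches_credentials(source: str) -> bool:
    """True when any path component sequence matches a credential directory."""
    n = _norm(source) + "/"
    return any(f"/{d}/" in n for d in SENSITIVE_DIRS)


def assess(container: dict) -> list:
    """Return the reasons a container looks like a host-escape foothold ([] if none)."""
    reasons = []
    host_cfg = container.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        reasons.append("privileged")
    # Use Mounts rather than HostConfig.Binds: Binds strings are awkward to split
    # on Windows (C:\ contains a colon), while Mounts carries Source separately.
    for m in container.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        if is_broad_host_mount(src):
            reasons.append(f"host root bind: {src}")
        elif touches_credentials(src):
            reasons.append(f"credential dir bind: {src}")
    return reasons


def scan(inspect_json: str) -> dict:
    """Map container name -> reasons for every flagged container in a docker inspect dump."""
    flagged = {}
    for c in json.loads(inspect_json):
        reasons = assess(c)
        if reasons:
            flagged[c.get("Name", c.get("Id", "?")).lstrip("/")] = reasons
    return flagged


# Constructed docker inspect output, trimmed to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Id": "1", "Name": "/web-dev", "Config": {"Image": "node:20"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/Users/alice/src/app", "Destination": "/app"}]},
    {"Id": "2", "Name": "/loot", "Config": {"Image": "alpine"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/host_mnt/Users", "Destination": "/host"}]},
    {"Id": "3", "Name": "/keys", "Config": {"Image": "busybox"},
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "C:\\Users\\bob\\.ssh", "Destination": "/k"}]},
    {"Id": "4", "Name": "/db", "Config": {"Image": "postgres:16"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/pg/_data",
                 "Destination": "/var/lib/postgresql/data"}]},
])

if __name__ == "__main__":
    for name, why in scan(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(why)}")
```

Run it against docker inspect $(docker ps -aq) on a suspect laptop. It queries the same engine the attacker controls, so a careful attacker removes the container before anyone looks; treat it as a hunting aid paired with host-side file-access telemetry, not as a gate.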

How Safeguard Helps

Safeguard ingests Docker Desktop version data from endpoint-management tools (Intune, Jamf, Workspace ONE) into the asset graph and matches it against the fixed-version table for CVE-2025-9074. Policy gates can block CI runners that pull Docker images on developer laptops still below 4.44.3, gating the highest-risk source-code-adjacent workflow. Griffin AI scores developer laptops by source-code repository access (read/write to private GitHub, GitLab, Bitbucket), cloud credential presence (AWS CLI, gcloud, Azure CLI), and Docker Hub pull frequency, surfacing the laptops where exploitation would have the largest downstream blast radius. VEX statements from Docker are auto-ingested where Docker publishes them; because Docker states that Enhanced Container Isolation did not mitigate this CVE, ECI-enabled hosts are not treated as hardened for CVE-2025-9074 and keep their findings until 4.44.3 is confirmed. The remediation engine files a per-laptop ticket in the endpoint management queue with the MSI/PKG installer hash, the 4.44.3 release notes link, and an ECI configuration JSON snippet attached for defense-in-depth hardening, closing the loop between vulnerability detection and verified fix.
