CVE-2025-15558
Published: 04 March 2026
Summary
CVE-2025-15558 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Docker Command Line Interface. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the untrusted search path flaw in Docker CLI by applying vendor patches that prevent execution from the vulnerable directory.
Prohibits or controls low-privileged user installation of malicious plugin binaries in the C:\ProgramData\Docker\cli-plugins directory exploited by this CVE.
Deploys anti-malware scanning to detect and block execution of malicious CLI plugin binaries placed in the untrusted search path.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An untrusted search path (CWE-427) allows a low-privileged attacker to plant malicious plugin binaries that execute in a higher-privileged context when Docker is invoked, directly enabling privilege escalation via execution flow hijack.
NVD Description
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager (https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager) package, such as Docker Compose. This issue does not impact non-Windows binaries, and projects not using the plugin-manager code.
Deeper analysis
CVE-2025-15558 is a vulnerability in the Docker CLI for Windows, where it searches for plugin binaries in the non-existent directory C:\ProgramData\Docker\cli-plugins. A low-privileged attacker can create this directory and place malicious CLI plugin binaries, such as docker-compose.exe or docker-buildx.exe, which are then executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features. This affects Docker CLI versions through 29.1.5 and Windows binaries using the github.com/docker/cli/cli-plugins/manager package, including Docker Compose. Non-Windows binaries and projects not using the plugin-manager code are unaffected. The issue is rated CVSS 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-427 (Untrusted Search Path).
A low-privileged attacker with access to the target Windows system can exploit this by creating the C:\ProgramData\Docker\cli-plugins directory and dropping malicious plugin executables. Exploitation occurs when a higher-privileged victim user launches Docker Desktop or uses Docker CLI plugin features, causing the malicious binaries to execute in the victim's context. If the Docker CLI is run as a privileged user, this enables privilege escalation, potentially granting the attacker high confidentiality, integrity, and availability impacts.
Mitigation details are provided in official advisories, including Docker Desktop release notes at https://docs.docker.com/desktop/release-notes/, a fix via GitHub pull request https://github.com/docker/cli/pull/6713, and the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-CAN-28304/.
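For defenders checking Windows hosts, the following added audit example (not from the advisory and not Docker's code) inspects the directory named above: whether it exists, who owns it, which principals outside a trusted list can write to it, and the Authenticode status of any executables inside. The function name and the trusted-SID list are assumptions to adjust to local policy.

```powershell
# Added audit example; not Docker's code. The path is the one named in the advisory.
function Test-DockerCliPluginDir {
    param([string]$Path = 'C:\ProgramData\Docker\cli-plugins')

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # Default state per the advisory: the directory does not exist.
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # Assumption: only these well-known SIDs should own or write to the directory.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that allow planting or replacing a plugin binary, plus the
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner($sidType).Value

    # Allow ACEs granting write-type access to anyone outside the trusted list.
    $writers = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($isAllow -and $canWrite -and $ace.IdentityReference.Value -notin $trusted) {
            '{0} ({1})' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }

    # Signature status of every executable the CLI could pick up as a plugin.
    $binaries = Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            '{0}: {1}' -f $_.Name, $sig.Status
        }

    [pscustomobject]@{
        Path = $Path; Exists = $true; OwnerSid = $owner
        OwnerTrusted = $owner -in $trusted
        UntrustedWriters = @($writers); Binaries = @($binaries)
    }
}

Test-DockerCliPluginDir | Format-List
```

On hosts running Docker CLI through 29.1.5, a directory that exists with an owner outside the trusted list, or with any entry under UntrustedWriters, deserves review. Inherit-only entries such as CREATOR OWNER are listed too, since they apply to files created inside the directory.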
Details
- CWE(s)