CVE-2025-9074
Published: 20 August 2025
Summary
CVE-2025-9074 is a critical-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Qwertysecurity (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in Docker Desktop enables local Linux containers to reach the Docker Engine API over the default internal subnet at 192.168.65.7:2375. The flaw is present regardless of whether Enhanced Container Isolation is enabled and independent of the “Expose daemon on tcp://localhost:2375 without TLS” setting. It is tracked as CVE-2025-9074 with a CVSS 4.0 score of 9.3 and is associated with CWE-668.
An attacker who can run a container on an affected host can therefore issue privileged Engine API calls to inspect, create, or delete other containers and images. On Docker Desktop for Windows using the WSL backend, the same access also permits mounting the host filesystem with the privileges of the user running Docker Desktop.
Public advisories and technical write-ups are available at the Docker release notes for version 4.44.3 and at several independent analyses that describe detection methods and the scope of the issue. The associated EPSS score has remained flat at 0.0119 with no material increase since disclosure.
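As an added example that is not part of this record or of Docker's own tooling, the following Python helper checks the two facts above from the defender's side: whether the installed Docker Desktop version is at or past the 4.44.3 fix, and, when run from inside a container on the host, whether the default 192.168.65.7:2375 endpoint still answers an unauthenticated GET /version. The Engine API's /version route and its "Version" field are standard; the function names and the assumed "4.44.3" version-string format are this example's own.

```python
import http.client
import json
from typing import Optional

# Default Docker Desktop internal subnet endpoint named in the advisory.
DEFAULT_HOST, DEFAULT_PORT = "192.168.65.7", 2375
# First Docker Desktop release carrying the fix, per the 4.44.3 release notes.
FIXED_DESKTOP_VERSION = (4, 44, 3)


def parse_version(text: str) -> tuple:
    """'4.44.3' -> (4, 44, 3); a build tag after a space is ignored (assumed format)."""
    return tuple(int(part) for part in text.strip().split()[0].split("."))


def desktop_is_fixed(version_text: str) -> bool:
    """True when the reported Docker Desktop version is 4.44.3 or later."""
    return parse_version(version_text) >= FIXED_DESKTOP_VERSION


def probe_engine_api(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                     timeout: float = 2.0) -> Optional[dict]:
    """GET /version on a plain-TCP Engine API endpoint.

    Run from inside a container after patching: a parsed JSON body means the
    unauthenticated endpoint is still reachable from containers; None means the
    connection was refused or timed out, or the reply was not 200/JSON.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read())
    except (OSError, ValueError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def verdict(desktop_version: str, probe_result: Optional[dict]) -> str:
    """Combine both checks into one status line for a report."""
    if probe_result is not None:
        engine = probe_result.get("Version", "unknown")
        return f"EXPOSED: Engine {engine} answers API calls from the container"
    if not desktop_is_fixed(desktop_version):
        return "VULNERABLE VERSION: upgrade Docker Desktop to 4.44.3 or later"
    return "OK: fixed version and Engine API not reachable from the container"
```

The version string comes from the Docker Desktop UI or `docker version`; the probe is only meaningful when executed inside a container on the Desktop host, since that is the network position the advisory describes.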
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25308
Vulnerability details
A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.
- The control ensures information is not released into a security sphere where the recipient lacks matching access authorizations.
- The control ensures information resources are not exposed to the incorrect (public) sphere through review and authorization.
- Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.
- Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.
- Controlling internal connections prevents exposure of resources to unintended internal spheres.
- Knowing exact processing and storage locations helps avoid exposure of resources to incorrect spheres.
- The control prevents exposure of the media resource to the wrong security sphere.