CVE-2025-3224

7.8 HIGH

📋 TL;DR

A local privilege escalation vulnerability in Docker Desktop for Windows allows low-privileged users to gain SYSTEM privileges by exploiting the update process. Attackers can create malicious directory structures that cause the privileged update service to delete or manipulate arbitrary system files. This affects Windows systems running Docker Desktop versions before 4.41.0.

💻 Affected Systems

Products:
  • Docker Desktop for Windows
Versions: All versions prior to 4.41.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Docker Desktop to be installed and the update process to be triggered. The vulnerable directory path may not exist by default but can be created by low-privileged users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and full control over the Windows system.

🟠 Likely Case

Local privilege escalation to SYSTEM, enabling attackers to bypass security controls, install backdoors, or access sensitive data.

🟢 If Mitigated

Limited impact if proper access controls prevent low-privileged users from creating directories in C:\ProgramData.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised low-privileged accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and a low-privileged user account. The technique is well-documented in security research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.41.0

Vendor Advisory: https://docs.docker.com/desktop/release-notes/#4410

Restart Required: Yes

Instructions:

1. Open Docker Desktop.
2. Go to Settings > Software Updates.
3. Check for updates and install version 4.41.0 or later.
4. Restart Docker Desktop and the system if prompted.

🔧 Temporary Workarounds

Restrict directory creation in ProgramData

Platform: Windows

Modify permissions on C:\ProgramData to prevent low-privileged users from creating directories.

icacls "C:\ProgramData" /deny "Users":(OI)(CI)W

Disable Docker Desktop auto-updates

Platform: Windows

Prevent the vulnerable update process from running automatically.

In Docker Desktop Settings > Software Updates, disable 'Automatically check for updates'.

🧯 If You Can't Patch

  • Implement strict access controls to prevent low-privileged users from creating directories in C:\ProgramData.
  • Monitor for suspicious directory creation activities in C:\ProgramData\Docker\config.

🔍 How to Verify

Check if Vulnerable:

Check the Docker Desktop version in Settings > About Docker Desktop. If the version is below 4.41.0, the system is vulnerable.

Check Version (note: this prints the Docker CLI version, which is numbered separately from the Docker Desktop release; the 4.41.0 threshold applies to the Docker Desktop version shown in Settings > About):

docker version --format '{{.Client.Version}}'

Verify Fix Applied:

Verify Docker Desktop version is 4.41.0 or higher in Settings > About Docker Desktop.
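The following PowerShell script is an added example, not part of this advisory or of Docker's own tooling. It reads the Docker Desktop release number from the Desktop executable (rather than from `docker version`, whose CLI number does not map to the 4.41.0 threshold) and also reports whether BUILTIN\Users can still create entries under C:\ProgramData, i.e. whether the icacls workaround above is in place. It assumes the default install path "C:\Program Files\Docker\Docker\Docker Desktop.exe" and that the executable's product version matches the version shown in Settings > About; both are assumptions, not facts stated on this page. Before applying the deny ACE on C:\ProgramData, keep in mind that other software also writes there under a standard user account, so test the workaround on a representative machine first.

```powershell
# Added example (not from the advisory): check a Windows host for CVE-2025-3224 exposure.
# Assumptions: Docker Desktop is installed at the default path below and the
# product version of "Docker Desktop.exe" equals the Desktop release number.

$FixedVersion = [version]'4.41.0'
$DesktopExe   = 'C:\Program Files\Docker\Docker\Docker Desktop.exe'

function Get-DockerDesktopVersion {
    # `docker version` reports the CLI/engine version, a different number from the
    # Docker Desktop release, so read the Desktop executable's version instead.
    if (-not (Test-Path -LiteralPath $DesktopExe)) { return $null }
    $raw = (Get-Item -LiteralPath $DesktopExe).VersionInfo.ProductVersion
    # ProductVersion may carry a build suffix; keep only the leading major.minor.patch.
    if ($raw -match '^\s*(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-ProgramDataUserWrite {
    # True when BUILTIN\Users (S-1-5-32-545, matched by SID so localized group
    # names do not matter) holds an Allow ACE granting write/create rights on
    # C:\ProgramData that is not cancelled by a Deny ACE such as the icacls workaround.
    $acl       = Get-Acl -LiteralPath 'C:\ProgramData'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $usersSid  = 'S-1-5-32-545'
    $users = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid
    }
    $allow = $users | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) }
    $deny  = $users | Where-Object { $_.AccessControlType -eq 'Deny'  -and (($_.FileSystemRights -band $writeMask) -ne 0) }
    return ([bool]$allow -and -not [bool]$deny)
}

$v = Get-DockerDesktopVersion
if ($null -eq $v) {
    Write-Output 'Docker Desktop not found at the expected install path.'
} elseif ($v -lt $FixedVersion) {
    Write-Output "VULNERABLE: Docker Desktop $v is older than $FixedVersion (CVE-2025-3224)."
} else {
    Write-Output "OK: Docker Desktop $v includes the fix."
}

if (Test-ProgramDataUserWrite) {
    Write-Output 'Standard users can create entries under C:\ProgramData (workaround not applied).'
} else {
    Write-Output 'Standard users cannot write to C:\ProgramData.'
}
```

Run it from an elevated PowerShell so Get-Acl can read the full DACL; the version check itself needs no elevation.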

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing directory creation in C:\ProgramData\Docker\config by low-privileged users
  • Process Monitor logs showing Docker Desktop update process accessing unexpected paths

Network Indicators:

  • No network indicators - this is a local privilege escalation

SIEM Query:

EventID=4663 AND ObjectName LIKE 'C:\\ProgramData\\Docker\\config%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
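The PowerShell below is an added example, not part of this advisory: it turns the SIEM query above into something that can be run directly on a host. Event ID 4663 is only written when the "Audit File System" subcategory is enabled and the directory carries a SACL, so the script includes an optional function that adds a success-audit entry for BUILTIN\Users on C:\ProgramData covering directory and file creation (it must run elevated because writing a SACL requires SeSecurityPrivilege). The watched path, the seven-day window and the decision to exclude only LocalSystem (S-1-5-18) are choices made for this example.

```powershell
# Added example (not from the advisory): audit setup and 4663 review for the
# Docker config path named in this advisory.

$WatchPrefix = 'C:\ProgramData\Docker\config'
$Since       = (Get-Date).AddDays(-7)

function Enable-ProgramDataCreateAudit {
    # Requires an elevated session. Enables the audit subcategory and adds a
    # success-audit SACL entry for BUILTIN\Users (S-1-5-32-545) on C:\ProgramData
    # that is inherited by subfolders, so directory/file creation under it is logged.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $acl  = Get-Acl -LiteralPath 'C:\ProgramData' -Audit
    $sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath 'C:\ProgramData' -AclObject $acl
}

function ConvertTo-AuditRecord {
    # Pull the named EventData fields out of the event XML so filtering is reliable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        UserSid    = $data.SubjectUserSid
        ObjectName = $data.ObjectName
        AccessMask = $data.AccessMask
        Process    = $data.ProcessName
    }
}

function Get-DockerConfigAccessEvents {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $r = ConvertTo-AuditRecord -Event $e
        # Keep accesses under the watched path that were not made by LocalSystem.
        if ($r.ObjectName -like "$WatchPrefix*" -and $r.UserSid -ne 'S-1-5-18') { $r }
    }
}

# Uncomment once, elevated, to start collecting the events:
# Enable-ProgramDataCreateAudit

Get-DockerConfigAccessEvents | Sort-Object Time |
    Format-Table Time, User, ObjectName, AccessMask, Process -AutoSize
```

The exclusion is done on SubjectUserSid rather than on names because the SubjectUserName field of a 4663 event holds an account name (LocalSystem appears as the computer account), so a group name such as Administrators never matches it; if you want to suppress administrators as well, resolve their membership separately and filter on those SIDs.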
