CVE-2025-54388

4.6 MEDIUM

📋 TL;DR

In Docker Engine (Moby) 28.2.0 through 28.3.2 on hosts that run firewalld, a firewalld reload removes every iptables rule on the host, including the rules Docker created. Docker reinstalls its rules in response, but it omits the rule that blocks machines other than the Docker host from reaching ports published only on the loopback address (e.g. `-p 127.0.0.1:8080:80`). After the reload, such a port is reachable from any host that can route packets to the container's address on the Docker bridge network, and it stays that way until dockerd is restarted or the host is upgraded to 28.3.3.

💻 Affected Systems

Products:
  • Docker Engine
  • Mirantis Container Runtime
  • Moby-based container runtimes
Versions: 28.2.0 through 28.3.2
Operating Systems: Linux distributions using firewalld
Default Config Vulnerable: ⚠️ Yes, on any host where firewalld is the active firewall (Docker's iptables integration is on by default and cooperates with firewalld automatically)
Notes: Only hosts running the firewalld service are affected, and only containers whose ports are published to a loopback address (e.g. -p 127.0.0.1:8080:8080). Ports published to 0.0.0.0 were already reachable from outside and are not changed by this bug; ports that are not published stay unreachable. The exposure begins at the first firewalld reload after the container starts, not at container start.

📦 What is this software?

Moby is the open-source project from which Docker Engine is built. It provides the dockerd daemon and its container networking layer, which programs the host's iptables rules to implement published ports, including the loopback-only binds this advisory concerns. Mirantis Container Runtime is a commercial distribution of the same engine.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Containers with sensitive services bound only to localhost become exposed to network-accessible attackers, potentially leading to unauthorized access, data exfiltration, or lateral movement within the network.

🟠

Likely Case

Containers with administrative interfaces, monitoring dashboards, or internal APIs become temporarily accessible from the local network after firewalld maintenance or updates, creating a window of exposure.

🟢

If Mitigated

If network segmentation is properly implemented and Docker bridge networks are isolated, the exposure is limited to systems that already have routing access to the Docker bridge network.

🌐 Internet-Facing: LOW - The vulnerability requires attackers to already have network access to the Docker bridge network, which is typically not directly internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems with access to the Docker bridge network can exploit this after firewalld reloads.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no exploit code: the attacker only needs a firewalld reload to have happened on the host (deliberate, or triggered by a package update) and a route to the Docker bridge network from which to connect to the container's port. No authentication is required to reach the exposed port, and the window stays open until dockerd restarts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 28.3.3

Vendor Advisory: https://github.com/moby/moby/security/advisories/GHSA-x4rx-4gw3-53p4

Restart Required: Yes (the package upgrade restarts dockerd, and that restart alone reinstalls the complete rule set)

Instructions:

1. Stop running containers, or enable live-restore in daemon.json beforehand so they survive the daemon restart.
2. Update Docker Engine (the docker-ce package, or the vendor equivalent) to version 28.3.3 or later.
3. Restart the Docker service if the package upgrade did not already do so.
4. Start the containers again and confirm in docker ps that the loopback-only ports are still listed as 127.0.0.1:PORT.

🔧 Temporary Workarounds

Disable firewalld reload triggers

linux

The bug only fires on a firewalld reload, so until the host is patched avoid firewall-cmd --reload and package updates that reload firewalld, or confine them to a maintenance window that ends with a Docker restart. Stopping and masking firewalld removes the trigger entirely, but it also removes the host's own firewall policy, so do this only where Docker's iptables rules (or another host firewall) are acceptable on their own:

sudo systemctl mask firewalld
sudo systemctl stop firewalld

Use iptables directly instead of firewalld

linux

Run Docker with its default iptables integration and without firewalld. Stop and disable firewalld, then restart Docker so that dockerd reinstalls its complete rule set (a daemon start is not affected; only the reload handler is). If firewalld left stale rules behind and the host carries no other iptables rules, sudo iptables -F before the restart clears them; on a host with its own rules skip that step, because the flush removes them too and restores nothing:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl restart docker

🧯 If You Can't Patch

  • Monitor firewalld reload events and restart the Docker service immediately after each one; a fresh daemon start reinstalls the missing rule. Enable live-restore in daemon.json if containers must stay up across the restart.
  • Implement network segmentation so that no other system has a route to the Docker bridge subnet (172.17.0.0/16 by default) through the Docker host; that route is what an attacker needs to reach the exposed port.
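The first bullet above asks for an automated reaction to firewalld reloads. The script below is an added example, not part of the advisory or of Docker's own tooling: it watches the system D-Bus for firewalld's Reloaded signal (the same signal dockerd itself subscribes to) using dbus-monitor, and restarts dockerd on every occurrence. The function names, the `run` argument and the logger tag are this example's own; the matcher is tested against constructed dbus-monitor output, not a real capture.

```shell
#!/bin/sh
# Added example (not from the advisory or from Moby): restart dockerd whenever
# firewalld announces a reload, so that the unpatched reload handler's missing
# rule is reinstalled by a full daemon start. Needs root for the restart.
# Enable live-restore in daemon.json if containers must survive the restart.

FIREWALLD_IFACE="org.fedoraproject.FirewallD1"

# is_firewalld_reload_signal LINE: succeeds if LINE is a dbus-monitor signal
# header for org.fedoraproject.FirewallD1.Reloaded, e.g.
#   signal time=... sender=:1.9 -> destination=(null destination) serial=7 \
#     path=/org/fedoraproject/FirewallD1; interface=org.fedoraproject.FirewallD1; member=Reloaded
is_firewalld_reload_signal() {
    case "$1" in
        signal*"interface=$FIREWALLD_IFACE; member=Reloaded"*) return 0 ;;
    esac
    return 1
}

# count_reload_signals: read dbus-monitor output on stdin and print how many
# Reloaded signals it contains (lets the matcher be checked on captured output).
count_reload_signals() {
    n=0
    while IFS= read -r line; do
        if is_firewalld_reload_signal "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# on_reload: the remediation action taken per reload (hypothetical logger tag).
on_reload() {
    logger -t cve-2025-54388 "firewalld reloaded; restarting dockerd to reinstall its rules"
    systemctl restart docker
}

# watch_firewalld_reloads: stream only the Reloaded signal from the system bus
# and act on each one; runs until dbus-monitor exits.
watch_firewalld_reloads() {
    dbus-monitor --system "type='signal',interface='$FIREWALLD_IFACE',member='Reloaded'" |
    while IFS= read -r line; do
        if is_firewalld_reload_signal "$line"; then
            on_reload
        fi
    done
}

# Start watching only when invoked as "script.sh run", so the file can be sourced.
if [ "${1:-}" = "run" ]; then watch_firewalld_reloads; fi
```

Run it as a long-lived systemd service on the unpatched host (`sh watch.sh run`); the D-Bus match rule filters on the bus side, so the loop only ever sees the signal it cares about, and the case pattern in is_firewalld_reload_signal is a second check against the text dbus-monitor prints.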

🔍 How to Verify

Check if Vulnerable:

Print the Docker server version and the firewalld state; the host is exposed only if the version is between 28.2.0 and 28.3.2 inclusive and firewalld reports active:

docker version --format '{{.Server.Version}}' && systemctl is-active firewalld

Check Version:

docker version --format '{{.Server.Version}}'
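The two commands above leave the range comparison to the reader. The script below is an added example (not part of the advisory or of Docker's tooling) that does the comparison in POSIX sh, checks the other two preconditions (firewalld active, at least one running container with a loopback-published port) and returns a three-way verdict. The function names and the `run` argument are this example's own; `docker ps --format '{{.Names}} {{.Ports}}'` and `docker version --format '{{.Server.Version}}'` are real Docker CLI options.

```shell
#!/bin/sh
# Added example (not from the advisory or from Moby): is this host exposed to
# CVE-2025-54388? Affected range is 28.2.0 <= version <= 28.3.2, and the bug
# only matters when firewalld is running and a container publishes a port on
# 127.0.0.1.

# version_key "28.3.2" -> 28003002; pre-release/build suffixes (-rc1, +x) are ignored
version_key() {
    v=${1%%[-+]*}
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# in_affected_range VERSION: succeeds iff VERSION is within 28.2.0 .. 28.3.2
in_affected_range() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 28.2.0)" ] && [ "$k" -le "$(version_key 28.3.2)" ]
}

# loopback_published: print "NAME PORTS" for running containers whose port
# mappings contain a loopback bind such as 127.0.0.1:8080->80/tcp
loopback_published() {
    docker ps --format '{{.Names}} {{.Ports}}' | grep -F '127.0.0.1:' || :
}

# check_cve_2025_54388: exit 0 = vulnerable, 1 = not vulnerable, 2 = cannot tell
check_cve_2025_54388() {
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "cannot query dockerd (not running, or no permission on the socket)"
        return 2
    }
    if ! in_affected_range "$ver"; then
        echo "Docker $ver is outside 28.2.0-28.3.2: not affected"
        return 1
    fi
    if [ "$(systemctl is-active firewalld 2>/dev/null)" != "active" ]; then
        echo "Docker $ver is in the affected range but firewalld is not active: not exposed"
        return 1
    fi
    echo "VULNERABLE: Docker $ver with firewalld active. Loopback-published ports:"
    loopback_published
    return 0
}

# Run the check only when invoked as "script.sh run", so the file can be sourced.
if [ "${1:-}" = "run" ]; then check_cve_2025_54388; fi
```

A host that prints VULNERABLE but lists no loopback-published containers is not exposed right now, but will be as soon as such a container is started and firewalld is next reloaded, so it still needs the patch.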

Verify Fix Applied:

After patching, start a container with a port published to 127.0.0.1 (for example docker run -d -p 127.0.0.1:8080:80 nginx), run sudo firewall-cmd --reload, and then, from a second machine that has a route to the Docker bridge subnet, attempt to connect to the container's bridge IP and port; the connection must be refused or time out. Testing from the Docker host itself proves nothing, because the host can always reach its own bridge network.
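When no second machine with a route to the bridge is at hand, the same question can be answered locally: take an iptables-save snapshot before and after the reload and compute which Docker rules were present before but not after. A patched engine restores every rule, so the difference should be empty; on an unpatched one the missing lines are the guard that was dropped. This is an added example, not part of the advisory or of Docker's tooling; the function names and the `run` argument are this example's own, and the sample snapshots are constructed for the test (the DROP line with the "illustrative" comment is a placeholder, not the rule Docker 28.x actually emits).

```shell
#!/bin/sh
# Added example (not from the advisory or from Moby): report Docker iptables
# rules that disappear across a firewalld reload. The comparison is a set
# difference on '-A' lines, so rule order changes do not produce false alarms.
# The live check needs root (iptables-save, firewall-cmd).

# rules_dropped BEFORE AFTER: print '-A' rule lines found in BEFORE but not in AFTER
rules_dropped() {
    after_rules=$(mktemp)
    grep '^-A ' "$2" > "$after_rules" || :
    # -x whole-line, -F fixed strings, -v keep lines matched by NO pattern
    grep '^-A ' "$1" | grep -vxF -f "$after_rules" || :
    rm -f "$after_rules"
}

# count_dropped BEFORE AFTER: number of rules dropped, for scripting
count_dropped() {
    rules_dropped "$1" "$2" | grep -c '^-A ' || :
}

# write_sample_snapshots BEFORE AFTER: constructed sample, not captured output.
# Three rules before the reload; after it, the loopback guard is gone and the
# two survivors come back in a different order.
write_sample_snapshots() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.8.9
*filter
:DOCKER - [0:0]
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "loopback-only-guard (illustrative)" -j DROP
-A DOCKER ! -i docker0 -o docker0 -j DROP
COMMIT
EOF
    cat > "$2" <<'EOF'
# Generated by iptables-save v1.8.9
*filter
:DOCKER - [0:0]
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# verify_reload: live check on a Docker host, after starting a container such as
#   docker run -d --rm -p 127.0.0.1:8080:80 nginx
# Exit 0 if every rule survived the reload, 1 otherwise.
verify_reload() {
    before=$(mktemp); after=$(mktemp)
    iptables-save > "$before"
    firewall-cmd --reload
    sleep 3     # dockerd reinstalls its rules on firewalld's Reloaded signal; allow for that
    iptables-save > "$after"
    n=$(count_dropped "$before" "$after")
    if [ "$n" -eq 0 ]; then
        echo "OK: every Docker iptables rule survived the firewalld reload"
    else
        echo "EXPOSED: $n rule(s) were not recreated after the reload:"
        rules_dropped "$before" "$after"
    fi
    rm -f "$before" "$after"
    [ "$n" -eq 0 ]
}

# Run the live check only when invoked as "script.sh run", so the file can be sourced.
if [ "${1:-}" = "run" ]; then verify_reload; fi
```

Only IPv4 is compared here; on a host with Docker's IPv6 support enabled, snapshot ip6tables-save the same way. A non-empty difference on a patched engine still deserves a look: it means something other than this bug removed a rule across the reload.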

📡 Detection & Monitoring

Log Indicators:

  • firewalld reload events in the system journal (firewall-cmd --reload, systemctl reload firewalld, or a package post-install script) on hosts still running Docker 28.2.0 through 28.3.2
  • Do not wait for an iptables error from dockerd: the advisory describes the rule as simply not being recreated, so there may be nothing in Docker's log. Treat every reload on an unpatched host as an exposure event.

Network Indicators:

  • Unexpected network connections to container ports that should be localhost-only
  • Port scans detecting exposed container ports

SIEM Query (Splunk-style and illustrative; the source and process field names depend on how journald is forwarded):

(source="systemd" process="firewalld" reload) OR (source="docker" process="dockerd" iptables failed)
