Docker Desktop for Windows <4.41.0: Local Priv Esc via Config Manipulation
CVE-2025-3224 Published on April 28, 2025
Elevation of Privilege in Docker Desktop for Windows during Upgrade due to Insecure Directory Deletion
A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege.
Weakness Types
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
What is an insecure temporary file vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2025-3224 has been classified as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2025-3224
Affected Versions
Docker Desktop: versions before 4.41.0 are affected.
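A read-only exposure check for the condition described above, added here as an example and not taken from Docker or the advisory: it compares the installed version against 4.41.0 and inspects C:\ProgramData\Docker\config for untrusted owners and for junctions or symlinks. It assumes Docker Desktop registers an Uninstall entry whose DisplayName starts with "Docker Desktop", and that only SYSTEM, Administrators and TrustedInstaller count as trusted owners.

```powershell
# Added example: read-only exposure check for CVE-2025-3224. Nothing is modified.
$fixed  = [version]'4.41.0'                    # first fixed release per the advisory
$root   = Join-Path $env:ProgramData 'Docker'
$target = Join-Path $root 'config'             # path the updater deletes from
# Locale-independent well-known SIDs: SYSTEM, BUILTIN\Administrators, TrustedInstaller.
# Treating only these as trusted owners is an assumption of this example.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-PathFinding {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $sid  = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    [pscustomobject]@{
        Path         = $Path
        OwnerSid     = $sid
        OwnerTrusted = $sid -in $trusted
        ReparsePoint = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
    }
}

# 1. Installed version, read from the standard Uninstall registry entries (assumed DisplayName).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Docker Desktop*' } | Select-Object -First 1
$ver = $app.DisplayVersion -as [version]
if ($ver) {
    $state = if ($ver -lt $fixed) { 'AFFECTED (before 4.41.0)' } else { 'at or above the fixed version' }
    "Docker Desktop ${ver}: $state"
} else { 'Docker Desktop version not found in the Uninstall registry entries' }

# 2. Walk the config tree without descending into junctions or symlinks.
if (-not (Test-Path -LiteralPath $root)) {
    "$root is absent; per the advisory, standard users can create it under ProgramData."
} else {
    $rootFinding = Get-PathFinding $root
    $stack = New-Object System.Collections.Stack
    if (-not $rootFinding.ReparsePoint -and (Test-Path -LiteralPath $target)) { $stack.Push($target) }
    $found = @($rootFinding) + @(while ($stack.Count -gt 0) {
        $f = Get-PathFinding $stack.Pop(); $f
        if (-not $f.ReparsePoint -and (Test-Path -LiteralPath $f.Path -PathType Container)) {
            Get-ChildItem -LiteralPath $f.Path -Force | ForEach-Object { $stack.Push($_.FullName) }
        }
    })
    $flagged = $found | Where-Object { $_.ReparsePoint -or -not $_.OwnerTrusted }
    if ($flagged) { $flagged | Format-Table -AutoSize } else { 'No untrusted owners or reparse points found.' }
}
```

A flagged entry on a host still running a version before 4.41.0 is worth investigating before the next update runs; run the check from an elevated prompt so owner information can be read for every entry.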
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.