CVE-2025-9074

August 25, 2025 · View on GitHub

Author: w01f

Status: Proof-of-Concept (educational / authorized testing only)

Overview

This project demonstrates a PoC for CVE-2025-9074, a misconfiguration/exposure in certain versions of Docker Desktop for Windows where the Docker Engine HTTP API at http://192.168.65.7:2375 is reachable from containers (and sometimes via SSRF), allowing an attacker to create a container with a bind mount to the Windows host drive and write files to the host.

⚠️ Use only in a controlled lab or with explicit written permission. Misuse may violate laws and policies.

What this PoC does

  • Connects to the Docker Engine API (default: http://192.168.65.7:2375)
  • Creates a short-lived container with a bind mount from the host C:\ (as /mnt/host/c inside the Linux VM) to /host_root inside the container
  • Runs a simple command to create C:\pwn.txt on the host

If the target is vulnerable, you’ll see the file appear on the Windows host.

Affected / Preconditions

  • Target: Windows machine running vulnerable Docker Desktop where the Engine API is exposed to containers at 192.168.65.7:2375 (HTTP, no TLS).
  • Attacker vantage: Any container running on that host (or a service with SSRF access to the engine endpoint).
  • This PoC runs inside a container (typical real-world vantage point).

✅ If GET http://192.168.65.7:2375/_ping returns OK from inside a container, the PoC conditions likely exist.

Repository Layout

.
├─ cve_2025_9074_poc.py     # Python PoC (requests-based)
└─ README.md                # This file

Requirements

  • Python 3.8+
  • pip install requests
  • Ability to reach the Docker Engine API (default: http://192.168.65.7:2375) from the container where you run the PoC

Quick Start (inside a container on the target host)

# 1) Install dependency
pip install --no-input requests

# 2) Run the PoC
python3 cve_2025_9074_poc.py

# Optional: customize output filename or image
# python3 cve_2025_9074_poc.py --outfile test.txt --image busybox

Default behavior:

  • Target engine: http://192.168.65.7:2375
  • Host path bound: /mnt/host/c (Windows C:\ as seen from the Linux VM)
  • Mount point in container: /host_root
  • File created on host: C:\pwn.txt

Command-line options

--host        Engine host IP (default: 192.168.65.7)
--port        Engine port     (default: 2375)
--image       Container image (default: alpine)
--host-path   Path on engine host/VM to bind (default: /mnt/host/c)
--mount-path  Path inside the container      (default: /host_root)
--outfile     Filename to create on host C:\ (default: pwn.txt)

Expected Result

On a vulnerable system, after running the PoC you should find:

C:\pwn.txt

containing the text pwned_by_CVE_2025_9074.

Cleanup

The PoC uses a short-lived container. If you want to be thorough:

# From a privileged shell with docker CLI access:
docker ps -a --format '{{.ID}}\t{{.Image}}\t{{.Command}}'
# Remove by container ID if any remain:
docker rm -f <CONTAINER_ID>
# Remove the test file on the host:
del C:\pwn.txt

Mitigation (Defensive Guidance)

  • Update Docker Desktop for Windows to a patched release (or the latest available).
  • Ensure the Docker Engine API is not exposed over plain HTTP to untrusted networks or to containers.
  • Prefer TLS-protected access and strict access controls for the Engine API.
  • Consider network policies / firewall rules that block container access to the engine endpoint.

Detection Ideas (Blue Team)

  • Look for container create events where HostConfig.Binds includes paths like /mnt/host/c or other host drive mounts.
  • Monitor unexpected file creations on C:\ from processes attributable to the Docker Linux VM context.
  • Network telemetry from container namespaces to 192.168.65.7:2375 (HTTP) is suspicious.

Troubleshooting

  • /ping not OK / connection refused: The engine API isn’t reachable from your container; the host may be patched or not exposed.
  • File not created: Check that --host-path correctly maps to the Windows C:\ from the Linux VM. Some environments differ.
  • Image pull issues: Pre-pull alpine or switch to busybox with --image busybox.

This PoC is provided for educational and authorized testing only. Running against systems without explicit written authorization is illegal and unethical. The author and contributors are not responsible for misuse or damages.

License

MIT


Author: w01f