CVE-2025-9074
August 25, 2025 · View on GitHub
Author: w01f
Status: Proof-of-Concept (educational / authorized testing only)
Overview
This project demonstrates a PoC for CVE-2025-9074, a misconfiguration/exposure in certain versions of Docker Desktop for Windows where the Docker Engine HTTP API at http://192.168.65.7:2375 is reachable from containers (and sometimes via SSRF), allowing an attacker to create a container with a bind mount to the Windows host drive and write files to the host.
⚠️ Use only in a controlled lab or with explicit written permission. Misuse may violate laws and policies.
What this PoC does
- Connects to the Docker Engine API (default:
http://192.168.65.7:2375) - Creates a short-lived container with a bind mount from the host
C:\(as/mnt/host/cinside the Linux VM) to/host_rootinside the container - Runs a simple command to create
C:\pwn.txton the host
If the target is vulnerable, you’ll see the file appear on the Windows host.
Affected / Preconditions
- Target: Windows machine running vulnerable Docker Desktop where the Engine API is exposed to containers at
192.168.65.7:2375(HTTP, no TLS). - Attacker vantage: Any container running on that host (or a service with SSRF access to the engine endpoint).
- This PoC runs inside a container (typical real-world vantage point).
✅ If
GET http://192.168.65.7:2375/_pingreturnsOKfrom inside a container, the PoC conditions likely exist.
Repository Layout
.
├─ cve_2025_9074_poc.py # Python PoC (requests-based)
└─ README.md # This file
Requirements
- Python 3.8+
pip install requests- Ability to reach the Docker Engine API (default:
http://192.168.65.7:2375) from the container where you run the PoC
Quick Start (inside a container on the target host)
# 1) Install dependency
pip install --no-input requests
# 2) Run the PoC
python3 cve_2025_9074_poc.py
# Optional: customize output filename or image
# python3 cve_2025_9074_poc.py --outfile test.txt --image busybox
Default behavior:
- Target engine:
http://192.168.65.7:2375 - Host path bound:
/mnt/host/c(Windows C:\ as seen from the Linux VM) - Mount point in container:
/host_root - File created on host:
C:\pwn.txt
Command-line options
--host Engine host IP (default: 192.168.65.7)
--port Engine port (default: 2375)
--image Container image (default: alpine)
--host-path Path on engine host/VM to bind (default: /mnt/host/c)
--mount-path Path inside the container (default: /host_root)
--outfile Filename to create on host C:\ (default: pwn.txt)
Expected Result
On a vulnerable system, after running the PoC you should find:
C:\pwn.txt
containing the text pwned_by_CVE_2025_9074.
Cleanup
The PoC uses a short-lived container. If you want to be thorough:
# From a privileged shell with docker CLI access:
docker ps -a --format '{{.ID}}\t{{.Image}}\t{{.Command}}'
# Remove by container ID if any remain:
docker rm -f <CONTAINER_ID>
# Remove the test file on the host:
del C:\pwn.txt
Mitigation (Defensive Guidance)
- Update Docker Desktop for Windows to a patched release (or the latest available).
- Ensure the Docker Engine API is not exposed over plain HTTP to untrusted networks or to containers.
- Prefer TLS-protected access and strict access controls for the Engine API.
- Consider network policies / firewall rules that block container access to the engine endpoint.
Detection Ideas (Blue Team)
- Look for container create events where
HostConfig.Bindsincludes paths like/mnt/host/cor other host drive mounts. - Monitor unexpected file creations on
C:\from processes attributable to the Docker Linux VM context. - Network telemetry from container namespaces to
192.168.65.7:2375(HTTP) is suspicious.
Troubleshooting
/pingnot OK / connection refused: The engine API isn’t reachable from your container; the host may be patched or not exposed.- File not created: Check that
--host-pathcorrectly maps to the WindowsC:\from the Linux VM. Some environments differ. - Image pull issues: Pre-pull
alpineor switch tobusyboxwith--image busybox.
Legal & Ethical Notice
This PoC is provided for educational and authorized testing only. Running against systems without explicit written authorization is illegal and unethical. The author and contributors are not responsible for misuse or damages.
License
MIT
Author: w01f