CVE-2025-9164: CWE-427 Uncontrolled Search Path Element in Docker Docker Desktop
Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads folder before checking system directories, allowing local privilege escalation through malicious DLL placement. This issue affects Docker Desktop: through 4.48.0.
AI Analysis
Technical Summary
CVE-2025-9164 is a DLL hijacking vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Docker Desktop Installer.exe through version 4.48.0. The installer loads one or more DLLs by name rather than by fully qualified path, so Windows resolves them through the default DLL search order, which consults the directory the executable was launched from before the system directories. Because the installer is normally run straight from the user's Downloads folder, a DLL of the expected name placed there is loaded instead of the legitimate system copy. The installer runs with administrative privileges in order to install Docker Desktop, so the planted DLL executes with those rights: an attacker who can write to the Downloads folder of an account that will later run the installer (a low-privileged local user on a shared host, or malware already running as that user) obtains local privilege escalation and can compromise the host. Exploitation needs local write access to the directory the installer is launched from, and the installer must be run; there is no remote vector. The published CVSS 4.0 vector records a local attack vector (AV:L), high attack complexity (AC:H), low privileges required (PR:L) and no user interaction (UI:N), with high impact on confidentiality, integrity and availability. No public exploit has been reported, but the issue is rated high because Docker Desktop is widely installed on developer workstations and DLL search-order hijacking is a well-understood, easily weaponized technique; the fix is equally well understood (update past 4.48.0, and never run installers from directories that other users or untrusted processes can write to).
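The observable this leaves on an endpoint is the installer process loading a DLL out of a Downloads path. The PowerShell hunt below is an added example, not part of the advisory or of Docker's tooling; it assumes Sysmon is deployed with ImageLoad (Event ID 7) logging enabled for the installer process, and it parses the Sysmon event fields (Image, ImageLoaded, Signed, Signature, SignatureStatus, Hashes) to list such loads for triage.

```powershell
# Added example (not from the advisory): hunt Sysmon ImageLoad events (Event ID 7)
# for Docker Desktop Installer.exe loading a DLL from a user's Downloads folder.
# Assumption: Sysmon is installed and its config has an ImageLoad rule that
# covers the installer process; otherwise no Event ID 7 records exist.

param(
    [int]$LookbackHours = 72
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$hits = foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Sysmon stores its fields as <Data Name="...">value</Data>; flatten into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only the installer process, and only DLLs resolved from a Downloads directory.
    if ($data['Image'] -notmatch 'Docker Desktop Installer\.exe$') { continue }
    if ($data['ImageLoaded'] -notmatch '\\Users\\[^\\]+\\Downloads\\') { continue }

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Process   = $data['Image']
        Dll       = $data['ImageLoaded']
        Signed    = $data['Signed']
        Signature = $data['Signature']
        SigStatus = $data['SignatureStatus']
        Hashes    = $data['Hashes']
    }
}

if (-not $hits) {
    Write-Host "No installer DLL loads from a Downloads folder in the last $LookbackHours hours."
} else {
    # Any DLL loaded from Downloads by the installer is the condition the advisory
    # describes; an unsigned one, or one not signed by Docker or Microsoft, is the
    # strongest indicator and should be hashed and triaged first.
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Run it elevated on the suspect host (or remotely through Invoke-Command) and compare the Hashes column against the DLLs shipped with a known-good installer; a hit with Signed=false is worth pulling the file for analysis before the machine is reimaged.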
Potential Impact
For European organizations, the exposure is concentrated on Windows endpoints where Docker Desktop is installed for software development, testing or local container workflows. Successful exploitation yields code execution with administrative privileges on the endpoint, which can lead to theft of credentials and source code, tampering with images and build artifacts, disruption of containerized applications, and lateral movement into the corporate network. Organizations whose DevOps or CI/CD tooling runs on such workstations face operational disruption and a credible supply-chain risk, because a compromised developer machine can build, sign or push artifacts. The local-only vector rules out direct remote exploitation but not insider misuse, nor follow-on escalation from an endpoint already compromised through phishing or a drive-by download that drops a DLL into Downloads. Given the high severity rating and how common Docker Desktop is on developer machines, the potential impact on confidentiality, integrity and availability is substantial; the absence of a public exploit leaves a window for proactive patching.
Mitigation Recommendations
1. Upgrade Docker Desktop to a release later than 4.48.0, the last version the advisory lists as affected.
2. Until every host is upgraded, never launch the installer from Downloads or any other directory that other users or untrusted processes can write to: copy it into a freshly created directory writable only by Administrators, confirm nothing else is in that directory, and run it from there.
3. Obtain the installer only from Docker's official download channel and verify its Authenticode signature before running it.
4. Use application control (for example WDAC or AppLocker DLL rules) and endpoint protection to block unsigned DLLs loading from user-writable paths and to alert when an installer process loads a DLL from a Downloads folder.
5. Audit user Downloads folders periodically for unexpected DLL files and monitor for privilege-escalation indicators.
6. Educate users about the risks of running installers from untrusted locations and the importance of verifying software sources.
7. Apply least privilege: developers should not routinely work as local administrators, which limits what an attacker who lands in a user context can stage.
8. Extend monitoring into DevOps pipelines so that anomalous host or container behavior after an installation is detected.
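The following PowerShell script is an added example of the staging-directory and signature-check recommendations above; it is not Docker's own installation guidance. It assumes the installer sits in the current user's Downloads folder under its default file name, that the script runs in an elevated session, that Docker's code-signing certificate subject contains "Docker", and it uses the `install` subcommand Docker documents for command-line installs.

```powershell
# Added example (not Docker's own guidance): stage the installer in a new directory
# that only SYSTEM and Administrators can write to, refuse to run if anything else
# is present, verify the Authenticode signature, then launch it from there.
# Assumptions: default installer file name in the current user's Downloads folder,
# an elevated PowerShell session, and a Docker-issued signing certificate.

$ErrorActionPreference = 'Stop'

$name  = 'Docker Desktop Installer.exe'
$src   = Join-Path $env:USERPROFILE ("Downloads\" + $name)
$stage = Join-Path $env:ProgramData ('DockerInstall-' + [guid]::NewGuid().ToString('N'))

# 1. Create the staging directory and replace its inherited ACL. Well-known SIDs
#    are used so the script does not depend on localized group names:
#    S-1-5-18 = SYSTEM, S-1-5-32-544 = Administrators, S-1-5-32-545 = Users.
#    Users get read/execute only, so they cannot drop a DLL next to the installer.
New-Item -ItemType Directory -Path $stage | Out-Null
& icacls $stage /inheritance:r `
    /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null

# 2. Copy only the installer, never the rest of the Downloads folder.
Copy-Item -LiteralPath $src -Destination $stage
$exe = Join-Path $stage $name

# 3. Abort if anything but the installer is present: a DLL planted here would be
#    picked up by the application-directory step of the DLL search order.
$stray = Get-ChildItem -LiteralPath $stage -Force | Where-Object { $_.Name -ne $name }
if ($stray) {
    throw "Unexpected files in staging directory: $($stray.Name -join ', ')"
}

# 4. Check that the installer itself is validly signed by Docker before trusting it.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Docker') {
    throw "Installer signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# 5. Run the installer from the locked-down directory, wait for it, then clean up.
Start-Process -FilePath $exe -ArgumentList 'install' -Wait
Remove-Item -LiteralPath $stage -Recurse -Force
```

The check in step 3 is the important one for this CVE: the ACL prevents a standard user from planting a DLL after staging, and the directory listing catches anything that was copied in alongside the installer by mistake. Add `--quiet` to the argument list for unattended deployment if that matches your rollout tooling.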
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Docker
Date Reserved: 2025-08-19T13:19:17.483Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 68ff7cafba6dffc5e2fbe7a6
Added to database: 10/27/2025, 2:07:43 PM
Last enriched: 11/3/2025, 3:12:07 PM
Last updated: 12/11/2025, 10:38:37 AM
Views: 551