Docker Desktop 4.44.3 - Unauthenticated API Exposure
Docker Desktop 4.44.3 - Unauthenticated API Exposure
AI Analysis
Technical Summary
Docker Desktop 4.44.3 has an unauthenticated API exposure vulnerability that can be exploited locally. This vulnerability allows an attacker with local access to interact with the Docker API without authentication, potentially leading to unauthorized actions. Exploit code has been published in Perl, demonstrating the feasibility of exploitation. No specific affected versions are listed beyond 4.44.3, and no vendor advisory or patch information is provided.
Potential Impact
The vulnerability enables unauthenticated local access to the Docker Desktop API, which could allow an attacker with local system access to perform unauthorized operations via the API. The exact impact depends on the API capabilities exposed but may include container management or system manipulation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for suspicious local activity related to Docker Desktop.
Indicators of Compromise
- exploit-code: # Exploit Title: Docker Desktop 4.44.3 - Unauthenticated API Exposure # Date: 2025-10-06 # Exploit Author: OilSeller2001 # Vendor Homepage: https://www.docker.com/ # Software Link: https://www.docker.com/products/docker-desktop/ # Version: Affected on Windows and macOS versions prior to 4.44.3 # Tested on: Windows 11 + Docker Desktop 4.43.0 # Exploit Type: Remote, Local, Shellcode # Platform: Windows # CVE: CVE-2025-9074 # Description: This PoC script exploits a security misconfiguration in the unauthenticated exposure of the Docker Engine API. By sending crafted API requests directly to the Docker daemon, the script creates and starts a specially prepared container. The container leverages the bind mount feature to map sensitive directories from the host filesystem into the container, effectively granting arbitrary access to the host. This results in a high-privilege remote code execution scenario. # Vulnerability Details: The Docker Engine API (TCP port 2375) can be exposed without TLS authentication via the "Expose daemon on tcp://localhost:2375 without TLS" option in Docker Desktop. If this option is enabled, any local or remote attacker with network access to the exposed port can control the Docker daemon without authentication. # Usage: 1. Expose the Docker daemon on TCP 2375 without TLS (testing environment only). 2. Run the PoC against the target: python3 poc_cve_2025_9074.py <target_ip>:2375 3. The script will: - Check API availability - Pull an image - Create a malicious container with bind mounts to the host filesystem - Start the container, allowing access to host files # Mitigation: - Disable the unauthenticated Docker API exposure after testing. - Use TLS certificates if remote API access is required. - Restrict network access to port 2375 via firewall rules. # PoC Download Link: https://github.com/OilSeller2001/PoC-for-CVE-2025-9074
Docker Desktop 4.44.3 - Unauthenticated API Exposure
Description
Docker Desktop 4.44.3 - Unauthenticated API Exposure
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Docker Desktop 4.44.3 has an unauthenticated API exposure vulnerability that can be exploited locally. This vulnerability allows an attacker with local access to interact with the Docker API without authentication, potentially leading to unauthorized actions. Exploit code has been published in Perl, demonstrating the feasibility of exploitation. No specific affected versions are listed beyond 4.44.3, and no vendor advisory or patch information is provided.
Potential Impact
The vulnerability enables unauthenticated local access to the Docker Desktop API, which could allow an attacker with local system access to perform unauthorized operations via the API. The exact impact depends on the API capabilities exposed but may include container management or system manipulation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for suspicious local activity related to Docker Desktop.
Technical Details
- Edb Id
- 52472
- Has Exploit Code
- true
- Code Language
- perl
Indicators of Compromise
Exploit Source Code
Exploit code for Docker Desktop 4.44.3 - Unauthenticated API Exposure
# Exploit Title: Docker Desktop 4.44.3 - Unauthenticated API Exposure # Date: 2025-10-06 # Exploit Author: OilSeller2001 # Vendor Homepage: https://www.docker.com/ # Software Link: https://www.docker.com/products/docker-desktop/ # Version: Affected on Windows and macOS versions prior to 4.44.3 # Tested on: Windows 11 + Docker Desktop 4.43.0 # Exploit Type: Remote, Local, Shellcode # Platform: Windows # CVE: CVE-2025-9074 # Description: This PoC script exploits a security misconfiguration in th... (1404 more characters)
Threat ID: 69845ddcf9fa50a62f0fd4b0
Added to database: 2/5/2026, 9:07:40 AM
Last enriched: 4/7/2026, 11:05:05 AM
Last updated: 5/7/2026, 7:43:20 AM
Views: 537
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.