CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-15558: Local Privilege Escalation via Uncontrolled Search Path in Docker CLI for Windows

Vulnerability ID: CVE-2025-15558
CVSS Score: 7.0
Published: 2026-03-05

A critical Local Privilege Escalation (LPE) vulnerability affects Docker CLI for Windows, stemming from an insecure plugin search path in the C:\ProgramData directory. Due to permissive default Access Control Lists (ACLs) on Windows, low-privileged users can create subdirectories within ProgramData. The Docker CLI plugin manager inadvertently trusts this location, allowing attackers to plant malicious executables that are subsequently executed by privileged users during standard Docker operations.

TL;DR

Docker CLI for Windows insecurely searches for plugins in a user-writable directory under %ProgramData%. A local attacker can create this directory and plant a malicious binary (e.g., docker-compose.exe). When a victim runs Docker commands, the malicious binary executes with the victim's privileges, leading to privilege escalation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-427
  • Attack Vector: Local
  • CVSS v4.0: 7.0 (High)
  • CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H
  • Exploit Status: PoC Ready
  • KEV Status: Not Listed

Affected Systems

  • Docker CLI for Windows <= 29.1.5
  • Docker Desktop for Windows < 4.37.0
  • Docker Compose (as plugin manager)
  • Docker CLI: <= 29.1.5 (Fixed in: 29.2.0)
  • Docker Desktop: < 4.37.0 (Fixed in: 4.37.0)

Code Analysis

Commit: 1375933

Remove ProgramData from default system plugin dirs on Windows

var defaultSystemPluginDirs = []string{
-   filepath.Join(os.Getenv("ProgramData"), "Docker", "cli-plugins"),
    filepath.Join(os.Getenv("ProgramFiles"), "Docker", "cli-plugins"),
 }
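
Review bot: the entry that remains, filepath.Join(os.Getenv("ProgramFiles"), "Docker", "cli-plugins"), still builds a trusted search path from an environment variable. filepath.Join drops empty elements, so if ProgramFiles is unset in the process environment the result is the relative path Docker\cli-plugins, which resolves against the current working directory. Suggest skipping the entry when the variable is empty or the joined path is not absolute, and adding a comment above the slice recording why ProgramData is excluded (non-admin users can create subdirectories there by default) so it is not reintroduced later.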

Mitigation Strategies

  • Software Update
  • ACL Hardening
  • Directory Monitoring

Remediation Steps:

  1. Upgrade Docker Desktop for Windows to version 4.37.0 or later.
  2. Ensure the Docker CLI binary is version 29.2.0 or higher.
  3. If immediate patching is impossible, administrators should manually create the directory C:\ProgramData\Docker\cli-plugins and restrict its ACLs to allow write access only to SYSTEM and Administrators.
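
One way to carry out step 3 from an elevated PowerShell session, as an added example that is not from the original report or from Docker. It assumes the well-known SIDs for SYSTEM, Administrators and Users, gives Users read/execute only, and first reports anything already in the directory, since content that predates the ACL change cannot be trusted.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, create and lock down the plugin directory from remediation step 3.
$pluginDir = Join-Path $env:ProgramData 'Docker\cli-plugins'
$sidType = [System.Security.Principal.SecurityIdentifier]
$system  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$admins  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$users   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users (assumed read-only)

if (Test-Path -LiteralPath $pluginDir) {
    # The directory predates hardening: a non-admin may have created or filled it.
    # Report it and its contents with their owners; review or remove them before trusting.
    $found = @(Get-Item -LiteralPath $pluginDir -Force) +
             @(Get-ChildItem -LiteralPath $pluginDir -Recurse -Force)
    foreach ($item in $found) {
        $owner = (Get-Acl -LiteralPath $item.FullName).Owner
        Write-Warning "Pre-existing: $($item.FullName) (owner: $owner)"
    }
} else {
    New-Item -ItemType Directory -Path $pluginDir -Force | Out-Null
}

$acl = Get-Acl -LiteralPath $pluginDir
$acl.SetOwner($admins)
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from ProgramData, drop inherited ACEs
# Remove every explicit ACE already present, whoever it was granted to.
foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
    $acl.RemoveAccessRuleSpecific($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($grant in @(@($system, 'FullControl'), @($admins, 'FullControl'), @($users, 'ReadAndExecute'))) {
    $rights = [System.Security.AccessControl.FileSystemRights]$grant[1]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $grant[0], $rights, $inherit, $none, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $pluginDir -AclObject $acl

# Show the resulting ACL: only the three explicit entries above should remain.
(Get-Acl -LiteralPath $pluginDir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Files that were already in the directory keep their own owner and explicit ACEs, so any item listed by the warning needs to be reviewed or removed separately.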

Read the full report for CVE-2025-15558 on our website for more details including interactive diagrams and full exploit analysis.