CVE-2025-3224

Elevation of Privilege in Docker Desktop for Windows during Upgrade due to Insecure Directory Deletion

Description

A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege.

Category

7.3
CVSS
Severity: High
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.01%
Affected: Docker Docker Desktop
Published at:
Updated at:

References

Link Tags
https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks technical description

Frequently Asked Questions

What is the severity of CVE-2025-3224?
CVE-2025-3224 has been scored as a high severity vulnerability.
How to fix CVE-2025-3224?
To fix CVE-2025-3224, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-3224 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-3224 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-3224?
CVE-2025-3224 affects Docker Docker Desktop.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.