CVE-2025-3224: Elevation of Privilege in Docker Desktop for Windows during Upgrade due to Insecure Directory Deletion

7.3 CVSS

Description

A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop deletes files and subdirectories under C:\ProgramData\Docker\config with high privileges. That directory often does not exist by default, and the default ACL on C:\ProgramData allows standard users to create new subdirectories. An attacker who creates a malicious Docker\config folder structure there beforehand (for example, one containing junctions or symbolic links that redirect the path, the link-following weakness listed as CWE-59 below) can make the privileged update process delete or manipulate arbitrary files on the system. Turning a privileged arbitrary file delete into SYSTEM code execution is a known technique, described in the referenced Zero Day Initiative write-up; the outcome is Elevation of Privilege.
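As an added example that is not part of the advisory or of Docker's own code, the PowerShell script below checks a Windows host for the three preconditions the description names: an installed Docker Desktop older than 4.41.0, a C:\ProgramData ACL that lets standard users create subdirectories, and an existing (possibly attacker-planted) Docker\config tree, with any reparse points under it reported. The registry location used for the version and the DisplayName 'Docker Desktop' are assumptions; the fixed version and the paths come from the description.

```powershell
# Added example for CVE-2025-3224 (not Docker's code): check a host for the
# preconditions named in the advisory.
# Assumptions: Docker Desktop registers itself under the standard Uninstall
# registry keys with DisplayName 'Docker Desktop' and a DisplayVersion string;
# the first fixed release is 4.41.0, as stated in the description.
#Requires -RunAsAdministrator

$FixedVersion = [version]'4.41.0'
$ParentDir    = 'C:\ProgramData'
$DockerDir    = 'C:\ProgramData\Docker'
$ConfigDir    = 'C:\ProgramData\Docker\config'

# 1. Installed Docker Desktop version (native and WOW6432Node uninstall keys).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$docker = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Docker Desktop*' } |
    Select-Object -First 1

if (-not $docker -or -not $docker.DisplayVersion) {
    Write-Output 'Docker Desktop not found in the Uninstall registry keys.'
} else {
    # Strip any suffix such as "-beta" so the string casts to [version].
    $installed = [version]($docker.DisplayVersion -replace '[^\d.].*$', '')
    $state = if ($installed -lt $FixedVersion) { 'VULNERABLE (older than 4.41.0)' } else { 'fixed' }
    Write-Output ('Docker Desktop {0}: {1}' -f $installed, $state)
}

# 2. Can non-administrators create subdirectories in C:\ProgramData?
#    CreateDirectories (same bit as AppendData) on the parent is what lets a
#    standard user plant Docker\config before the privileged updater runs.
$lowPrivIdentities = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$createDirs = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$grants = (Get-Acl -Path $ParentDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $lowPrivIdentities -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $createDirs) -eq $createDirs)
}
foreach ($g in $grants) {
    Write-Output ('{0} can create directories in {1} ({2})' -f
        $g.IdentityReference, $ParentDir, $g.FileSystemRights)
}

# 3. Does the target tree already exist, who owns it, and does any entry in it
#    redirect elsewhere? A reparse point (junction or symbolic link) under a
#    path that SYSTEM will recursively delete is the CWE-59 redirect primitive.
$trustedOwners = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
foreach ($dir in $DockerDir, $ConfigDir) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Output "$dir does not exist (default state; a standard user could create it)."
        continue
    }
    $item  = Get-Item -LiteralPath $dir -Force
    $owner = (Get-Acl -LiteralPath $dir).Owner
    Write-Output "$dir exists, owner: $owner"
    if ($trustedOwners -notcontains $owner) {
        Write-Warning "$dir is not owned by SYSTEM or Administrators; treat it as untrusted."
    }
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        Write-Warning ('{0} is itself a reparse point ({1}) -> {2}' -f
            $dir, $item.LinkType, ($item.Target -join ','))
    }
    $links = Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }
    foreach ($l in $links) {
        Write-Warning ('Reparse point under {0}: {1} ({2}) -> {3}' -f
            $dir, $l.FullName, $l.LinkType, ($l.Target -join ','))
    }
    if (-not $links) { Write-Output "No reparse points found under $dir." }
}
```

Run it from an elevated prompt. A vulnerable version combined with a creatable (or already present, non-admin-owned) Docker\config tree is the state the advisory describes; the remediation it supports is upgrading to 4.41.0 or later, and any reparse point the script reports under that tree deserves investigation before the next update runs.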

Classification

CVE ID: CVE-2025-3224

CVSS Base Severity: HIGH

CVSS Base Score: 7.3

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-269 Improper Privilege Management

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Affected Products

Vendor: Docker

Product: Docker Desktop

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 1.83% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-27 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3224
https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks

Timeline