CVE-2025-15558
Privilege Escalation via Malicious CLI Plugins in Docker Windows
Publication date: 2026-03-04
Last updated on: 2026-03-09
Assigner: Docker Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| docker | command_line_interface | up to and including 29.1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Docker CLI for Windows, which searches for plugin binaries in the directory C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default.
A low-privileged attacker can create this directory and place malicious CLI plugin binaries (such as docker-compose.exe or docker-buildx.exe). These malicious binaries are executed when a victim user opens Docker Desktop or uses Docker CLI plugin features.
If the Docker CLI is executed as a privileged user, this can lead to privilege escalation, allowing the attacker to gain higher-level access.
How can this vulnerability impact me?
This vulnerability can allow a low-privileged attacker to escalate their privileges by placing malicious plugin binaries in a directory that Docker CLI for Windows searches by default.
When a victim user runs Docker Desktop or invokes Docker CLI plugin features, these malicious binaries can be executed, potentially compromising the system.
If Docker CLI is run with elevated privileges, the attacker could gain those elevated privileges, leading to a serious security breach.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the directory C:\ProgramData\Docker\cli-plugins exists on your Windows system and whether it contains any unexpected or suspicious CLI plugin binaries such as docker-compose.exe or docker-buildx.exe.
You can use the following commands in Windows PowerShell or Command Prompt to detect the presence of this directory and list its contents:
- Check if the directory exists: `Test-Path C:\ProgramData\Docker\cli-plugins` (PowerShell) or `dir C:\ProgramData\Docker\cli-plugins` (Command Prompt)
- List files in the directory: `Get-ChildItem C:\ProgramData\Docker\cli-plugins` (PowerShell) or `dir C:\ProgramData\Docker\cli-plugins` (Command Prompt)
If the directory exists and contains plugin binaries, especially those that you did not install or recognize, it may indicate exploitation or attempted exploitation of this vulnerability.
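The two checks above can be combined into one read-only audit that also records signature status, owner and hash for each file found, and shows which accounts could create or write to the legacy path. This is an added example, not code from Docker or from this page; the function name `Get-UntrustedWriter` is hypothetical, and treating only SYSTEM, Administrators and TrustedInstaller as trusted writers is an assumption to adjust for your environment.

```powershell
# Added example: read-only audit of the legacy plugin path named in CVE-2025-15558.
$legacy = Join-Path $env:ProgramData 'Docker\cli-plugins'

# Rights that let a principal create or replace a file in a directory.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
# Assumption: only these well-known SIDs are trusted writers
# (SYSTEM, BUILTIN\Administrators, TrustedInstaller).
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-UntrustedWriter {   # hypothetical helper name
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the result does not depend on localized account names.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            (($_.PropagationFlags -band $inheritOnly) -eq 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights
}

if (-not (Test-Path -LiteralPath $legacy)) {
    "Legacy plugin directory absent: $legacy"
} else {
    "Legacy plugin directory PRESENT: $legacy (owner: $((Get-Acl -LiteralPath $legacy).Owner))"
    Get-ChildItem -LiteralPath $legacy -File -Recurse -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Created   = $_.CreationTimeUtc
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
}

# The nearest existing ancestor decides who could create the missing directory;
# if the directory exists, this reports who can write into it.
$dir = $legacy
while (-not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Parent $dir }
Get-UntrustedWriter -Path $dir | Format-Table -AutoSize
```

Any file listed with a `SigStatus` other than `Valid`, or with a non-administrative owner, deserves review before the directory is removed.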
What immediate steps should I take to mitigate this vulnerability?
An immediate mitigation step is to ensure that the directory C:\ProgramData\Docker\cli-plugins does not exist or is removed if present, as this directory is not created by default and is no longer used by Docker CLI for plugin discovery on Windows.
Additionally, update Docker CLI and related Windows binaries to a version later than 29.1.5, where the legacy plugin path scanning has been removed and plugin discovery is consolidated to the safer %ProgramFiles%\Docker\cli-plugins directory.
Restrict permissions on Docker CLI plugin directories to prevent low-privileged users from creating or placing malicious binaries.
Avoid running Docker CLI or Docker Desktop with elevated privileges unnecessarily to reduce the risk of privilege escalation.