PatchSiren cyber security CVE debrief
CVE-2025-15558 Docker CVE debrief
CVE-2025-15558 is a high-severity vulnerability in Docker CLI for Windows that allows low-privileged attackers to escalate privileges by creating the directory C:\ProgramData\Docker\cli-plugins and placing malicious CLI plugin binaries in it. This issue affects Docker CLI through version 29.1.5 and Windows binaries acting as a CLI-plugin manager. The vulnerability has a CVSS score of 7 and is classified as HIGH.
- Vendor: Docker
- Product: Command Line Interface
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-04
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-04
- Advisory updated: 2026-06-30
Who should care
Users of Docker CLI for Windows, particularly those with low-privileged accounts, should be aware of this vulnerability. Additionally, administrators and security teams responsible for managing Docker installations and ensuring the security of their systems should take immediate action to mitigate this risk.
Technical summary
The Docker CLI for Windows searches for plugin binaries in the C:\ProgramData\Docker\cli-plugins directory, which does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries in it (e.g., docker-compose.exe, docker-buildx.exe); these are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features. This allows privilege escalation if the Docker CLI is executed as a privileged user. The issue affects Docker CLI through version 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package.
Defensive priority
Give high priority to updating Docker CLI to a version that addresses this vulnerability. In the meantime, administrators should monitor for suspicious activity and restrict access to the C:\ProgramData\Docker\cli-plugins directory.
Recommended defensive actions
- Update Docker CLI to a version that addresses this vulnerability.
- Restrict access to the C:\ProgramData\Docker\cli-plugins directory.
- Monitor for suspicious activity related to Docker CLI and plugin execution.
- Implement additional security measures to prevent privilege escalation.
- Review and update incident response plans to address potential exploitation.
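One way to carry out the "restrict access" and "monitor" actions above on a Windows host, as an added example (not code from Docker or from this advisory). The -Harden switch and the choice to pre-create the directory with an administrators-only write ACL are assumptions of this example, not vendor-documented steps.

```powershell
# Added example: audit the CVE-2025-15558 plugin directory. Run from an elevated session.
# -Harden is this script's own (hypothetical) switch, not a Docker option.
param([switch]$Harden)

$PluginDir = 'C:\ProgramData\Docker\cli-plugins'   # path named in the advisory
$Trusted   = 'S-1-5-18', 'S-1-5-32-544'            # SYSTEM, BUILTIN\Administrators
$SidType   = [System.Security.Principal.SecurityIdentifier]
# Rights that allow planting or replacing a binary, plus GENERIC_WRITE and GENERIC_ALL.
$WriteBits = ([int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriter([string]$Path) {
    # Allow ACEs that apply to $Path itself and grant write access to a non-admin SID.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Trusted -notcontains $_.IdentityReference.Value -and
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
        ([int]$_.FileSystemRights -band $WriteBits)
    }
}

# Audit the directory, or its nearest existing ancestor when it has not been created yet.
$target = $PluginDir
while (-not (Test-Path -LiteralPath $target)) { $target = Split-Path -Path $target -Parent }
$owner = (Get-Acl -LiteralPath $target).GetOwner($SidType).Value
"Audited path: $target (plugin directory exists: $($target -eq $PluginDir))"
"Owner SID:    $owner $(if ($Trusted -notcontains $owner) { '<-- not SYSTEM or Administrators' })"
Get-UntrustedWriter $target | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($target -eq $PluginDir) {
    # Plugin binaries use the docker-<name>.exe naming cited in the advisory.
    Get-ChildItem -LiteralPath $PluginDir -Filter 'docker-*.exe' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.Name; Owner = (Get-Acl -LiteralPath $_.FullName).Owner
                           Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } | Format-Table -AutoSize
} elseif ($Harden) {
    # Assumption of this example: pre-create the directory with an administrators-only write ACL.
    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    $sd.SetAccessRuleProtection($true, $false)      # block inheritance and drop inherited ACEs
    $sd.SetOwner([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
    foreach ($ace in @(@('S-1-5-18', 'FullControl'), @('S-1-5-32-544', 'FullControl'), @('S-1-5-32-545', 'ReadAndExecute'))) {
        $sid  = [System.Security.Principal.SecurityIdentifier]$ace[0]
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $ace[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $sd.AddAccessRule($rule)
    }
    New-Item -ItemType Directory -Path $PluginDir -Force | Out-Null
    Set-Acl -LiteralPath $PluginDir -AclObject $sd
}
```

Without -Harden the script only reports. If the directory already exists, review its owner and contents before changing its ACL, since tightening permissions does not remove binaries that are already there.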
Evidence notes
CVE-2025-15558 was publicly disclosed on March 4, 2026, and was modified on June 30, 2026. The vulnerability affects Docker CLI for Windows and has a CVSS score of 7. The issue is classified under CWE-427 (Uncontrolled Search Path Element).
Official resources
- CVE-2025-15558 CVE record (CVE.org)
- CVE-2025-15558 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Source reference: [email protected] - Not Applicable
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.