PatchSiren

CVE-2025-15558 Docker CVE debrief

CVE-2025-15558 is a high-severity vulnerability in Docker CLI for Windows that allows low-privileged attackers to escalate privileges by creating a directory, C:\ProgramData\Docker\cli-plugins, and placing malicious CLI plugin binaries. This issue affects Docker CLI through version 29.1.5 and Windows binaries acting as a CLI-plugin manager. The vulnerability has a CVSS score of 7 and is classified as HIGH.

Vendor: Docker
Product: Command Line Interface
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-04
Original CVE updated: 2026-06-30
Advisory published: 2026-03-04
Advisory updated: 2026-06-30

Who should care

Users of Docker CLI for Windows, particularly those with low-privileged accounts, should be aware of this vulnerability. Additionally, administrators and security teams responsible for managing Docker installations and ensuring the security of their systems should take immediate action to mitigate this risk.

Technical summary

The Docker CLI for Windows searches for plugin binaries in the C:\ProgramData\Docker\cli-plugins directory, which does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (e.g., docker-compose.exe, docker-buildx.exe) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features. This allows for privilege escalation if the Docker CLI is executed as a privileged user. The issue affects Docker CLI through version 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package.

Defensive priority

High priority should be given to updating Docker CLI to a version that addresses this vulnerability. In the meantime, administrators should monitor for suspicious activity and restrict access to the C:\ProgramData\Docker\cli-plugins directory.

Recommended defensive actions

  • Update Docker CLI to a version that addresses this vulnerability.
  • Restrict access to the C:\ProgramData\Docker\cli-plugins directory.
  • Monitor for suspicious activity related to Docker CLI and plugin execution.
  • Implement additional security measures to prevent privilege escalation.
  • Review and update incident response plans to address potential exploitation.
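
The restrict-and-monitor actions above can start from a read-only audit of the plugin path. The PowerShell below is an added example, not code from Docker or the advisory; the trusted-SID list, the write-rights mask and the helper name Get-UntrustedWriter are assumptions to adjust locally.

```powershell
# Added example: read-only audit for CVE-2025-15558; changes nothing on the host.
$PluginDir = 'C:\ProgramData\Docker\cli-plugins'   # path named in the advisory

# Assumption: only these SIDs are trusted to write here
# (SYSTEM, BUILTIN\Administrators, TrustedInstaller); adjust to local policy.
$Trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that allow planting or replacing a binary, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriter {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sid = [System.Security.Principal.SecurityIdentifier]
    $nt  = [System.Security.Principal.NTAccount]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sid) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Trusted -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteMask)
    } | ForEach-Object {
        $name = try { $_.IdentityReference.Translate($nt).Value } catch { '<unresolved>' }
        [pscustomobject]@{ Sid = $_.IdentityReference.Value; Account = $name
                           Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
    }
}

# If the directory is missing, audit the nearest existing ancestor instead:
# whoever can write there can create the directory the CLI will search.
$target = $PluginDir
while (-not (Test-Path -LiteralPath $target)) { $target = Split-Path $target -Parent }

if ($target -eq $PluginDir) {
    Write-Output "Plugin directory exists; owner: $((Get-Acl -LiteralPath $target).Owner)"
    # A valid signature is not proof of legitimacy; compare hashes with known-good builds.
    Get-ChildItem -LiteralPath $PluginDir -Filter *.exe -File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
} else {
    Write-Output "Plugin directory absent; nearest existing ancestor: $target"
}
Get-UntrustedWriter -Path $target | Format-Table -AutoSize
```

Any row in the final table is a principal outside the trusted list that can create or modify content at the audited location; an empty table means none was found.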

Evidence notes

CVE-2025-15558 was publicly disclosed on March 4, 2026, and was last modified on June 30, 2026. The vulnerability affects Docker CLI for Windows and has a CVSS score of 7. The issue is related to the CWE-427 weakness.

This article is AI-assisted and based on the supplied source corpus.