Vulnerability Brief · Severity: High

Critical 0‑Day Local Privilege Escalation in Docker Desktop CLI‑Plugins (ZDI‑26‑259) Threatens Windows Development Environments

A newly disclosed zero‑day (ZDI‑26‑259) lets a local attacker who has escaped a Docker container on Windows gain elevated privileges via mis‑configured CLI‑plugin folder permissions. The vulnerability scores 7.8 (High) and affects any organization using Docker Desktop on Windows workstations, creating a supply‑chain risk for development pipelines.

LiveThreat™ Intelligence · April 16, 2026 · zerodayinitiative.com

  • Severity: High
  • Type: Vulnerability
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 4 recommended
  • Source: zerodayinitiative.com

0-Day Local Privilege Escalation in Docker Desktop CLI‑Plugins Affects Windows Developers

What Happened — A newly disclosed zero‑day (ZDI‑26‑259 / ZDI‑CAN‑27430) allows a local attacker who has already escaped a Docker container on Windows to gain elevated privileges on the host by exploiting incorrect folder permissions in Docker Desktop’s CLI‑plugins feature. The flaw enables execution of arbitrary code in the context of the current user, potentially leading to full system compromise.

Why It Matters for TPRM

  • Docker Desktop is widely used by development teams and third‑party SaaS providers; a privilege‑escalation path can be leveraged to pivot into corporate networks.
  • The vulnerability is rated CVSS 7.8 (High) and is being published as a 0‑day, meaning no patch is yet available.
  • Organizations that rely on Docker Desktop for CI/CD pipelines may inadvertently expose internal assets if containers are compromised.

Who Is Affected — Technology & SaaS vendors, development shops, MSPs, and any third‑party that mandates Docker Desktop on Windows workstations.

Recommended Actions

  • Immediately inventory all Windows endpoints running Docker Desktop and assess exposure.
  • Enforce strict container isolation policies; consider alternative build environments that do not require Docker Desktop on user workstations.
  • Monitor for suspicious activity in Hyper‑V VMs and privilege‑escalation alerts.
  • Apply any forthcoming patches from Docker as soon as they are released; in the interim, restrict CLI‑plugin usage and correct folder permissions manually if feasible.

Technical Notes — The flaw stems from overly permissive ACLs on the cli-plugins directory, allowing a low‑privileged process that has escaped the container to write and execute code on the host. Exploitation requires prior container escape, but once achieved, the attacker can leverage the mis‑configured permissions to achieve SYSTEM‑level rights. CVSS 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). Source: Zero Day Initiative advisory
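The actions above ask defenders to inventory Docker Desktop hosts and tighten the cli-plugins folder permissions. The following PowerShell audit script is an added example, not code from the ZDI advisory or from Docker: it lists the ACEs on candidate cli-plugins directories and flags any that grant write-class rights to broad principals. The two directory paths are assumptions about common Docker Desktop layouts and should be adjusted to your installation.

```powershell
# Added example: audit ACLs on Docker CLI-plugin directories for broad write rights.
# Paths are ASSUMED typical locations; confirm them against your Docker Desktop install.
$Candidates = @(
    (Join-Path $env:USERPROFILE '.docker\cli-plugins'),
    (Join-Path $env:ProgramFiles 'Docker\Docker\resources\cli-plugins')
)

# Principals that should never be able to drop or replace a binary that gets executed.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, replacing, deleting or re-permissioning plugin files.
# Modify and FullControl are supersets of these bits, so the bitmask catches them too.
$WriteMask = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-RiskyPluginDirAces {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    # Inherited ACEs are included on purpose: a loose parent ACL is just as dangerous.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
        }
    }
}

$findings = foreach ($dir in $Candidates) { Get-RiskyPluginDirAces -Path $dir }
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Broad write rights on $(@($findings).Count) ACE(s); tighten before allowing CLI-plugin use."
    # Remediation template (review before running): remove inheritance and re-grant explicitly, e.g.
    #   icacls "<dir>" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
} else {
    Write-Host 'No broad write rights found on the checked cli-plugins directories.'
}
```

Run it in an elevated session on each inventoried Windows endpoint and keep the output as evidence for the exposure assessment; a finding for a system-wide plugin directory is the condition the Technical Notes describe.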

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-259/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
