Today’s Topics:

• SDocker Fixes CVE-2025-9074: Critical Container Escape Vulnerability in Docker Desktop
• New Attack Technique Uses RAR Filenames to Deploy VShell Backdoor on Linux
• How can Netizen help?

SDocker Fixes CVE-2025-9074: Critical Container Escape Vulnerability in Docker Desktop

Docker has released an urgent patch addressing CVE-2025-9074, a critical container escape vulnerability impacting Docker Desktop for Windows and macOS. Rated CVSS 9.3, this flaw could allow a malicious container to break out of isolation, compromise host systems, and access sensitive files.

The issue is fixed in Docker Desktop version 4.44.3, and security teams are strongly advised to update immediately.

The flaw stems from how Docker Desktop handled access to the Docker Engine API. Researcher Felix Boulet discovered that containers could communicate with the API at 192.168.65[.]7:2375 without authentication.

This design oversight meant that a malicious or compromised container could:

• Launch new containers without needing the Docker socket.
• Bind the host’s C:\ drive (on Windows) to the container, granting read/write access.
• Escalate privileges by modifying critical system files or DLLs.

A proof-of-concept (PoC) exploit showed that a simple web request from a container could mount the host filesystem and compromise the system.

Researcher Philippe Dugre (zer0x64) demonstrated that attackers could escalate privileges to full administrator access. By mounting the host filesystem, an attacker could:

• Read sensitive files, including credentials.
• Overwrite system DLLs to persist as an admin.
• Deploy backdoors for long-term host compromise.

Linux systems are not impacted by CVE-2025-9074. Docker on Linux communicates with the Engine API through a named pipe rather than a TCP socket, preventing the same attack vector.

The primary risk comes from malicious containers controlled by threat actors. However, researchers warn that an SSRF (Server-Side Request Forgery) vulnerability in a separate application could also proxy requests to the Docker API, making exploitation possible without direct container access.

Depending on request methods available (POST, PATCH, DELETE), attackers could remotely spin up privileged containers and escape to the host.

Mitigation and Recommendations

• Update immediately to Docker Desktop 4.44.3 or later.
• Avoid running untrusted containers, particularly from public sources.
• Restrict Docker Engine API access and monitor for suspicious container launches.
• Audit host systems for unauthorized file changes or DLL modifications (Windows).

Organizations that rely on containers in production should treat this as a high-priority incident and integrate Docker security monitoring into their broader DevSecOps practices.

New Attack Technique Uses RAR Filenames to Deploy VShell Backdoor on Linux

Cybersecurity researchers have identified a new Linux malware campaign that abuses malicious RAR archive filenames to deliver the VShell backdoor. The technique allows attackers to bypass traditional antivirus detection by hiding payloads in the filename itself rather than in the file contents.

The attack begins with phishing emails disguised as invitations to a beauty product survey offering a monetary reward. These messages include a RAR archive attachment named yy.rar. Inside the archive is a file with a specially crafted filename containing embedded Bash commands.

Example filename:

ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`

When a shell script or command interprets the filename, the embedded payload executes. This leads to the download of an ELF binary tailored to the victim’s architecture, which then connects to a command-and-control server to retrieve and execute the encrypted VShell backdoor.

Traditional antivirus tools scan file contents, not file names. Since the malicious logic resides in the filename, the payload slips past conventional detection methods. Execution only occurs when the filename is parsed by the shell, not when the archive is extracted, adding another layer of stealth.

VShell is a Go-based remote access tool used by multiple threat groups, including UNC5174. It provides remote shell access, file operations, process management, port forwarding, and encrypted communication. Because it runs entirely in memory, VShell avoids leaving disk artifacts that could be detected during forensic analysis.

In addition to VShell delivery, researchers at Picus Security detailed a Linux malware tool called RingReaper. This tool leverages the Linux kernel’s io_uring framework to evade detection by endpoint monitoring tools. By replacing traditional system calls with io_uring primitives, RingReaper avoids hooks commonly used by EDR solutions.

RingReaper is capable of enumerating system processes, network sessions, and logged-in users, while also enabling privilege escalation through SUID binaries. It can erase traces of its activity after execution, making detection even more difficult.

Organizations should harden their defenses by sanitizing shell input in scripts, deploying behavioral-based detection systems, and analyzing archive attachments beyond just file content. Linux EDR tools need to adapt to io_uring-based activity, while user awareness training should reinforce caution around unexpected email attachments.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.