
CVE-2019-15752

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Nov 3, 2021  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Docker Desktop Community Edition Privilege Escalation Vulnerability — Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\.

🤖 AI Executive Summary

Docker Desktop Community Edition contains a critical local privilege escalation vulnerability (CVSS 9.0) that allows local users to escalate privileges by placing a malicious trojan horse executable (docker-credential-wincred.exe) in the %PROGRAMDATA%\DockerDesktop\version-bin\ directory. An attacker with local access can exploit this path hijacking weakness to execute arbitrary code with elevated privileges. A public exploit is available, significantly increasing the risk of active exploitation. Organizations using Docker Desktop on Windows endpoints are directly exposed to this threat.

🤖 AI Intelligence Analysis (Analyzed: Apr 14, 2026 13:11)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging containerization and DevOps pipelines are most at risk, particularly technology teams within banking institutions regulated by SAMA, government digital transformation projects under NCA oversight, and energy sector IT/OT environments such as Saudi Aramco and SABIC. Developer workstations and CI/CD build servers running Docker Desktop on Windows are primary attack surfaces. In Saudi Arabia's rapidly expanding cloud-native and Vision 2030 digital infrastructure, widespread Docker Desktop adoption among developers in telecom (STC, Mobily), fintech startups, and government agencies (SDAIA, ZATCA) amplifies exposure. A compromised developer machine can serve as a pivot point for supply chain attacks, lateral movement, and credential theft across enterprise networks.
🏢 Affected Saudi Sectors
Banking, Government, Energy, Telecom, Healthcare, Technology, Financial Services
⚖️ Saudi Risk Score (AI): 8.5 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Windows endpoints running Docker Desktop Community Edition across the organization using asset inventory tools.
2. Restrict write permissions to %PROGRAMDATA%\DockerDesktop\version-bin\ so only SYSTEM and Administrators can write to this directory.
3. Audit the directory for any unauthorized or suspicious executables, especially docker-credential-wincred.exe with unexpected hashes.

Patching Guidance:
4. Upgrade Docker Desktop to version 2.1.0.1 or later, which addresses this vulnerability.
5. Prioritize patching on developer workstations, CI/CD servers, and any shared build environments.

Compensating Controls:
6. Apply the principle of least privilege — ensure standard users cannot write to system-level program data directories.
7. Deploy application whitelisting (e.g., Windows Defender Application Control / AppLocker) to prevent execution of unauthorized binaries from %PROGRAMDATA% paths.
8. Enable Windows Event Log auditing on the affected directory for file creation and modification events.

Detection Rules:
9. Create SIEM alerts for new file creation events in %PROGRAMDATA%\DockerDesktop\version-bin\ by non-administrative accounts.
10. Monitor for process execution of docker-credential-wincred.exe with parent processes other than expected Docker services.
11. Hash-verify docker-credential-wincred.exe against known-good values using EDR tools.
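
The checks in steps 2, 3 and 11 can be scripted per endpoint. The PowerShell below is an added example, not code from the advisory or from Docker; the function names and the `$KnownGoodSha256` placeholder are assumptions, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: audit the directory named in the advisory for write access by
# anyone other than SYSTEM / Administrators, then inventory its executables.
$Dir = Join-Path $env:ProgramData 'DockerDesktop\version-bin'
# Placeholder: SHA-256 taken from an installer you trust (not supplied by the page).
$KnownGoodSha256 = '<SHA256-FROM-TRUSTED-INSTALL>'

$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators
# Rights that allow planting or replacing a file (read/execute deliberately excluded).
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x50000000     # GENERIC_WRITE | GENERIC_ALL on inherit-only ACEs

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    # If the directory is absent, audit the nearest existing ancestor: whoever can
    # create folders there can create the directory and its contents.
    while (-not (Test-Path -LiteralPath $Path)) { $Path = Split-Path -Path $Path -Parent }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $WriteBits) -and
            $_.IdentityReference.Value -notin $TrustedSids
        } |
        Select-Object @{ n = 'AuditedPath'; e = { $Path } },
                      @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

function Get-BinaryInventory {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -File -Filter '*.exe' | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Name        = $_.Name
            Owner       = (Get-Acl -LiteralPath $_.FullName).Owner
            CreatedUtc  = $_.CreationTimeUtc
            Signature   = $sig.Status
            SHA256      = $hash
            # Only the credential helper is compared; other files stay $null.
            MatchesGood = if ($_.Name -eq 'docker-credential-wincred.exe') { $hash -eq $KnownGoodSha256 }
        }
    }
}

Get-UntrustedWriter -Path $Dir | Format-Table -AutoSize   # any row is a finding
Get-BinaryInventory -Path $Dir | Format-List
```

Any row returned by `Get-UntrustedWriter` is a principal outside SYSTEM and Administrators that can create or replace files at the audited path; a `MatchesGood` of `False` or a non-`Valid` signature status on the credential helper warrants investigation.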
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-2-1: Cybersecurity Risk Management
ECC-3-3-3: Endpoint Security — Least Privilege Enforcement
ECC-3-3-5: Patch and Vulnerability Management
ECC-3-3-6: Application Whitelisting and Execution Control
ECC-3-1-2: Identity and Access Management — Privilege Control
🔵 SAMA CSF
3.3.4 — Vulnerability Management
3.3.6 — Patch Management
3.3.2 — Endpoint Protection
3.2.2 — Identity and Access Management
3.3.9 — Security Monitoring and Logging
🟡 ISO 27001:2022
A.8.8 — Management of Technical Vulnerabilities
A.8.2 — Privileged Access Rights
A.8.19 — Installation of Software on Operational Systems
A.8.15 — Logging
A.5.10 — Acceptable Use of Information and Other Associated Assets
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components are protected from known vulnerabilities by installing applicable security patches
Requirement 7.2 — Access to system components and data is appropriately defined and assigned
Requirement 10.2 — Audit logs capture all individual user access to cardholder data
📦 Affected Products / CPE 1 entries
Docker:Desktop Community Edition
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 46.85%
Exploit: Yes
Patch: Yes
CISA KEV: Yes
KEV Due Date: 2022-05-03
Published: 2021-11-03
Source Feed: cisa_kev
🏷️ Tags
kev actively-exploited