CVE-2017-20198

CRITICAL

DC/OS Marathon < 1.9.0 - Docker Root Mount Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-20198. PoCs published by Metasploit, including Metasploit module exploits/linux/http/dcos_marathon.

AI-analyzed exploit summary This Metasploit module exploits a vulnerability in DC/OS Marathon UI to create a Docker container with host filesystem access, allowing arbitrary file creation/modification as root via a cron job. It leverages Docker volume mounting to achieve privilege escalation on the host system.

Description

The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotepython

https://www.exploit-db.com/exploits/42134

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in DC/OS Marathon UI to create a Docker container with host filesystem access, allowing arbitrary file creation/modification as root via a cron job. It leverages Docker volume mounting to achieve privilege escalation on the host system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: DC/OS Marathon UI (versions prior to patch)

Auth required

Prerequisites: Access to Marathon UI API · Valid Docker image from hub.docker.com · Available cluster resources

MITRE ATT&CK

T1610 - Deploy Container T1053 - Scheduled Task/Job T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocpython

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dcos_marathon.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in DC/OS Marathon UI to create a Docker container with host filesystem access, allowing an attacker to write a cron job for persistent remote code execution. It leverages Docker volume mounting to gain root-level file system manipulation on the host.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: DC/OS Marathon UI (versions affected by CVE-2017-20198)

Auth required

Prerequisites: Access to DC/OS Marathon UI · Valid Docker image from hub.docker.com · Available resources in the DC/OS cluster

MITRE ATT&CK

T1059.004 - Unix Shell T1053.003 - Cron T1611 - Escape to Host

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/42134

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dcos_marathon.rb

Various Sources technical-description

https://web.archive.org/web/20230609134421/https://warroom.rsmus.com/dcos-marathon-compromise/

Various Sources product

https://dcos.io/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/dcos-marathon-docker-mount-abuse-rce

Scores

CVSS v4 9.3

EPSS 0.7296

EPSS Percentile 98.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-732

Status published

Products (1)

D2iQ, Inc./DC/OS Marathon < 1.9.0

Published Jul 23, 2025

Tracked Since Feb 18, 2026