CVE-2019-15752

HIGH KEV

Docker Desktop Community Edition < 2.1.0.1 - Privilege Escalation via Trojan Horse docker-credential-wincred.exe


Exploitation Summary

CVE-2019-15752 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, where it was added on November 3, 2021. EIP tracks 2 public exploits from researchers including Metasploit, Morgan Roman and bwatters-r7. One of them is the Metasploit module exploits/windows/local/docker_credential_wincred.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-15752, a privilege escalation vulnerability in Docker Desktop for Windows. It writes a malicious payload to a low-privilege directory, which is then executed by the Docker service upon user login, achieving local privilege escalation.

Description

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.
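
A defender-side check for the condition the description names (a version-bin directory that low-privilege users can write to), given as an added PowerShell example that is not part of the original record or of Docker's tooling. The trusted-SID list, the rights mask and the function name Get-RiskyAce are assumptions of this example.

```powershell
# Added example, not from the CVE record: list ACEs that let a principal outside
# the trusted set plant or replace a binary in the directory the description names.
param([string]$Path = (Join-Path $env:ProgramData 'DockerDesktop\version-bin'))
$helper = 'docker-credential-wincred.exe'   # file name from the CVE description

# Assumption: only SYSTEM, Administrators and TrustedInstaller should hold write access.
$trusted = @('S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
# Specific rights that allow creating, replacing or re-permissioning files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_ALL / GENERIC_WRITE bits instead.
$genericMask = 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([string]$Target)
    # Request SIDs so the comparison does not depend on localized account names.
    $rules = (Get-Acl -LiteralPath $Target).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Target    = $Target
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Output "Not present: $Path"
    return
}
$findings = @(Get-RiskyAce -Target $Path)
$exe = Join-Path $Path $helper
if (Test-Path -LiteralPath $exe -PathType Leaf) {
    $findings += @(Get-RiskyAce -Target $exe)
    # Owner and signature state of the helper named in the description.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    Write-Output ("{0}: owner={1}, signature={2}" -f $exe, (Get-Acl -LiteralPath $exe).Owner, $sig.Status)
}
if ($findings.Count) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No write-capable ACEs for untrusted principals.'
}
```

Any row in the output means a principal outside the trusted set can create or overwrite files at that path, which is the CWE-732 condition this record describes.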

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/48388

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Docker Desktop for Windows < 2.1.0.1
Auth required
Prerequisites: Local access to the target system · Docker Desktop for Windows < 2.1.0.1 installed · User with sufficient privileges to write to the target directory
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · MANUAL
by Morgan Roman, bwatters-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/docker_credential_wincred.rb

This Metasploit module exploits CVE-2019-15752, a privilege escalation vulnerability in Docker Desktop for Windows. It writes a malicious payload to a low-privilege directory, which is then executed by the Docker service at login, allowing local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Docker Desktop for Windows < 2.1.0.1
Auth required
Prerequisites: Local access to a vulnerable Docker Desktop installation · User interaction (login) to trigger payload execution
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.4518
EPSS Percentile 97.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-6687
CWE CWE-732
Status published
Products (2)
apache/geode 1.12.0
docker/docker < 2.1.0.1
Published Aug 28, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026