Attackers Exploit Unsecured Docker Daemons to Deploy Containers and Hijack Hosts
Palo Alto Networks Unit 42 reported that attackers are actively targeting unsecured Docker daemons exposed to the internet, using the Docker API to create and run malicious containers on victim systems. By abusing misconfigured deployments that lack proper access controls, intruders can gain effective control of the underlying host, execute arbitrary workloads, and use compromised infrastructure for follow-on activity such as cryptomining, persistence, and broader cloud or network compromise.
The report details attacker tradecraft focused on exposed container management interfaces, where adversaries issue Docker commands remotely to pull attacker-controlled images and launch privileged containers that can interact with the host environment. The activity highlights a recurring cloud security risk: organizations that leave Docker services reachable without authentication can enable rapid compromise of containerized environments and the systems that support them.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes research on attacks targeting unsecured Docker daemons
Palo Alto Networks Unit 42 published a report detailing attackers' tactics and techniques used against unsecured Docker daemons. The reference indicates public disclosure of the findings but provides no additional dated events in the content.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests
Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.
Apr 8, 2026
Attackers chained PAN-OS flaws to seize Palo Alto firewalls and deploy malware
Threat actors exploited internet-exposed Palo Alto Networks PAN-OS management interfaces by chaining **`CVE-2024-0012`** and **`CVE-2024-9474`**, a combination that enabled authentication bypass followed by privilege escalation to run arbitrary commands as **root** on affected firewall devices. Security reporting described a surge in exploitation after public disclosure, with campaigns targeting exposed firewalls and quickly moving from initial access to hands-on post-compromise activity. Investigators observed attackers validating exploitation with OAST domains, retrieving payloads with tools such as `curl` and `wget`, and establishing **Sliver** command-and-control. Follow-on activity included downloads of ELF, shell script, and PHP payloads, persistence through cron jobs and web shells, suspicious TLS traffic without SNI, use of uncommon ports, reconnaissance, lateral movement, and cryptomining tied to infrastructure including **herominers** and **xmrig**. One repeatedly downloaded payload, **`/palofd`** from **`38.180.147[.]18`** with SHA1 **`90f6890fa94b25fbf4d5c49f1ea354a023e06510`**, was linked by open-source reporting to **Spectre RAT**, indicating that compromised perimeter devices were being used for broader intrusion activity rather than simple opportunistic exploitation.
May 25, 2026
Docker and Docker Desktop Flaws Expose Systems to Security Bypass Risks
German authorities issued advisories for **multiple vulnerabilities in Docker** and a separate **Docker Desktop flaw that allows security measures to be bypassed**, highlighting security risks across both the container engine ecosystem and the desktop management platform. The notices identify Docker broadly as affected in one case, while the other specifically warns that Docker Desktop contains a vulnerability that could let attackers circumvent intended protections. The paired advisories indicate that organizations using Docker in development or production environments may face exposure from both general software weaknesses and a more targeted bypass issue in Docker Desktop. Security teams should review affected versions, assess where Docker and Docker Desktop are deployed, and prioritize vendor guidance and patching to reduce the risk of unauthorized access or weakened container security controls.
Apr 24, 2026