cbcvebase.
CVE-2017-20198
published 2025-07-23

Priority: P2 (72) · Severity: critical · CVSS 4.0 base score: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Tag: EXPLOIT
EPSS: 0.76% (50.6th percentile)
The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement.

Affected

1 range
Vendor      Product          Version range   Fixed in
d2iq_inc    dc_os_marathon   < 1.9.0         1.9.0

Detection & IOCs (extracted from sources)

path: /etc/cron.d/
path: /
  • Monitor Marathon API calls (unauthenticated on DC/OS < 1.9.0) that submit container configurations mounting the host root filesystem '/' with read/write access. A host volume whose hostPath normalizes to '/' and whose mode is RW is a strong indicator of an exploitation attempt.
  • Alert on new or modified files under /etc/cron.d/ on DC/OS agent nodes, especially root-owned files whose writing process belongs to a Docker container (cron will run them as root on the host).
  • Detect Docker containers launched via Marathon that run as uid 0 (root) and carry host volume mounts, particularly any mount targeting '/' or a path under /etc.
  • Flag unauthenticated HTTP requests to the Marathon UI/API endpoint that carry container or volume configuration payloads, since DC/OS < 1.9.0 accepts such deployments without authentication.
Preconditions noted in the sources:
  • Exploitation only succeeds if the DC/OS cluster has enough free resources to schedule and deploy the malicious container.
  • The Docker image must be pullable by the agents (the sources cite hub.docker.com); a purely local or invalid image reference will not produce a running container.
  • The exploit is only effective where the Docker daemon honors Marathon container configurations without policy enforcement (e.g., no AppArmor, SELinux, or admission control blocking privileged volume mounts).
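The first and third detection bullets both reduce to one check on the Marathon app definition: does any host volume expose the agent's root filesystem (or a root-equivalent path such as /etc) read/write? The script below is an added example written for this page, not code from the CVE record or the Marathon/DC-OS project. It assumes Marathon's documented v2 app JSON layout (container.docker.image, container.docker.privileged, container.volumes[].hostPath / containerPath / mode) and feeds itself constructed sample payloads, including an evasive spelling of /etc/cron.d/ that a naive string comparison against '/' would miss.

```python
"""Added example, not code from the CVE record or the Marathon/DC-OS project:
a reviewer for Marathon v2 app definitions that flags the mount pattern this
CVE abuses (a Docker container mounting the agent's root filesystem, or another
root-equivalent host path, read/write).  It assumes Marathon's documented app
JSON layout (container.docker.image, container.docker.privileged,
container.volumes[].hostPath / containerPath / mode); the payloads at the
bottom are constructed samples, not captured traffic."""
import json
import posixpath

# Host paths that hand out root-equivalent code execution when mounted RW.
# /etc covers the /etc/cron.d/ technique the advisory describes.
SENSITIVE_HOST_PATHS = (
    "/etc",
    "/root",
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/var/lib/docker",
    "/proc",
    "/sys",
)


def normalize_host_path(host_path):
    """Fold '//', '/./', 'x/../' and trailing '/' so evasive spellings of a
    path still match.  posixpath.normpath keeps a leading '//' (a POSIX
    quirk), so leading slashes are collapsed by hand afterwards."""
    return "/" + posixpath.normpath(host_path).lstrip("/")


def review_app(app):
    """Return (severity, message) findings for one Marathon app definition."""
    findings = []
    container = app.get("container") or {}
    docker = container.get("docker") or {}
    if docker.get("privileged"):
        findings.append(("critical", "privileged Docker container"))
    for vol in container.get("volumes") or []:
        host_path = vol.get("hostPath")
        # Persistent and external volumes have no absolute hostPath; a relative
        # hostPath is resolved inside the task sandbox, not on the agent root.
        if not isinstance(host_path, str) or not host_path.startswith("/"):
            continue
        path = normalize_host_path(host_path)
        mode = str(vol.get("mode", "RW")).upper()   # missing mode: assume the worst
        target = vol.get("containerPath", "?")
        if path == "/":
            findings.append(("critical" if mode == "RW" else "high",
                             f"agent root '/' mounted {mode} at {target}"))
        elif any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            findings.append(("critical" if mode == "RW" else "medium",
                             f"sensitive host path {path} mounted {mode} at {target}"))
    return findings


def review_payload(body):
    """Review a JSON body as posted to /v2/apps: a single app, a list of apps,
    or an {"apps": [...]} object as returned by GET /v2/apps.
    Returns {app id: findings}."""
    data = json.loads(body)
    if isinstance(data, dict) and "apps" in data:
        apps = data["apps"]
    elif isinstance(data, list):
        apps = data
    else:
        apps = [data]
    return {app.get("id", "<no id>"): review_app(app) for app in apps}


# Constructed sample payloads for this example (not captured traffic).
SAMPLE_PAYLOADS = {
    "root-rw": json.dumps({
        "id": "/evil", "cpus": 0.1, "mem": 32, "instances": 1,
        "container": {"type": "DOCKER", "docker": {"image": "alpine:3.18"},
                      "volumes": [{"containerPath": "/host", "hostPath": "/", "mode": "RW"}]},
    }),
    "evasive-cron": json.dumps({
        "id": "/sneaky", "cpus": 0.1, "mem": 32, "instances": 1,
        "container": {"type": "DOCKER", "docker": {"image": "alpine:3.18"},
                      "volumes": [{"containerPath": "/c",
                                   "hostPath": "//etc/cron.d/../cron.d/", "mode": "RW"}]},
    }),
    "benign": json.dumps({
        "id": "/web", "cpus": 0.5, "mem": 256, "instances": 2,
        "container": {"type": "DOCKER", "docker": {"image": "nginx:1.25"},
                      "volumes": [{"containerPath": "/var/log/host",
                                   "hostPath": "/var/log", "mode": "RO"}]},
    }),
    "persistent": json.dumps({
        "id": "/db", "cpus": 1, "mem": 1024, "instances": 1,
        "container": {"type": "MESOS", "docker": {"image": "postgres:16"},
                      "volumes": [{"containerPath": "data", "mode": "RW",
                                   "persistent": {"size": 1024}}]},
    }),
}

if __name__ == "__main__":
    for name, body in SAMPLE_PAYLOADS.items():
        for app_id, findings in review_payload(body).items():
            verdict = findings or [("ok", "no host-filesystem exposure")]
            for severity, message in verdict:
                print(f"{name:14} {app_id:10} {severity:8} {message}")
```

Run it against request bodies captured at the proxy in front of Marathon (POST/PUT to /v2/apps) to catch deployments as they are submitted, or against the response of GET /v2/apps to inventory what is already running. The path normalization is the part worth keeping even if the rest is replaced by a SIEM rule: a literal match on `"hostPath": "/"` misses `//`, `/./` and `/etc/../`, all of which dockerd resolves to the same mount.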