Two Thirds of Docker Hub Images Harbour Critical Security Flaws

Kaspersky has found that only one in ten Docker Hub images analysed was fully up to date, with 64 out of 100 sampled images containing critical vulnerabilities capable of enabling remote code execution, crashing server processes, or granting attackers root privileges via local access.

The findings, produced using Kaspersky Container Security (KCS), examined popular Docker Hub images with between 10,000 and one million downloads. Docker Hub, the world’s largest container registry, processes more than 11 billion image pulls monthly — making the security posture of its hosted images a significant enterprise risk.

Why Docker images fall behind on patching

Unlike traditional servers, pre-built Docker images do not receive automated security patches. Developers must manually rebuild and redeploy images to address known vulnerabilities, a process that is frequently deferred. The result is a persistent backlog of unaddressed CVEs embedded in widely used images.

Kaspersky warns that the problem is compounded by a paradox at the heart of container maintenance: infrequent updates leave known vulnerabilities exposed, but frequent updates increase exposure to software supply chain attacks. The company recommends pinning dependencies to known-good versions and conducting mandatory malware scans of all final container images.

Configuration flaws compound the risk

Beyond unpatched software, Kaspersky identified a range of configuration vulnerabilities in the images analysed. These included insecure handling of credentials — such as default passwords set via environment variables or exposed through command-line arguments — privilege escalation pathways that allow attackers to gain root access inside a container, and a lack of integrity checks that leave image builds open to man-in-the-middle attacks during the build phase.
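The weaknesses described in the two sections above (credentials pushed through environment variables, processes left running as root, and dependencies that are not pinned or integrity-checked) are all visible in a Dockerfile before an image is ever built. The following checker is an added example written for this page; it is not Kaspersky's, KCS's or KIRA's code. The two Dockerfiles it scans are constructed samples, the `example.invalid` URL is a placeholder, and the `sha256` digests are dummy values rather than real image or installer hashes.

```python
"""Dockerfile hygiene checker (added example; not Kaspersky/KCS code).

Flags four pre-build weaknesses: a base image not pinned to a digest,
a credential passed through ENV/ARG, a download used without an
integrity check (including "curl ... | sh"), and an image that never
drops root with USER. Heuristic, not a substitute for an image scanner.
"""
import re

# Constructed sample: the kind of image the report describes.
WEAK_DOCKERFILE = """\
FROM node:latest
ENV DB_PASSWORD=changeme
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["node", "/app/server.js"]
"""

# Constructed sample: same service with the fixes applied.
# The digests below are placeholders, not real hashes.
HARDENED_DOCKERFILE = """\
FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
ARG INSTALLER_SHA256=1111111111111111111111111111111111111111111111111111111111111111
RUN curl -fsSL -o /tmp/install.sh https://example.invalid/install.sh \\
    && echo "${INSTALLER_SHA256}  /tmp/install.sh" | sha256sum -c - \\
    && sh /tmp/install.sh && rm /tmp/install.sh
COPY --chown=app:app . /app
USER app
CMD ["node", "/app/server.js"]
"""

# Variable names that usually carry a credential (checked on the name only,
# so a value such as "tokenizer" does not trigger it).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# "... | sh" / "... | bash": executing a download with no verification step.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")
# Evidence that a downloaded artefact was verified before use.
CHECKSUM_TOOL = re.compile(r"sha256sum|sha512sum|gpg --verify|cosign verify")


def _instructions(dockerfile):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations."""
    result, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            inst, _, arg = stripped.partition(" ")
            result.append((inst.upper(), arg.strip()))
        buf = ""
    return result


def check_dockerfile(dockerfile):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    drops_root = False
    for inst, arg in _instructions(dockerfile):
        if inst == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0] if tokens else arg
            if "@sha256:" not in image:
                findings.append(f"base image not pinned to a digest: {image}")
        elif inst in ("ENV", "ARG"):
            for pair in arg.split():
                name = pair.split("=", 1)[0]
                if SECRET_NAME.search(name):
                    findings.append(f"credential passed through {inst}: {name}")
        elif inst == "RUN":
            downloads = "curl" in arg or "wget" in arg
            if PIPE_TO_SHELL.search(arg) or (downloads and not CHECKSUM_TOOL.search(arg)):
                findings.append("download used without an integrity check")
        elif inst == "USER":
            drops_root = arg not in ("root", "0")
    if not drops_root:
        findings.append("no non-root USER instruction: processes run as root")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {check_dockerfile(text) or 'no findings'}")
```

Run as a script it reports four findings for the weak file and none for the hardened one; the hardened file shows the shape of the fixes the article recommends, a digest-pinned base image, a checksum verified before the installer is run, and a dedicated non-root user. The checker reads the Dockerfile only, so it complements rather than replaces scanning the final image for CVEs and malware.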

KCS incorporates KIRA, an AI assistant designed to flag insecure configurations and suggest remediation steps. The full research and expert recommendations are published on Securelist.

Infrastructure hosted in containers is an attractive target for attackers: a hijacked container can be used for DDoS attacks, cryptocurrency mining, or traffic proxying. By gaining control of a container, an attacker can steal or destroy data directly from it, access neighbouring containers, or even attempt to escape the container entirely, potentially compromising the broader enterprise network.

The findings arrive as enterprises accelerate containerised workloads across cloud and hybrid environments, raising the stakes for container security hygiene.
