diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 227d105f8e..9ce1a6d92a 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -55,7 +55,7 @@ jobs:
           make -f docker.Makefile test-e2e-${{ matrix.target }}
         env:
           BASE_VARIANT: ${{ matrix.base }}
-          E2E_ENGINE_VERSION: ${{ matrix.engine-version }}
+          ENGINE_VERSION: ${{ matrix.engine-version }}
           TESTFLAGS: -coverprofile=/tmp/coverage/coverage.txt
       -
         name: Send to Codecov
diff --git a/docker.Makefile b/docker.Makefile
index bddd91a2a5..011bfd9b68 100644
--- a/docker.Makefile
+++ b/docker.Makefile
@@ -14,13 +14,13 @@ PACKAGER_NAME ?=
 
 DEV_DOCKER_IMAGE_NAME = docker-cli-dev$(IMAGE_TAG)
 E2E_IMAGE_NAME = docker-cli-e2e
-E2E_ENGINE_VERSION ?=
+ENGINE_VERSION ?=
 CACHE_VOLUME_NAME := docker-cli-dev-cache
 ifeq ($(DOCKER_CLI_GO_BUILD_CACHE),y)
 DOCKER_CLI_MOUNTS += -v "$(CACHE_VOLUME_NAME):/root/.cache/go-build"
 endif
 VERSION = $(shell cat VERSION)
-ENVVARS = -e VERSION=$(VERSION) -e GITCOMMIT -e PLATFORM -e TESTFLAGS -e TESTDIRS -e GOOS -e GOARCH -e GOARM -e TEST_ENGINE_VERSION=$(E2E_ENGINE_VERSION)
+ENVVARS = -e VERSION=$(VERSION) -e GITCOMMIT -e PLATFORM -e TESTFLAGS -e TESTDIRS -e GOOS -e GOARCH -e GOARM -e ENGINE_VERSION
 
 # Some Dockerfiles use features that are only supported with BuildKit enabled
 export DOCKER_BUILDKIT=1
@@ -132,21 +132,21 @@ test-e2e: test-e2e-non-experimental test-e2e-experimental test-e2e-connhelper-ss
 
 .PHONY: test-e2e-experimental
 test-e2e-experimental: build-e2e-image # run experimental e2e tests
-	docker run --rm $(ENVVARS) -e DOCKERD_EXPERIMENTAL=1 -e TEST_ENGINE_VERSION=$(E2E_ENGINE_VERSION) \
+	docker run --rm $(ENVVARS) -e DOCKERD_EXPERIMENTAL=1 \
 		--mount type=bind,src=$(CURDIR)/build/coverage,dst=/tmp/coverage \
 		--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
 		$(E2E_IMAGE_NAME)
 
 .PHONY: test-e2e-non-experimental
 test-e2e-non-experimental: build-e2e-image # run non-experimental e2e tests
-	docker run --rm $(ENVVARS) -e TEST_ENGINE_VERSION=$(E2E_ENGINE_VERSION) \
+	docker run --rm $(ENVVARS) \
 		--mount type=bind,src=$(CURDIR)/build/coverage,dst=/tmp/coverage \
 		--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
 		$(E2E_IMAGE_NAME)
 
 .PHONY: test-e2e-connhelper-ssh
 test-e2e-connhelper-ssh: build-e2e-image # run experimental SSH-connection helper e2e tests
-	docker run --rm $(ENVVARS) -e DOCKERD_EXPERIMENTAL=1 -e TEST_ENGINE_VERSION=$(E2E_ENGINE_VERSION) -e TEST_CONNHELPER=ssh \
+	docker run --rm $(ENVVARS) -e DOCKERD_EXPERIMENTAL=1 -e TEST_CONNHELPER=ssh \
 		--mount type=bind,src=$(CURDIR)/build/coverage,dst=/tmp/coverage \
 		--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
 		$(E2E_IMAGE_NAME)
diff --git a/e2e/compose-env.connhelper-ssh.yaml b/e2e/compose-env.connhelper-ssh.yaml
index 2a91ab48fe..283e306fbc 100644
--- a/e2e/compose-env.connhelper-ssh.yaml
+++ b/e2e/compose-env.connhelper-ssh.yaml
@@ -3,5 +3,7 @@ services:
       build:
         context: ./testdata
         dockerfile: Dockerfile.connhelper-ssh
+        args: 
+          - ENGINE_VERSION
       environment:
         - TEST_CONNHELPER_SSH_ID_RSA_PUB
diff --git a/e2e/compose-env.yaml b/e2e/compose-env.yaml
index 9eade791b0..2a30e1040e 100644
--- a/e2e/compose-env.yaml
+++ b/e2e/compose-env.yaml
@@ -1,9 +1,10 @@
 services:
+
   registry:
     image: 'registry:2'
 
   engine:
-      image: 'docker:${TEST_ENGINE_VERSION:-stable-dind}'
+      image: 'docker:${ENGINE_VERSION:-25.0}-dind'
       privileged: true
       command: ['--insecure-registry=registry:5000']
       environment:
@@ -16,6 +17,7 @@ services:
       ports:
         - 4443:4443
       command: ['notary-server', '-config=/fixtures/notary-config.json']
+
   evil-notary-server:
       build:
         context: ./testdata
diff --git a/e2e/testdata/Dockerfile.connhelper-ssh b/e2e/testdata/Dockerfile.connhelper-ssh
index 64306b518c..3771f3e62f 100644
--- a/e2e/testdata/Dockerfile.connhelper-ssh
+++ b/e2e/testdata/Dockerfile.connhelper-ssh
@@ -1,5 +1,16 @@
-FROM docker:test-dind
-RUN apk --no-cache add shadow openssh-server && \
+# syntax=docker/dockerfile:1
+
+# ENGINE_VERSION is the version of the (docker-in-docker) Docker Engine to
+# test against.
+ARG ENGINE_VERSION=25.0
+
+FROM docker:${ENGINE_VERSION}-dind
+
+# the openssh-client update is needed for security reasons when using docker:23.0-dind, currently maintained as an lts by mirantis
+RUN apk --no-cache upgrade openssh-client && \
+  apk --no-cache add shadow openssh-server && \
+  # TODO(krissetto): `groupadd` can be removed once we only test against moby >= v24
+  # see https://github.com/docker-library/docker/pull/470
   groupadd -f docker && \
   useradd --create-home --shell /bin/sh --password $(head -c32 /dev/urandom | base64) penguin && \
   usermod -aG docker penguin && \
diff --git a/e2e/testdata/Dockerfile.evil-notary-server b/e2e/testdata/Dockerfile.evil-notary-server
index d982d5a4eb..97f234e849 100644
--- a/e2e/testdata/Dockerfile.evil-notary-server
+++ b/e2e/testdata/Dockerfile.evil-notary-server
@@ -1,4 +1,7 @@
+# syntax=docker/dockerfile:1
+
 ARG NOTARY_VERSION=0.6.1
+
 FROM notary:server-${NOTARY_VERSION}
 
 COPY ./notary-evil/ /fixtures/
diff --git a/e2e/testdata/Dockerfile.notary-server b/e2e/testdata/Dockerfile.notary-server
index 4bc59d2d88..846253e2fb 100644
--- a/e2e/testdata/Dockerfile.notary-server
+++ b/e2e/testdata/Dockerfile.notary-server
@@ -1,4 +1,7 @@
+# syntax=docker/dockerfile:1
+
 ARG NOTARY_VERSION=0.6.1
+
 FROM notary:server-${NOTARY_VERSION}
 
 COPY ./notary/ /fixtures/