2 Sources
[1]
'Delightful' Red Hat OpenShift AI bug allows full takeover
A 9.9 out of 10 severity bug in Red Hat's OpenShift AI service could allow a remote attacker with minimal authentication to steal data, disrupt services, and fully hijack the platform.
"A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator," the IBM subsidiary warned in a security alert published earlier this week.
"This allows for the complete compromise of the cluster's confidentiality, integrity, and availability," the alert continues. "The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."
Red Hat deemed the vulnerability, tracked as CVE-2025-10725, "important" despite its 9.9 CVSS score, which garners a critical-severity rating from the National Vulnerability Database - and basically any other organization that issues CVEs. This, the vendor explained, is because the flaw requires some level of authentication, albeit minimal, for an attacker to jeopardize the hybrid cloud environment.
Users can mitigate the flaw by removing the ClusterRoleBinding that links the kueue-batch-user-role ClusterRole with the system:authenticated group. "The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege," Red Hat added. Additionally, the vendor suggests not granting broad permissions to system-level groups.
Red Hat didn't immediately respond to The Register's inquiries, including if the CVE has been exploited. We will update this story as soon as we receive any additional information.
OpenShift AI is an open platform for building and managing AI applications across hybrid cloud environments. As noted earlier, it includes a ClusterRole named "kueue-batch-user-role." The security issue here exists because this role is incorrectly bound to the system:authenticated group. "This grants any authenticated entity, including low-privileged service accounts for user workbenches, the permission to create OpenShift Jobs in any namespace," according to a Bugzilla flaw-tracking report.
One of these low-privileged accounts could abuse this to schedule a malicious job in a privileged namespace, configure it to run with a high-privilege ServiceAccount, exfiltrate that ServiceAccount token, and then "progressively pivot and compromise more powerful accounts, ultimately achieving root access on cluster master nodes and leading to a full cluster takeover," the report said.
"Vulnerabilities offering a path for a low privileged user to fully take over an environment needs to be patched in the form of an incident response cycle, seeking to prove that the environment was not already compromised," Trey Ford, chief strategy and trust officer at crowdsourced security company Bugcrowd, said in an email to The Register.
In other words: "Assume breach," Ford added. "The administrators managing OpenShift AI infrastructure need to patch this with a sense of urgency - this is a delightful vulnerability pattern for attackers looking to acquire both access and data," he said. "Security teams must move with a sense of purpose, both verifying that these environments have been patched, then investigating to confirm whether-and-if their clusters have been compromised."
[2]
Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.
OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration.
The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as "Important" and not "Critical" in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment.
"A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator," Red Hat said in an advisory earlier this week. "This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."
The following versions are affected by the flaw -
As mitigations, Red Hat is recommending that users avoid granting broad permissions to system-level groups, and remove "the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group." "The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege," it added.
A severe security flaw in Red Hat's OpenShift AI service could allow attackers to escalate privileges and gain complete control of hybrid cloud environments. The vulnerability, rated 9.9 out of 10 in severity, poses a significant threat to data security and service integrity.
A severe security flaw has been uncovered in Red Hat's OpenShift AI service, potentially exposing hybrid cloud environments to significant risks. The vulnerability, tracked as CVE-2025-10725, has been assigned a near-maximum severity score of 9.9 out of 10.
The flaw allows a low-privileged attacker with access to an authenticated account, such as a data scientist using a standard Jupyter notebook, to escalate their privileges to that of a full cluster administrator. This escalation can lead to a complete compromise of the cluster's confidentiality, integrity, and availability.
Red Hat has classified the vulnerability as "Important" rather than "Critical," citing the requirement for some level of authentication for exploitation. However, the potential consequences are severe, including:
The vulnerability stems from an incorrect binding of the "kueue-batch-user-role" ClusterRole to the system:authenticated group. This misconfiguration grants any authenticated entity, including low-privileged service accounts for user workbenches, permission to create OpenShift Jobs in any namespace.
An attacker could exploit this by scheduling a malicious job in a privileged namespace, configuring it to run with a high-privilege ServiceAccount, and exfiltrating that ServiceAccount token. This process allows for progressive pivoting and compromise of more powerful accounts, potentially leading to root access on cluster master nodes and full cluster takeover.
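A defender-side audit for the binding described above, added here as an example (not code from Red Hat or the cited articles): it reads RBAC objects in the shape produced by `kubectl get clusterroles,clusterrolebindings -o json` and reports every ClusterRoleBinding that gives a broad system group a ClusterRole allowing Job creation. The sample objects, the `example-*` names and the rule list shown for the role are constructed; only `kueue-batch-user-role` and `system:authenticated` come from the text.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# The rules and every "example-*" name are assumptions made for this illustration.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "kueue-batch-user-role"},
  "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "example-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-kueue-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-viewer-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "example-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-team-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "example-batch-team"}]}
]}
""")

# Built-in groups that cover every caller, not a chosen set of users.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def _matches(values, wanted):
    return "*" in values or wanted in values

def can_create_jobs(role):
    """True if any rule in the ClusterRole allows `create` on batch/jobs."""
    return any(
        _matches(r.get("apiGroups", []), "batch")
        and _matches(r.get("resources", []), "jobs")
        and _matches(r.get("verbs", []), "create")
        for r in role.get("rules") or []
    )

def risky_bindings(rbac_list):
    """Names of ClusterRoleBindings giving a broad group cluster-wide Job creation."""
    items = rbac_list.get("items", [])
    job_roles = {i["metadata"]["name"] for i in items
                 if i["kind"] == "ClusterRole" and can_create_jobs(i)}
    hits = []
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        groups = {s["name"] for s in b.get("subjects") or [] if s.get("kind") == "Group"}
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in job_roles and groups & BROAD_GROUPS:
            hits.append(b["metadata"]["name"])
    return sorted(hits)

if __name__ == "__main__":
    print(risky_bindings(SAMPLE))
```

A binding of the same role to a named team group is not reported, which matches the advice to grant Job creation to specific users or groups only.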
Red Hat has provided several mitigation strategies for affected users:
Trey Ford, chief strategy and trust officer at Bugcrowd, emphasizes the urgency of addressing this vulnerability:
"Administrators managing OpenShift AI infrastructure need to patch this with a sense of urgency - this is a delightful vulnerability pattern for attackers looking to acquire both access and data," Ford stated.
He further advises organizations to "assume breach" and conduct thorough investigations to confirm whether their clusters have been compromised.
The vulnerability affects multiple versions of Red Hat OpenShift AI, highlighting the importance of prompt patching and security reviews across hybrid cloud environments. As AI and machine learning technologies become increasingly integrated into enterprise infrastructure, vulnerabilities like CVE-2025-10725 underscore the critical need for robust security measures in AI-driven platforms.
Summarized by
Navi