A critical privilege escalation vulnerability (CVE-2025-10725, CVSS 9.9) was discovered in **Red Hat OpenShift AI**, a platform for managing AI/ML workloads across hybrid clouds. The flaw allows a low-privileged authenticated attacker (e.g., a data scientist with standard Jupyter notebook access) to escalate privileges to **full cluster administrator**, compromising the entire infrastructure. This enables theft of sensitive data, disruption of all hosted services, and complete takeover of the underlying systems—posing a **total breach risk** to the platform and its applications.

Affected versions include **OpenShift AI 2.19, 2.21, and RHOAI**. While Red Hat classified it as *'Important'* (due to the authentication prerequisite), the impact is severe: attackers could **exfiltrate proprietary AI models, customer data, or internal research**, halt critical operations, or pivot to broader network infiltration. Mitigations involve restricting broad permissions (e.g., `kueue-batch-user-role` bindings) and enforcing least-privilege access for job creation. The vulnerability underscores risks in AI/ML infrastructure, where compromised environments could lead to **operational shutdowns, intellectual property theft, or cascading supply-chain attacks**.
Source: https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
TPRM report: https://www.rankiteo.com/company/red-hat
"id": "red1694016100125",
"linkid": "red-hat",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Red Hat OpenShift AI '
'2.19, 2.21, and RHOAI',
'industry': 'Technology / Cloud Computing',
'location': 'Global',
'name': 'Red Hat',
'type': 'Organization (Software Vendor)'}],
'attack_vector': 'Authenticated remote attacker exploiting improper '
'permission assignments in OpenShift AI',
'customer_advisories': ['Restrict permissions as outlined in the advisory',
'Review access controls for data scientists and other '
'low-privilege roles'],
'data_breach': {'data_exfiltration': 'Possible (if attacker steals sensitive '
'data)',
'sensitivity_of_data': 'High (includes AI/ML models, training '
'data, and operational data)',
'type_of_data_compromised': ['Sensitive data stored in '
'OpenShift AI clusters',
'Potentially all data hosted on '
'the platform']},
'description': 'A severe security flaw (CVE-2025-10725, CVSS 9.9) in Red Hat '
'OpenShift AI allows authenticated low-privileged attackers '
'(e.g., data scientists with standard Jupyter notebook access) '
'to escalate privileges to full cluster administrator. This '
'enables complete compromise of the cluster’s confidentiality, '
'integrity, and availability, including theft of sensitive '
'data, service disruption, and infrastructure takeover. '
'Affected versions include Red Hat OpenShift AI 2.19, 2.21, '
'and RHOAI. Mitigations include restricting broad permissions '
'to system-level groups and adhering to the principle of least '
'privilege for job creation permissions.',
'impact': {'brand_reputation_impact': 'High (due to potential total breach of '
'AI/ML platforms)',
'data_compromised': ['Sensitive data hosted on the cluster'],
'downtime': 'Potential total disruption of services',
'operational_impact': 'Complete compromise of confidentiality, '
'integrity, and availability',
'systems_affected': ['Red Hat OpenShift AI clusters (versions '
'2.19, 2.21, RHOAI)',
'Jupyter notebook environments',
'Underlying infrastructure and hosted '
'applications']},
'initial_access_broker': {'entry_point': 'Authenticated low-privilege account '
'(e.g., data scientist with Jupyter '
'notebook access)',
'high_value_targets': ['OpenShift AI cluster '
'administrator privileges',
'Underlying infrastructure '
'control']},
'investigation_status': 'Disclosed; mitigations provided, no patch yet',
'post_incident_analysis': {'corrective_actions': ['Remove broad '
'`ClusterRoleBinding` '
'associations',
'Implement least-privilege '
'access for job creation'],
'root_causes': ['Over-permissive '
'`ClusterRoleBinding` for '
'`system:authenticated` group',
'Lack of granular permission '
'controls for job creation']},
'recommendations': ['Apply the principle of least privilege for all '
'permissions, especially job creation in OpenShift AI.',
'Audit and restrict `ClusterRoleBinding` associations to '
'prevent over-permissive access.',
'Monitor for unauthorized privilege escalation attempts '
'in AI/ML platforms.',
'Update to patched versions of OpenShift AI once '
'available.'],
'references': [{'source': 'Red Hat Security Advisory'}],
'response': {'communication_strategy': ['Public advisory released by Red Hat'],
'containment_measures': ['Avoid granting broad permissions to '
'system-level groups (e.g., '
'`system:authenticated`)',
'Remove or restrict the '
'`ClusterRoleBinding` associating '
'`kueue-batch-user-role` with '
'`system:authenticated`'],
'remediation_measures': ['Grant job creation permissions on a '
'granular, as-needed basis',
'Adhere to the principle of least '
'privilege']},
'stakeholder_advisories': ['Red Hat customers using OpenShift AI 2.19, 2.21, '
'or RHOAI'],
'title': 'Critical Privilege Escalation Vulnerability in Red Hat OpenShift AI '
'(CVE-2025-10725)',
'type': 'Privilege Escalation / Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2025-10725 (CVSS 9.9)'}