Red Hat OpenShift AI Vulnerability Lets Attackers Seize Infrastructure Control

A critical flaw in the Red Hat OpenShift AI (RHOAI) service allows attackers with minimal access to escalate privileges and seize full control of entire clusters.

Identified as CVE-2025-10725, the vulnerability stems from an overly permissive ClusterRole assignment that links the built-in system:authenticated group to the kueue-batch-user-role.

This misconfiguration grants any authenticated user broad job-creation rights across the cluster, enabling privilege escalation, data theft, service disruption, and complete infrastructure compromise.

Risk Factor Table

| CVE ID | Affected Component | CVSS v3.1 Score (Red Hat) |
|---|---|---|
| CVE-2025-10725 | Red Hat OpenShift AI Service (rhoai/odh-rhel8-operator, rhoai/odh-rhel9-operator) | 9.9 (Important) |

Vulnerability Details

The flaw resides in a ClusterRoleBinding that indiscriminately associates system:authenticated, which includes any user with a valid login, with the kueue-batch-user-role.

Users such as data scientists operating standard Jupyter notebook accounts gain the ability to create jobs across the cluster.

By crafting malicious jobs that run with elevated privileges, an attacker can hijack the cluster control plane.

Once administrative privileges are obtained, the threat actor can:

  • Steal sensitive data stored within pods and persistent volumes
  • Disrupt or disable mission-critical services
  • Deploy backdoors or malware for persistent access
  • Control underlying infrastructure components

Red Hat assigns a CVSS v3.1 score of 9.9, rating the issue as Important rather than Critical because exploitation requires authentication.

However, the practical risk is severe, since many organizations grant data scientists and analysts extensive rights for job scheduling and batch workloads.

Organizations that provide broad job-creation permissions to large user groups are particularly exposed.

An attacker exploiting CVE-2025-10725 can move laterally, gaining persistent control over analytics workloads, model training pipelines, and even core platform services.

The vulnerability undermines tenant isolation in multi-tenant environments and can facilitate cross-project attacks.

Mitigation Recommendations

To remediate this vulnerability, administrators should apply strict least-privilege principles:

  1. Revoke the offending ClusterRoleBinding: Remove any bindings that attach kueue-batch-user-role to system:authenticated.
  2. Define explicit job-creation roles: Assign the kueue-batch-user-role only to specific user accounts or groups that require batch job permissions.
  3. Audit existing roles and bindings: Review all ClusterRoleBindings for overly broad assignments and ensure permissions align with actual job requirements.
  4. Enforce separation of duties: Maintain distinct roles for development, analytics, and administrative functions to limit privilege escalation paths.

These steps reduce the attack surface by restricting administrative capabilities to trusted identities, ensuring that data scientists and other non-administrative users cannot escalate privileges.
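
The audit in steps 1 and 3 can be scripted. The following is an added example, not code from Red Hat or from the original article: it scans ClusterRoleBinding data in the JSON shape returned by `oc get clusterrolebindings -o json` and reports roles granted to broad built-in groups. It generalizes beyond system:authenticated to two other wide built-in groups; the binding names and the batch-users group in the sample are constructed placeholders.

```python
import json

# Built-in Kubernetes groups that each cover a very large set of identities.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}

# Constructed sample shaped like `oc get clusterrolebindings -o json` output.
# Binding names and the batch-users group are placeholders, not from the advisory.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "placeholder-kueue-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"metadata": {"name": "placeholder-scoped-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
  "subjects": [{"kind": "Group", "name": "batch-users"}]},
 {"metadata": {"name": "placeholder-discovery-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"metadata": {"name": "placeholder-empty-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": null}
]}
""")


def find_broad_bindings(crb_list, role=None):
    """Return (binding, role, group) for each ClusterRoleBinding that grants a
    ClusterRole to a broad built-in group. If `role` is set, only that role."""
    findings = []
    for item in crb_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        if role is not None and ref.get("name") != role:
            continue
        # A binding may carry no subjects at all (missing key or null).
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((item["metadata"]["name"], ref["name"], subj["name"]))
    return findings


if __name__ == "__main__":
    for binding, role_name, group in find_broad_bindings(SAMPLE):
        print(f"{binding}: {role_name} -> {group}")
```

Run without a role filter, the scan also reports broad bindings that are intentional, such as the discovery role in the sample, so each finding needs a review against what the role actually permits.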

CVE-2025-10725 serves as a stark reminder of the dangers inherent in overly permissive role configurations within Kubernetes-powered AI platforms.

Security teams must proactively govern cluster permissions, conduct regular audits of role and binding assignments, and enforce least-privilege policies to guard against privilege escalation.

Vigilant permission management is essential to maintain the integrity of AI-driven services and protect sensitive data and workloads.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
