Warning: Elevation of Privileges in Red Hat OpenShift AI, Patch Immediately!

Published: 01/10/2025

 

    * Last update:  01/10/2025
   
    * Affected software: Red Hat OpenShift AI
 
    * Type: Elevation of Privileges (EoP)
 
    * CVE/CVSS: CVE-2025-10725: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

 

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10725
Red Hat Advisory: https://access.redhat.com/security/cve/cve-2025-10725
RHEL8 bug fix advisory: https://access.redhat.com/errata/RHBA-2025:16984
RHEL9 bug fix advisory: https://access.redhat.com/errata/RHBA-2025:16983
 

Risks

A low-privileged attacker with access to an authenticated account, such as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability.
The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it. The Red Hat security bulletin does not mention exploitation in the wild.
 

Description

Red Hat OpenShift AI is a platform built on Kubernetes (via OpenShift) that streamlines the entire machine learning (ML) and artificial intelligence (AI) lifecycle. It offers data scientists and ML engineers tools like Jupyter notebooks, pipeline orchestration, optimized model serving (including support for large language models via vLLM), and model versioning. This environment can run on-premises, in the cloud, or at the edge.

CVE-2025-10725 poses a critical risk for organizations leveraging Red Hat OpenShift AI for AI and/or machine learning workloads. An incorrectly bound ClusterRole grants any authenticated entity, including low-privileged service accounts for user workbenches, the permission to create OpenShift Jobs in any namespace. An attacker can abuse this misconfigured permission to schedule a malicious Job in a privileged namespace (e.g., openshift-apiserver-operator), configuring it to run with a high-privilege ServiceAccount. The Job can then exfiltrate the ServiceAccount token, allowing the attacker to progressively pivot and compromise more powerful accounts, ultimately achieving root access on cluster master nodes and leading to a full cluster takeover.

Recommended Actions

 
Patch  
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Mitigate
If patching is not immediately possible, the Centre for Cybersecurity Belgium strongly recommends removing the prerequisites for successful exploitation. Please see the vendor-recommended mitigations for more information.

Monitor/Detect 

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
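
The Description above attributes the flaw to a ClusterRole, bound to any authenticated entity, that permits creating Jobs in any namespace. The following Python audit check is an added example, not code from the CCB or Red Hat: it flags ClusterRoleBindings that give a catch-all group cluster-wide "create" on batch Jobs. The sample data is constructed to resemble the output of `oc get clusterroles -o json` and `oc get clusterrolebindings -o json`, and all role, binding and namespace names are placeholders.

```python
# Catch-all groups: every authenticated user / every ServiceAccount.
BROAD_GROUPS = {"system:authenticated", "system:serviceaccounts"}

def matches(values, wanted):  # exact name or the RBAC '*' wildcard
    return "*" in (values or []) or wanted in (values or [])

def role_allows_job_create(role):
    """True if any rule of the ClusterRole permits 'create' on batch Jobs."""
    return any(matches(r.get("apiGroups"), "batch")
               and matches(r.get("resources"), "jobs")
               and matches(r.get("verbs"), "create")
               for r in role.get("rules") or [])

def find_broad_job_creators(roles_doc, bindings_doc):
    """List (binding, role, group) where a catch-all group may create Jobs."""
    risky = {r["metadata"]["name"] for r in roles_doc["items"]
             if role_allows_job_create(r)}
    findings = []
    for b in bindings_doc["items"]:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], ref["name"], s["name"]))
    return findings

# Constructed sample shaped like `oc get ... -o json`; names are placeholders.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "example-job-submitter"}, "rules": [
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"]}]},
    {"metadata": {"name": "example-job-viewer"}, "rules": [
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list"]}]},
]}
def binding(name, role, subject):  # helper for the constructed sample only
    return {"metadata": {"name": name}, "subjects": [subject],
            "roleRef": {"kind": "ClusterRole", "name": role}}
SAMPLE_BINDINGS = {"items": [
    binding("example-all-submit", "example-job-submitter",
            {"kind": "Group", "name": "system:authenticated"}),
    binding("example-all-view", "example-job-viewer",
            {"kind": "Group", "name": "system:authenticated"}),
    binding("example-sa-submit", "example-job-submitter",
            {"kind": "ServiceAccount", "name": "pipeline", "namespace": "example-ns"}),
]}

if __name__ == "__main__":
    for name, role, group in find_broad_job_creators(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"REVIEW: {name} binds {role} to {group}")
```

On a live cluster, pass in the parsed JSON from the two `oc get` commands. A finding is a prompt to review that binding against the vendor advisory, not proof that the cluster is affected by this CVE.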
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.