Red Hat has issued a security advisory, CVE-2025-10725, highlighting a significant vulnerability within its OpenShift AI Service. This flaw enables attackers with minimal privileges to escalate their access to that of a full cluster administrator, potentially compromising the entire platform. With a CVSS v3 base score of 9.9, this vulnerability presents a critical risk to organizations utilizing Red Hat OpenShift AI for machine learning workloads.
Understanding the Vulnerability (CVE-2025-10725):
The core issue stems from an overly permissive ClusterRoleBinding that links the `kueue-batch-user-role` with the `system:authenticated` group. In standard deployments, authenticated users, such as data scientists, access Jupyter notebooks and AI pipeline features with limited privileges. However, this misconfiguration allows an attacker to exploit the `batch.kueue.openshift.io` API to create arbitrary Job and Pod resources.
By doing so, the attacker can:
– Inject malicious containers or init-containers that execute `oc` or `kubectl` commands.
– Chain privilege escalations within the cluster by binding newly created service accounts to higher-privilege roles.
– Ultimately assume the `cluster-admin` role, granting unrestricted read/write access to all cluster objects.
This exploit undermines the confidentiality, integrity, and availability of hosted workloads, enabling data theft, service disruption, and full infrastructure takeover.
Affected Products:
– Red Hat OpenShift AI 2.19 (RHEL 8)
– Red Hat OpenShift AI 2.21 (RHEL 9)
– `registry.redhat.io/rhoai/odh-rhel8-operator`
– `registry.redhat.io/rhoai/odh-rhel9-operator`
Impact:
– Privilege escalation
Exploit Prerequisites:
– Valid authenticated user account
– Access to OpenShift AI Service
– Low-privileged account with access to Jupyter notebook or similar interface
– Ability to interact with `batch.kueue.openshift.io` API
Mitigation Strategies:
Red Hat has released fixes in the following errata, updating the OpenShift AI Operator for Red Hat Enterprise Linux 8 and 9:
– RHBA-2025:16984 (OpenShift AI 2.19 on RHEL 8)
– RHBA-2025:16983 (OpenShift AI 2.21 on RHEL 9)
Administrators are urged to apply these updates immediately. As a temporary workaround before patching, the problematic ClusterRoleBinding can be removed:
“`bash
oc delete clusterrolebinding kueue-batch-user-role-binding
“`
Subsequently, grant job-creation permissions explicitly to trusted identities. This approach enforces the Principle of Least Privilege, ensuring only designated users or groups can submit AI jobs.
Red Hat classifies CVE-2025-10725 as Important rather than Critical because the attacker must hold a valid authenticated account, albeit with low privileges. Nonetheless, the impact remains severe. Organizations running Red Hat OpenShift AI should remediate promptly to prevent complete cluster compromise and adhere to hardened RBAC configurations going forward.
