CVE-2025-10725
published 2025-09-30

Priority: P2 (64), critical
CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.70% (48.4th percentile)

A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.

Affected

1 range

Vendor           Product                Version range   Fixed in
opendatahub-io   opendatahub-operator   < 3.0.0         3.0.0

Detection & IOCs (extracted from sources)

  • Overly permissive ClusterRoleBinding named 'kueue-batch-user-rolebinding' grants authenticated users cluster-admin equivalent privileges; audit its existence and subjects on any RHOAI cluster
  • Detect exploitation attempts by monitoring for low-privileged users (e.g., data scientists in Jupyter notebooks) performing cluster-admin-level API calls; correlate with ClusterRoleBinding 'kueue-batch-user-rolebinding' membership
  • Audit the 'kueue-batch-user-rolebinding' ClusterRoleBinding subjects field; if it references a broad or system-authenticated group rather than a non-existent group, the cluster is likely still vulnerable
  • Monitor Kubernetes audit logs for unexpected ClusterRoleBinding or ClusterRole modifications by accounts associated with the 'redhat-ods-operator' namespace or Kueue component, which may indicate post-exploitation persistence
  • RHOAI operator will re-create or re-manage 'kueue-batch-user-rolebinding' unless the 'opendatahub.io/managed: false' annotation is explicitly set before patching subjects; mitigation steps must be applied in the correct order
  • The substitute group name used in the ClusterRoleBinding subject during mitigation must not exist on the cluster; using an existing group would inadvertently grant the same dangerous permissions to that group
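
The subject and annotation checks listed above can be scripted against the binding's JSON (for example the output of `kubectl get clusterrolebinding kueue-batch-user-rolebinding -o json`). This is an added example, not code from the advisory or the project: the function name audit_crb, the BROAD_GROUPS list, the existing_groups parameter and the trimmed sample manifests are assumptions constructed for illustration.

```python
import json

CRB_NAME = "kueue-batch-user-rolebinding"      # binding named on this page
MANAGED_ANNOTATION = "opendatahub.io/managed"  # annotation named on this page
# Assumption: built-in groups treated as "broad" because they match every logged-in user.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def audit_crb(manifest_json, existing_groups=()):
    """Classify one ClusterRoleBinding manifest; returns (verdict, reasons).

    existing_groups: group names known to exist on the cluster (supplied by
    the caller; the manifest alone cannot tell whether a group is real).
    """
    crb = json.loads(manifest_json)
    meta = crb.get("metadata", {})
    if meta.get("name") != CRB_NAME:
        return "not-applicable", ["different ClusterRoleBinding"]
    groups = {s.get("name") for s in crb.get("subjects") or []
              if s.get("kind") == "Group"}
    broad = sorted(groups & BROAD_GROUPS)
    if broad:
        return "vulnerable", ["subject is a broad group: " + ", ".join(broad)]
    reasons = []
    real = sorted(groups & set(existing_groups))
    if real:
        reasons.append("substitute group exists on cluster: " + ", ".join(real))
    annotations = meta.get("annotations") or {}
    if annotations.get(MANAGED_ANNOTATION) != "false":
        reasons.append("operator still manages the binding and may revert subjects")
    return ("incomplete" if reasons else "mitigated"), reasons


def sample(group, annotations=None):
    """Constructed, trimmed manifest (roleRef omitted); not from a real cluster."""
    return json.dumps({
        "kind": "ClusterRoleBinding",
        "metadata": {"name": CRB_NAME, "annotations": annotations or {}},
        "subjects": [{"kind": "Group", "name": group,
                      "apiGroup": "rbac.authorization.k8s.io"}],
    })


if __name__ == "__main__":
    unmanaged = {MANAGED_ANNOTATION: "false"}
    for doc in (sample("system:authenticated"),
                sample("placeholder-nonexistent-group"),
                sample("placeholder-nonexistent-group", unmanaged)):
        print(audit_crb(doc, existing_groups={"data-scientists"}))
```

A verdict of "incomplete" covers both ordering problems from the list: subjects patched without the annotation, or a substitute group that actually exists.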

CVSS provenance

nvd: v3.1, 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat: 9.9 CRITICAL