CVE-2025-10725
Published 2025-09-30
Priority: P2 · 64
Severity: Critical, CVSS 3.1 base score 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.70% (48.4th percentile)
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opendatahub-io | opendatahub-operator | < 3.0.0 | 3.0.0 |
Detection & IOCs (extracted from sources)
- Overly permissive ClusterRoleBinding named 'kueue-batch-user-rolebinding' grants authenticated users cluster-admin equivalent privileges; audit its existence and subjects on any RHOAI cluster.
- Detect exploitation attempts by monitoring for low-privileged users (e.g., data scientists in Jupyter notebooks) performing cluster-admin-level API calls; correlate with ClusterRoleBinding 'kueue-batch-user-rolebinding' membership.
- Audit the 'kueue-batch-user-rolebinding' ClusterRoleBinding subjects field; if it references a broad or system-authenticated group rather than a non-existent group, the cluster is likely still vulnerable.
- Monitor Kubernetes audit logs for unexpected ClusterRoleBinding or ClusterRole modifications by accounts associated with the 'redhat-ods-operator' namespace or Kueue component, which may indicate post-exploitation persistence.
- The RHOAI operator will re-create or re-manage 'kueue-batch-user-rolebinding' unless the 'opendatahub.io/managed: false' annotation is explicitly set before patching subjects; mitigation steps must be applied in the correct order.
- The substitute group name used in the ClusterRoleBinding subject during mitigation must not exist on the cluster; using an existing group would inadvertently grant the same dangerous permissions to that group.
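The audit conditions above (broad subject group, substitute group that actually exists, annotation set before the subjects are patched) as an added check script, not Red Hat's or the opendatahub-operator project's code. It assumes the binding was exported with `oc get clusterrolebinding kueue-batch-user-rolebinding -o json` and that the cluster's group names come from `oc get groups`; the bound ClusterRole's name is a placeholder because this page does not give it.

```python
# Added audit helper (not Red Hat's or the project's code). Input is the object
# returned by `oc get clusterrolebinding kueue-batch-user-rolebinding -o json`.

# Groups that mean "every (authenticated) user" on OpenShift/Kubernetes.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth", "system:unauthenticated"}
MANAGED_ANNOTATION = "opendatahub.io/managed"


def assess_binding(crb, cluster_groups):
    """Classify one ClusterRoleBinding; cluster_groups = names from `oc get groups`."""
    meta = crb.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    groups = [s["name"] for s in crb.get("subjects") or [] if s.get("kind") == "Group"]
    broad = [g for g in groups if g in BROAD_GROUPS]
    existing = [g for g in groups if g not in BROAD_GROUPS and g in cluster_groups]
    managed_false = str(annotations.get(MANAGED_ANNOTATION, "")).lower() == "false"
    if broad or existing:
        status = "vulnerable"           # the bound role reaches real users
    elif not managed_false:
        status = "operator-may-revert"  # subjects look safe, but RHOAI still manages the object
    else:
        status = "mitigated"
    return {"name": meta.get("name"), "role": (crb.get("roleRef") or {}).get("name"),
            "broad_groups": broad, "existing_groups": existing,
            "managed_false": managed_false, "status": status}


def sample_crb(group, managed=None):
    """Constructed ClusterRoleBinding in the rbac.authorization.k8s.io/v1 shape."""
    meta = {"name": "kueue-batch-user-rolebinding"}
    if managed is not None:
        meta["annotations"] = {MANAGED_ANNOTATION: managed}
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": meta,
            # the bound ClusterRole's real name is not given on this page
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                        "name": "ROLE-NAME-PLACEHOLDER"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group}]}


if __name__ == "__main__":
    known = {"data-scientists", "cluster-admins"}  # constructed `oc get groups` output
    for crb in (sample_crb("system:authenticated"),                     # as shipped: vulnerable
                sample_crb("nonexistent-placeholder-group"),            # patched without the annotation
                sample_crb("nonexistent-placeholder-group", "false")):  # annotation first, then subjects
        print(assess_binding(crb, known))
```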
CVSS provenance
- NVD (CVSS v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Red Hat (vendor): 9.9 CRITICAL
Red Hat (vendor advisory, 2025-09-29, CVSS 9.9, CWE-266)
openshift-ai: Overly Permissive ClusterRole Allows Authenticated Users to Escalate Privileges to Cluster Admin
GHSA (unreviewed, 2025-09-30, CWE-266)
GHSA-g829-2387-h324: A flaw was found in Red Hat Openshift AI Service
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://access.redhat.com/errata/RHSA-2025:16981
- https://access.redhat.com/errata/RHSA-2025:16982
- https://access.redhat.com/errata/RHSA-2025:16983
- https://access.redhat.com/errata/RHSA-2025:16984
- https://access.redhat.com/errata/RHSA-2025:17501
- https://access.redhat.com/security/cve/CVE-2025-10725
- https://bugzilla.redhat.com/show_bug.cgi?id=2396641
- https://github.com/opendatahub-io/opendatahub-operator/commit/070057ebd0882be0e397bee1daa18c36374a03c0
- https://github.com/opendatahub-io/opendatahub-operator/pull/2571