Red Hat, an IBM subsidiary, warned in a security alert published earlier this week that a high-severity vulnerability in its OpenShift AI service, tracked as CVE-2025-10725 and scored 9.9 by CVSS, could allow a remote attacker with minimal authentication to steal data, disrupt services and fully hijack a cluster.
The vendor said a low-privileged attacker with an authenticated account – for example a data scientist using a standard Jupyter notebook – can escalate privileges to become a full cluster administrator, enabling what Red Hat described as a complete compromise of the cluster’s confidentiality, integrity and availability. The National Vulnerability Database lists the bug with a critical-severity rating, but Red Hat characterized the issue as “important” because it requires some level of authentication.
Red Hat advised administrators to mitigate the flaw by removing the ClusterRoleBinding that links the kueue-batch-user-role ClusterRole with the system:authenticated group and to grant job-creation permissions on a more granular, as-needed basis to specific users or groups, following the principle of least privilege. The vendor also recommended avoiding broad permissions for system-level groups.
A Bugzilla flaw-tracking report said the vulnerable ClusterRole is incorrectly bound to the system:authenticated group, which permits any authenticated entity to create OpenShift Jobs in any namespace. The report says an attacker could schedule a job in a privileged namespace, run it with a high-privilege ServiceAccount, exfiltrate that ServiceAccount token and progressively pivot to compromise more powerful accounts and cluster master nodes.
Security experts quoted in the article urged administrators to treat the vulnerability as urgent and to conduct incident-response checks to determine whether clusters were already compromised. Trey Ford, chief strategy and trust officer at crowdsourced security company Bugcrow, said in an email to the publication that organisations should “assume breach” and verify both that patches have been applied and whether an environment has been compromised. Red Hat did not immediately respond to inquiries about whether the CVE has been exploited.