Introduction
A low-privileged data scientist can become a cluster administrator in Red Hat OpenShift AI Service, leading to full control over all workloads and data. This privilege escalation flaw (CVE-2025-10725, CVSS 9.9) enables attackers to compromise the confidentiality, integrity, and availability of the entire AI platform and its hosted applications.
About Red Hat OpenShift AI: Red Hat OpenShift AI is an enterprise-grade platform for building, deploying, and managing AI and machine learning workloads at scale. It is built on Kubernetes and integrates tools like Jupyter notebooks for data scientists. Red Hat is a leading vendor in the enterprise Linux and container orchestration space, with OpenShift AI serving organizations globally for critical AI/ML operations.
Technical Information
CVE-2025-10725 is rooted in incorrect privilege assignment (CWE-266) within the Red Hat OpenShift AI Service's RBAC (role-based access control) implementation. The flaw allows an authenticated user with low privileges (such as a data scientist using a standard Jupyter notebook) to escalate their privileges to full cluster administrator.
The attack vector leverages the Jupyter notebook environment, which provides interactive access to the underlying Kubernetes cluster. Due to misconfigured or overly permissive RBAC rules, service account tokens, or role bindings, a user can exploit the flaw to gain cluster-admin rights. This enables:
- Access to all cluster resources and secrets
- Modification or deletion of workloads
- Exfiltration of sensitive data
- Disruption of services and infrastructure
No public code snippets or proof-of-concept exploitation details are available. The root cause is a failure in enforcing strict privilege boundaries between user roles within the OpenShift AI platform, specifically in how RBAC is implemented for notebook and service account access.
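As a defender-side check on the role bindings discussed above, the following added example (not from Red Hat or any advisory, and not a test for CVE-2025-10725 itself) reviews cluster role bindings for subjects that cover every logged-in user or that give a service account cluster-admin. The binding, role, namespace and account names in the sample are constructed, and the list of reviewed roles is an assumption to adjust per cluster.

```python
import json

# Groups whose membership is "everyone who can log in" or "every service account".
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated", "system:serviceaccounts"}
# Roles already reviewed as acceptable for broad groups (assumption: extend per cluster).
REVIEWED_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

def audit_bindings(doc):
    """Return (binding, role, subject, reason) tuples that need human review."""
    findings = []
    for item in doc.get("items", []):
        binding = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:  # "subjects" may be absent or null
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "Group" and name in BROAD_GROUPS and role not in REVIEWED_ROLES:
                findings.append((binding, role, f"Group/{name}", "broad-group"))
            elif kind == "ServiceAccount" and role == "cluster-admin":
                sa = f"ServiceAccount/{subj.get('namespace', '?')}/{name}"
                findings.append((binding, role, sa, "sa-cluster-admin"))
    return findings

# Constructed sample in the shape of `oc get clusterrolebindings -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "example-batch-users"},
   "roleRef": {"kind": "ClusterRole", "name": "example-job-creator"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "example-notebook-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns",
                 "name": "notebook-sa"}]},
  {"metadata": {"name": "example-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print("REVIEW", *finding)
```

Each finding is a prompt to inspect what the bound role actually permits, not a verdict. Namespaced RoleBindings are outside what this check reads.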
Affected Systems and Versions
- Product: Red Hat OpenShift AI Service
- Specific affected versions: Not disclosed in public advisories as of 2025-09-30
- Vulnerable configurations: Any deployment where data scientists or other low-privileged users have access to Jupyter notebook environments and default RBAC settings
Vendor Security History
Red Hat has previously addressed privilege escalation vulnerabilities in OpenShift, notably CVE-2018-1002105, which allowed users to gain cluster-admin privileges via API server flaws. The vendor is known for coordinated security advisories and timely patches, with a mature vulnerability disclosure process. The open source nature of OpenShift AI increases transparency but also exposes complex integrations to potential misconfigurations.