
Red Hat Discloses High-Severity Flaw in OpenShift AI

Red Hat has disclosed a high-severity vulnerability in its OpenShift AI platform that could allow an authenticated user to gain complete control of a cluster.

By Dominic Price

Dominic Price is a senior cybersecurity analyst for Neurozzio, reporting on enterprise security strategy, AI governance, and the intersection of technology ethics and corporate policy. He specializes in analyzing how organizations balance innovation with risk management.


Red Hat has disclosed a high-severity security vulnerability in its OpenShift AI platform, a system used for developing and managing artificial intelligence models. The flaw, identified as CVE-2025-10725, could allow an authenticated attacker to gain complete control over an entire cluster, compromising sensitive data and infrastructure.

The vulnerability has received a Common Vulnerability Scoring System (CVSS) score of 9.9 out of 10, indicating a near-maximum level of severity. Despite the high score, Red Hat has categorized the flaw as 'Important' rather than 'Critical' because an attacker must already have valid login credentials to exploit it.

Key Takeaways

  • A new vulnerability, CVE-2025-10725, has been found in Red Hat OpenShift AI versions 2.19 and 2.21.
  • The flaw has a CVSS score of 9.9, signifying critical potential impact, but requires an attacker to be authenticated.
  • Successful exploitation allows a low-privileged user to escalate their permissions to full cluster administrator.
  • This could lead to a complete compromise of the platform, including data theft, service disruption, and infrastructure control.
  • Red Hat has issued mitigation guidance focused on restricting permissions and applying the principle of least privilege.

Understanding the OpenShift AI Vulnerability

The security flaw is a privilege escalation vulnerability within the Red Hat OpenShift AI platform. This type of flaw allows a user with limited access to gain permissions far beyond their intended level, effectively breaking the security model of the system.

According to Red Hat's advisory, the vulnerability could have severe consequences for organizations that rely on the platform for their AI and machine learning operations. The high CVSS score reflects the potential for complete system compromise.

The Attacker's Path to Compromise

The attack scenario begins with a person who already has legitimate, but low-level, access to the system. This could be a data scientist, a developer, or any user with standard permissions to work within the environment, such as using a Jupyter notebook.

By exploiting CVE-2025-10725, this user can elevate their privileges to that of a full cluster administrator. This level of access grants them unrestricted control over the entire OpenShift AI environment.

"A low-privileged attacker with access to an authenticated account... can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability," Red Hat stated in its advisory.

Once an attacker achieves this level of control, they can perform a range of malicious actions. These include stealing sensitive datasets, disrupting AI model training and deployment, and taking over the underlying hardware and software infrastructure.

Authenticated vs. Unauthenticated Exploits

The distinction between an authenticated and unauthenticated exploit is crucial for assessing risk. An unauthenticated vulnerability can be exploited by anyone on the internet without needing to log in. An authenticated vulnerability, like this one, requires the attacker to first hold a valid username and password. The realistic attacker is therefore either a malicious insider or an external party mounting a second-stage attack after credentials have been stolen.

Why Red Hat Rates it 'Important' Not 'Critical'

The primary reason for Red Hat's 'Important' severity rating is the authentication requirement. Since an attacker cannot exploit the flaw without first gaining access to an account, the immediate risk from external threats is lower than that of a vulnerability exploitable over the internet by an anonymous party.

However, this does not diminish the potential damage. If an attacker acquires credentials through phishing, a separate data breach, or is a malicious insider, this vulnerability provides a direct path to a complete system takeover.

The Potential Impact on AI Infrastructure

Red Hat OpenShift AI is a comprehensive platform designed to manage the entire lifecycle of artificial intelligence models. It is used by organizations to build, train, and deploy both predictive and generative AI (GenAI) systems across hybrid cloud environments.

The platform handles critical stages of AI development, including data preparation, model fine-tuning, and monitoring performance. A compromise of this system could have far-reaching consequences.

What is Red Hat OpenShift AI?

OpenShift AI is an enterprise-grade platform that provides tools for data scientists and developers. Its functions include data acquisition, model training, model serving, and hardware acceleration management. It is built to operate at scale across different cloud and on-premises infrastructures.

Risks to Confidentiality, Integrity, and Availability

A successful exploit of CVE-2025-10725 threatens the three core pillars of information security:

  • Confidentiality: An attacker with administrator access could steal proprietary AI models, sensitive training data (which may include personal or financial information), and other confidential business data.
  • Integrity: The attacker could tamper with AI models, alter datasets to skew results, or introduce backdoors into the system. This could lead to incorrect business predictions or biased AI behavior.
  • Availability: The attacker could shut down services, delete critical components, or disrupt the entire infrastructure, halting all AI development and deployment operations.

Red Hat's advisory clearly outlines these risks, warning that an attacker can "steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it."

Affected Versions and Mitigation Steps

Red Hat has confirmed that specific versions of its OpenShift AI platform are affected by this vulnerability. Administrators and security teams should immediately check whether their deployments are running one of the affected versions.

List of Affected Versions

According to the official disclosure, the following versions are vulnerable:

  • Red Hat OpenShift AI 2.19
  • Red Hat OpenShift AI 2.21
  • Red Hat OpenShift AI (RHOAI)

Organizations using these versions are urged to review the mitigation guidance provided by Red Hat to reduce their risk of compromise.

Official Recommendations from Red Hat

While a patch is anticipated, Red Hat has provided immediate mitigation strategies to prevent exploitation. The core of the advice is to implement stricter access controls and adhere to the principle of least privilege, which dictates that users should only have the minimum permissions necessary to perform their jobs.

The company specifically recommends that administrators avoid granting broad permissions to system-level groups. A key recommendation is to remove or restrict "the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group."

"The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege," Red Hat added.
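To check a cluster for the binding Red Hat's guidance targets, the following audit script is an added example (not Red Hat's code or part of the advisory). It parses the JSON that `oc get clusterrolebindings -o json` produces, flags any binding that grants `kueue-batch-user-role` to `system:authenticated`, and prints the corresponding removal command; the binding names in the embedded sample are constructed and the real name on a given cluster may differ.

```python
import json

# Constructed sample: a trimmed 'oc get clusterrolebindings -o json' output.
# Binding names are hypothetical; only the fields the audit needs are present.
SAMPLE_BINDINGS_JSON = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {   # over-broad: every authenticated user can create Kueue jobs
            "metadata": {"name": "kueue-batch-user-rolebinding"},
            "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # acceptable: same role, but granted to a specific team group
            "metadata": {"name": "ml-team-batch-users"},
            "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
            "subjects": [{"kind": "Group", "name": "ml-team"}],
        },
        {   # unrelated role; must not be flagged
            "metadata": {"name": "cluster-admins"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "cluster-admins"}],
        },
    ],
})

# The system-level group named in Red Hat's mitigation guidance.
BROAD_GROUPS = {"system:authenticated"}


def find_overbroad_bindings(bindings_json, role_name="kueue-batch-user-role",
                            broad_groups=BROAD_GROUPS):
    """Return names of ClusterRoleBindings granting role_name to a broad group."""
    doc = json.loads(bindings_json)
    hits = []
    for item in doc.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != role_name:
            continue
        # 'subjects' can be absent or null on a real binding; treat that as empty.
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in broad_groups:
                hits.append(item["metadata"]["name"])
                break
    return hits


def remediation_commands(binding_names):
    """One 'oc delete' per over-broad binding, per the advisory's guidance."""
    return [f"oc delete clusterrolebinding {name}" for name in binding_names]


if __name__ == "__main__":
    for cmd in remediation_commands(find_overbroad_bindings(SAMPLE_BINDINGS_JSON)):
        print(cmd)
```

After removing the broad binding, job-creation rights are re-granted to named users or groups, as in the `ml-team-batch-users` entry the script leaves untouched.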

By implementing these changes, organizations can limit the ability of a low-privileged user to access the functions needed to escalate their permissions, effectively closing the attack vector until a permanent software fix is available and can be applied.