A newly disclosed security flaw in Red Hat OpenShift AI could allow attackers to escalate privileges and seize control of entire infrastructures – albeit under specific conditions. Tracked as CVE-2025-10725, the vulnerability carries a CVSS score of 9.9 out of 10, falling just short of the maximum severity rating.
Red Hat has classified the bug as “Important” rather than “Critical”, citing the requirement for attackers to already possess authenticated access before exploitation.
What is OpenShift AI?
OpenShift AI is Red Hat’s platform for managing predictive and generative AI models across hybrid cloud environments. It handles tasks including data acquisition, preparation, training, fine-tuning, serving, monitoring, and hardware acceleration.
Inside CVE-2025-10725
According to Red Hat’s disclosure, a low-privileged attacker with access to an authenticated account – for example, a data scientist running a standard Jupyter notebook – could escalate privileges to a full cluster administrator.
This escalation enables a complete compromise of the cluster’s confidentiality, integrity, and availability. Attackers could exfiltrate sensitive data, disrupt hosted services, and seize control of the underlying infrastructure. In short, a single compromised account could lead to the total breach of the platform and all applications hosted on it.
How Should You Respond to CVE-2025-10725? Experts Weigh In
Attack Surface Expanded by Jupyter Notebooks
Security professionals point to the accessibility of Jupyter notebooks – open-source tools that let users run code, analyze data, and document results in an interactive, web-based environment – as a particularly concerning attack vector.
“The example attack vector mentioned in the bug filing alone justifies its criticality. Jupyter notebooks are widely used in academic and commercial R&D activities, and MFA is rarely used. Coupled with the abundant availability of stolen usernames and passwords, they are an easy target for attackers,” said Mr. Agnidipta Sarkar, Chief Evangelist at ColorTokens.
Sarkar warned that beyond cluster takeover, attackers could launch malicious pods to establish command-and-control, conduct reconnaissance, and move laterally into vulnerable systems. He urged security teams to audit infrastructure for OpenShift AI deployments and apply mitigations without delay.
Defense-in-Depth is Essential
Shane Barney, CISO at Keeper Security, emphasises the importance of layered defenses for mitigating the risks associated with CVE-2025-10725.
“While Red Hat classifies the flaw as ‘Important’ because it requires an authenticated account, the reality is that even low-privileged access can be weaponized to cause significant damage when privilege escalation is possible,” he said.
He advises security teams to:
- Remove overly broad role bindings
- Apply vendor patches immediately
- Validate permissions against the principle of least privilege
- Deploy Privileged Access Management (PAM) tools for visibility and control.
“Every account is a potential entry point,” he said. “By layering controls, including strong authentication, continuous monitoring, PAM and least privilege, organizations can dramatically reduce the blast radius of privilege escalation attacks like this one.”
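One way to carry out the role-binding review from the list above, as an added example that is not part of the original article or Red Hat's advisory. It assumes the two inputs are the parsed output of `oc get clusterrolebindings -o json` and `oc get clusterroles -o json`; the sample names and the choice of "write-type" verbs are this example's own assumptions.

```python
import json

# Real built-in groups that match every logged-in (or every anonymous) user.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}
# Assumption of this example: these verbs count as "more than read-only".
WRITE_VERBS = {"*", "create", "update", "patch", "delete",
               "deletecollection", "bind", "escalate", "impersonate"}

def audit(bindings, roles):
    """Return ClusterRoleBindings that give a broad group write-type verbs."""
    by_name = {r["metadata"]["name"]: r for r in roles["items"]}
    findings = []
    for b in bindings["items"]:
        groups = sorted(s["name"] for s in b.get("subjects") or []
                        if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS)
        if not groups:
            continue  # bound to specific users, groups or service accounts only
        role = by_name.get(b["roleRef"]["name"], {})
        grants = set()
        for rule in role.get("rules") or []:  # aggregated roles may have null rules
            for verb in WRITE_VERBS & set(rule.get("verbs", [])):
                for res in rule.get("resources") or rule.get("nonResourceURLs", []):
                    grants.add(f"{verb} {res}")
        if grants:
            findings.append({"binding": b["metadata"]["name"],
                             "role": b["roleRef"]["name"],
                             "groups": groups, "grants": sorted(grants)})
    return findings

# Constructed sample data; every name below is made up for this example.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "example-job-submitter"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "create"]}]},
    {"metadata": {"name": "example-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "example-jobs-for-everyone"},
     "roleRef": {"kind": "ClusterRole", "name": "example-job-submitter"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "example-view-for-everyone"},
     "roleRef": {"kind": "ClusterRole", "name": "example-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]}]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(json.dumps(finding))
```

On a real cluster some findings will be intended platform defaults, so treat the output as a review list rather than a removal list.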
Assume Breach and Act with Purpose
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, argues that organizations should treat CVE-2025-10725 not only as a patching priority but also as an incident response matter.
“Ignoring the CVSS 9.9 fanfare – vulnerabilities offering a path for a low-privileged user to fully take over an environment needs to be patched in the form of an incident response cycle, seeking to prove that the environment was not already compromised. (Assume breach),” he said.
Ford stresses that the impact varies with organizational size:
- Smaller teams may blur the line between low-privileged and admin-level accounts.
- Larger enterprises face the more troubling scenario of privilege escalation leading to root access on cluster master nodes and, ultimately, total control.
He added that administrators must move with urgency to apply patches, while security teams must move with purpose to ensure environments are updated and investigated for signs of compromise.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.


