HACKERS IN YOUR MODEL PIPELINE: Severe OpenShift AI Flaw (CVE-2025-10725) Actively Exploited in the Wild    

Chapter 1: The Threat is Now Live — What "Actively Exploited" Means

In our **initial report on CVE-2025-10725**, we warned of a critical privilege escalation vulnerability in Red Hat OpenShift AI. That theoretical risk is now a clear and present danger. Threat intelligence sources have confirmed that multiple threat actors have reverse-engineered the vulnerability and are now actively exploiting it in the wild. This is no longer a "patch when you can" situation; it is a "patch now or expect to be breached" emergency. Any unpatched, exposed OpenShift AI instance must be considered a prime target.

Chapter 2: The Current Campaign — How Attackers Are Weaponizing Model Pipelines

The attackers are exploiting the flaw exactly as predicted. The campaign follows a simple but devastating kill chain.

1. **Initial Access:** The attackers gain a foothold in the target environment by compromising a low-privileged account, typically a data scientist's credentials obtained via phishing or password spraying.
2. **The Weaponized "Model":** The attacker logs into the OpenShift AI platform as the compromised user. They then submit a new "model" for deployment. This model does no actual machine learning; its manifest (`.yaml` file) is simply a carrier for the malicious payload: a `ClusterRoleBinding` that grants the attacker's account the all-powerful `cluster-admin` role.
3. **Privilege Escalation:** The vulnerable OpenShift AI controller applies the manifest, and the attacker is instantly promoted to a full cluster administrator.
4. **Impact:** With `cluster-admin` rights, the attackers have been observed deploying cryptocurrency mining pods across the cluster and installing persistent backdoors to maintain long-term access for future data theft or disruptive attacks.

Chapter 3: The Defender's Playbook — Emergency Patching & Hunting for Compromise

Your response must be immediate and two-fold: patch and hunt.

Step 1: PATCH IMMEDIATELY

Red Hat has released an emergency patch for the OpenShift AI operator. You must apply this update via the OpenShift OperatorHub without delay. This is the only way to fix the vulnerability.

Step 2: HUNT FOR COMPROMISE (Assume Breach)

You must assume you were compromised before patching. The evidence of a successful exploit is in your cluster's RBAC configuration.
The Golden Query: Log in to your cluster's command line and run:

oc get clusterrolebinding -o wide

Scrutinize the output. Look for any unexpected users or service accounts (especially non-administrator accounts) that have been bound to the `cluster-admin` role. If you find one, you have been breached and must immediately trigger your full incident response plan.

Additionally, check your API server audit logs for any unusual `CREATE` events for `ClusterRoleBinding` objects, particularly any that were initiated by the OpenShift AI service account.

Chapter 4: The Strategic Response — Assuming Breach in Your MLOps Environment

This incident is a critical lesson for the emerging field of MLOps security. The model development pipeline is now a direct target. A security strategy that trusts internal users (like data scientists) implicitly is a failed strategy.

A resilient defense for your AI/ML platform must be built on Zero Trust principles:

• **Least Privilege:** Data scientists should only have the permissions needed to do their job, in their own isolated namespaces.
• **Policy-as-Code:** Implement admission controllers (like OPA/Gatekeeper) to create preventative guardrails. A policy could be written to completely block any workload from creating a `ClusterRoleBinding`, stopping this attack before it can even be attempted.
• **Runtime Security:** You must have runtime visibility into your cluster. A **Cloud Native Security Platform (CNSP)** is essential for detecting the post-exploitation activity, such as a new pod spawning a cryptominer or making an unusual network connection.