Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Critical Red Hat OpenShift GitOps Vulnerability Exposed

16 December 2025 07:15

A critical flaw has been discovered in Red Hat OpenShift GitOps that puts Kubernetes clusters at risk by allowing users with limited permissions to gain full control of them. OpenShift GitOps is designed to automate deployments using Git as the single source of truth. However, researchers found that the permissions model for creating ArgoCD custom resources (CRs) is too permissive.

“If you can create an ArgoCD CR, you can essentially take over the entire cluster,” the vulnerability report states. The vulnerability, tracked as CVE-2025-13888 and assigned a severity score of 9.1 (critical), allows the administrator of a single namespace to manipulate the system and gain root access to the entire cluster.

The consequences are:

  • Privilege grant: the operator creates a RoleBinding that binds the attacker’s ArgoCD instance to the target namespace.
  • Privileged workloads: by targeting a namespace with a privileged security context constraint (SCC), such as default, the attacker gains the ability to run privileged workloads.
  • Cluster takeover: workloads can also be run on the master nodes, so essentially I have root access to the master nodes and can take complete control of the cluster without any issues.

The vulnerability lies in the way the GitOps operator handles ArgoCD custom resources (CRs), effectively turning a standard administrative feature into a privilege escalation vector.

The attack vector works by manipulating the sourceNamespaces field within an ArgoCD CR. A namespace administrator, normally limited to managing their own isolated portion of the cluster, can list a target namespace in this field, including a privileged one such as default.

Administrators are strongly advised to verify OpenShift GitOps operator versions and apply the latest security patches immediately. Restricting the ability to create custom ArgoCD resources to trusted cluster administrators can also serve as a temporary mitigation.
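Because the risk hinges on an ArgoCD CR whose sourceNamespaces reaches outside the namespace the CR lives in, a defender's first step is to find such CRs (and any RoleBindings the operator has already created from them) before or while applying the patch. The audit script below is an added example, not code from Red Hat, Argo CD or the vulnerability report. It assumes the objects were exported with something like `kubectl get argocds -A -o json` and `kubectl get rolebindings -A -o json`; the sample data embedded in it is constructed, and the list of namespace patterns treated as privileged is an assumption to adjust to the cluster's own policy.

```python
"""Audit ArgoCD CRs for cross-namespace sourceNamespaces and RoleBindings that
grant a foreign ServiceAccount access to a privileged namespace.

Added example (not Red Hat's or Argo CD's code). Input objects are plain dicts
as produced by `kubectl get ... -o json`; everything below is constructed sample data.
"""
import fnmatch
import json
import sys

# Assumption: namespaces matching these patterns carry a privileged SCC or host
# control-plane components. Tune this to the cluster's own policy.
PRIVILEGED_NAMESPACE_PATTERNS = ("default", "kube-*", "openshift-*")


def is_privileged_namespace(name):
    """True if the namespace name matches one of the privileged patterns."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in PRIVILEGED_NAMESPACE_PATTERNS)


def audit_argocd_crs(items):
    """Flag every spec.sourceNamespaces entry that points outside the CR's own namespace.

    Returns a list of (cr_namespace, cr_name, target, severity) tuples.
    A target containing '*' is treated as a wildcard (assumption about how the
    operator expands it) and rated critical because its reach cannot be bounded.
    """
    findings = []
    for cr in items:
        meta = cr.get("metadata", {})
        own_ns, name = meta.get("namespace", ""), meta.get("name", "")
        for target in cr.get("spec", {}).get("sourceNamespaces") or []:
            if target == own_ns:
                continue  # managing its own namespace is the intended use
            if "*" in target or is_privileged_namespace(target):
                severity = "critical"
            else:
                severity = "high"
            findings.append((own_ns, name, target, severity))
    return findings


def audit_rolebindings(items):
    """Flag RoleBindings in privileged namespaces whose subjects are ServiceAccounts
    from another namespace: the shape of the binding the operator creates on behalf
    of an ArgoCD CR. Returns (binding_namespace, binding_name, subject) tuples."""
    findings = []
    for rb in items:
        meta = rb.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        if not is_privileged_namespace(ns):
            continue
        for subj in rb.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace", ns) != ns:
                findings.append((ns, name, f"{subj['namespace']}/{subj['name']}"))
    return findings


# Constructed sample data: one benign CR, two risky CRs, one risky RoleBinding.
SAMPLE_ARGOCDS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "argocd"},
     "spec": {"sourceNamespaces": ["team-a"]}},
    {"metadata": {"namespace": "team-b", "name": "argocd"},
     "spec": {"sourceNamespaces": ["team-b", "default", "apps-*"]}},
    {"metadata": {"namespace": "team-c", "name": "argocd"},
     "spec": {"sourceNamespaces": ["team-d"]}},
    {"metadata": {"namespace": "team-e", "name": "argocd"}, "spec": {}},
]}
SAMPLE_ROLEBINDINGS = {"items": [
    {"metadata": {"namespace": "default", "name": "argocd-team-b"},  # constructed name
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-application-controller",
                   "namespace": "team-b"}]},
    {"metadata": {"namespace": "team-a", "name": "local-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-server", "namespace": "team-a"}]},
]}


if __name__ == "__main__":
    # Usage: python audit.py argocds.json rolebindings.json ; with no args, runs on the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            argocds = json.load(f)
        with open(sys.argv[2]) as f:
            bindings = json.load(f)
    else:
        argocds, bindings = SAMPLE_ARGOCDS, SAMPLE_ROLEBINDINGS
    for ns, name, target, sev in audit_argocd_crs(argocds["items"]):
        print(f"[{sev.upper()}] ArgoCD {ns}/{name} lists sourceNamespace {target!r}")
    for ns, name, subject in audit_rolebindings(bindings["items"]):
        print(f"[CRITICAL] RoleBinding {ns}/{name} grants {subject} access to privileged namespace")
```

Run against the two JSON exports; any finding should be matched against a change ticket and, until the patched operator is in place, treated as a reason to remove the entry and tighten who may create ArgoCD CRs, as the advisory recommends.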


Massimiliano Brolli
Responsible for the RED Team of a large Telecommunications company and 4G/5G cyber security labs. He has held managerial positions ranging from ICT Risk Management to software engineering to teaching in university master's programs.
Areas of Expertise: Bug Hunting, Red Team, Cyber Intelligence & Threat Analysis, Disclosure, Cyber Warfare and Geopolitics, Ethical Hacking