CVE-2025-2843: Incorrect Privilege Assignment in rhobs observability-operator
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
AI Analysis
Technical Summary
CVE-2025-2843 is a high-severity (CVSS 8.8) privilege escalation vulnerability identified in the rhobs observability-operator, a Kubernetes operator designed to facilitate observability through custom resources. The root cause is an incorrect privilege assignment: when a namespace-scoped Custom Resource named MonitorStack is deployed, the operator creates a ServiceAccount bound to a ClusterRole, granting it cluster-wide permissions. This is a misconfiguration because the MonitorStack resource is intended to be namespace-scoped, yet the ServiceAccount created for it carries cluster-level privileges. An adversarial Kubernetes account with only namespace-level roles, such as a tenant restricted to a specific namespace, can exploit this by creating a MonitorStack resource in its authorized namespace. Upon creation, the operator generates the privileged ServiceAccount, which the attacker can then impersonate. This impersonation allows the attacker to escalate from namespace-level to cluster-level privileges, bypassing Kubernetes Role-Based Access Control (RBAC) restrictions. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized access to cluster-wide resources, potentially allowing attackers to read sensitive data, modify cluster configurations, or disrupt cluster operations. The CVSS v3.1 score is 8.8 (high), reflecting the network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to Kubernetes clusters using the rhobs observability-operator, especially in multi-tenant environments. The affected versions are listed as '0', indicating initial or early versions of the operator. The vulnerability was published on November 12, 2025, with Red Hat as the assigner. No official patches or mitigations are linked yet, emphasizing the need for immediate attention from administrators.
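The misconfiguration described above has a concrete RBAC fingerprint: a ClusterRoleBinding whose subject is a ServiceAccount living in a tenant namespace. The following script, added here as an example and not part of the operator or of this advisory, walks the output of `kubectl get clusterrolebindings -o json` and reports every such grant. The platform namespace list, the binding and role names, and the sample data are all constructed for the example.

```python
"""Find ClusterRoleBindings that hand cluster-wide roles to ServiceAccounts in tenant namespaces."""
import json
from dataclasses import dataclass

# Namespaces whose ServiceAccounts are expected to hold cluster-wide roles.
# Constructed list; replace it with the cluster's real platform namespaces.
PLATFORM_NAMESPACES = {"kube-system", "openshift-operators", "observability-operator"}


@dataclass(frozen=True)
class Finding:
    binding: str
    cluster_role: str
    namespace: str
    service_account: str


def find_tenant_sa_cluster_grants(cluster_role_bindings, platform_namespaces=PLATFORM_NAMESPACES):
    """Return one Finding per ServiceAccount subject outside the platform namespaces
    that a ClusterRoleBinding ties to a ClusterRole.

    Only ClusterRoleBindings matter here: a RoleBinding that references a ClusterRole
    still confines the grant to the RoleBinding's own namespace.
    """
    findings = []
    for crb in cluster_role_bindings:
        role_ref = crb.get("roleRef") or {}
        if role_ref.get("kind") != "ClusterRole":
            continue
        for subject in crb.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            ns = subject.get("namespace", "")
            if ns in platform_namespaces:
                continue
            findings.append(Finding(crb["metadata"]["name"], role_ref.get("name", ""),
                                    ns, subject.get("name", "")))
    return findings


def find_from_kubectl_json(text, platform_namespaces=PLATFORM_NAMESPACES):
    """Accepts the output of `kubectl get clusterrolebindings -o json` (a List with .items)."""
    return find_tenant_sa_cluster_grants(json.loads(text).get("items", []), platform_namespaces)


# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`; not from a real cluster.
SAMPLE_CRB_LIST = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:coredns"},
     "roleRef": {"kind": "ClusterRole", "name": "system:coredns",
                 "apiGroup": "rbac.authorization.k8s.io"},
     "subjects": [{"kind": "ServiceAccount", "name": "coredns", "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "tenant-a-stack-cluster-access"},
     "roleRef": {"kind": "ClusterRole", "name": "example-monitoring-reader",
                 "apiGroup": "rbac.authorization.k8s.io"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitorstack-sa", "namespace": "tenant-a"},
                  {"kind": "Group", "name": "platform-admins",
                   "apiGroup": "rbac.authorization.k8s.io"}]},
]})

if __name__ == "__main__":
    for f in find_from_kubectl_json(SAMPLE_CRB_LIST):
        print(f"{f.binding}: ServiceAccount {f.namespace}/{f.service_account} "
              f"-> ClusterRole {f.cluster_role}")
```

Run it against the live cluster with `kubectl get clusterrolebindings -o json | python3 audit_crb.py` after swapping the sample for `sys.stdin.read()`. Every hit is a ServiceAccount that a tenant namespace can reach but whose permissions extend beyond that namespace; bindings created by an operator on behalf of a namespace-scoped resource are exactly the cases to review.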
Potential Impact
The impact of CVE-2025-2843 is substantial for organizations running Kubernetes clusters with the rhobs observability-operator. By exploiting this vulnerability, an attacker with limited namespace-level permissions can escalate to cluster-level privileges, effectively gaining control over the entire Kubernetes cluster. This can lead to unauthorized access to sensitive data, modification or deletion of critical resources, deployment of malicious workloads, and disruption of cluster services. In multi-tenant Kubernetes environments, this flaw undermines tenant isolation, allowing a compromised tenant to affect other tenants or the cluster infrastructure. The breach of confidentiality, integrity, and availability can result in data leaks, service outages, and potential lateral movement within the infrastructure. Given the widespread adoption of Kubernetes in cloud-native deployments, this vulnerability could affect cloud service providers, enterprises, and managed Kubernetes platforms, increasing the risk of large-scale compromise and operational impact.
Mitigation Recommendations
To mitigate CVE-2025-2843, organizations should take the following specific actions:
1) Immediately audit and restrict the creation of MonitorStack custom resources to trusted users or service accounts only, minimizing the attack surface.
2) Implement strict RBAC policies that prevent namespace-level users from creating or modifying resources that result in cluster-level privilege assignments.
3) Disable or remove the rhobs observability-operator if it is not essential or if no patched version is available.
4) Monitor Kubernetes audit logs for suspicious creation of MonitorStack resources or ServiceAccount impersonation attempts.
5) Use Kubernetes Pod Security Policies or OPA Gatekeeper policies to enforce least privilege and prevent ServiceAccount impersonation.
6) Stay updated with vendor advisories and apply patches or updated operator versions as soon as they are released.
7) Consider network segmentation and zero-trust principles within the cluster to limit the impact of any potential compromise.
8) Employ runtime security tools that detect anomalous privilege escalations or unusual API server requests related to ServiceAccount tokens.
These targeted mitigations go beyond generic advice by focusing on controlling the specific resource and privilege escalation vector involved.
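Recommendations 4 and 8 translate directly into audit-log rules. The script below, an added example rather than tooling from the advisory or the operator project, reads API-server audit events in the JSON-lines format of the audit log backend and raises an alert for three things: a MonitorStack created by a principal outside a trusted set, any request that impersonates a ServiceAccount (the `impersonatedUser` field of an audit event), and a TokenRequest (`create` on the `serviceaccounts/token` subresource) by a non-trusted principal. The CRD's plural resource name and API group are placeholders here; take the real ones from `kubectl api-resources`. The trusted-principal set and all sample events are constructed for the example.

```python
"""Scan Kubernetes API-server audit events for MonitorStack creation, ServiceAccount
impersonation and ServiceAccount token minting."""
import json
from dataclasses import dataclass

# Assumed names for the MonitorStack CRD (constructed placeholders): substitute the
# plural resource name and API group reported by `kubectl api-resources`.
MONITORSTACK_RESOURCE = "monitorstacks"
MONITORSTACK_GROUP = "monitoring.example.invalid"

# Principals expected to touch MonitorStack objects or mint ServiceAccount tokens
# during normal operation. Constructed; adjust to the deployment.
TRUSTED_USERS = {
    "system:serviceaccount:observability-operator:observability-operator",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    audit_id: str
    user: str
    detail: str


def detect(events):
    alerts = []
    for ev in events:
        # Each request is logged at several stages; ResponseComplete carries the outcome.
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "<unknown>")
        impersonated = (ev.get("impersonatedUser") or {}).get("username")

        # Rule A: a request made while impersonating a ServiceAccount.
        if impersonated and impersonated.startswith("system:serviceaccount:"):
            alerts.append(Alert("sa-impersonation", ev["auditID"], user,
                                f"{user} acted as {impersonated} "
                                f"({ev.get('verb')} {ref.get('resource')})"))

        # Rule B: MonitorStack created by a principal that is not on the trusted list.
        if (ev.get("verb") == "create" and ref.get("resource") == MONITORSTACK_RESOURCE
                and ref.get("apiGroup") == MONITORSTACK_GROUP and user not in TRUSTED_USERS):
            alerts.append(Alert("monitorstack-create", ev["auditID"], user,
                                f"MonitorStack {ref.get('namespace')}/{ref.get('name')} created"))

        # Rule C: TokenRequest for a ServiceAccount by a principal that is not trusted.
        if (ev.get("verb") == "create" and ref.get("resource") == "serviceaccounts"
                and ref.get("subresource") == "token" and user not in TRUSTED_USERS):
            alerts.append(Alert("sa-token-request", ev["auditID"], user,
                                f"token minted for {ref.get('namespace')}/{ref.get('name')}"))
    return alerts


def detect_from_jsonl(text):
    """The JSON audit backend writes one audit.k8s.io/v1 Event per line."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


# Constructed sample events in the audit.k8s.io/v1 shape; not real cluster output.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "tenant-a-dev"},
     "objectRef": {"resource": MONITORSTACK_RESOURCE, "apiGroup": MONITORSTACK_GROUP,
                   "namespace": "tenant-a", "name": "stack"}, "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "tenant-a-dev"},
     "impersonatedUser": {"username": "system:serviceaccount:tenant-a:monitorstack-sa"},
     "objectRef": {"resource": "namespaces"}, "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "tenant-a-dev"},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "tenant-a", "name": "monitorstack-sa"}, "responseStatus": {"code": 201}},
    # Benign: the operator reading its own object, and the RequestReceived stage of a1.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a4", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "system:serviceaccount:observability-operator:observability-operator"},
     "objectRef": {"resource": MONITORSTACK_RESOURCE, "apiGroup": MONITORSTACK_GROUP,
                   "namespace": "tenant-a", "name": "stack"}, "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "RequestReceived",
     "verb": "create", "user": {"username": "tenant-a-dev"},
     "objectRef": {"resource": MONITORSTACK_RESOURCE, "apiGroup": MONITORSTACK_GROUP,
                   "namespace": "tenant-a", "name": "stack"}},
])

if __name__ == "__main__":
    for a in detect_from_jsonl(SAMPLE_LOG):
        print(f"[{a.rule}] auditID={a.audit_id} user={a.user}: {a.detail}")
```

Two caveats on coverage. Rule A only sees impersonation done through the API server's impersonation headers; a workload that simply runs under a ServiceAccount's projected token shows up in the log as that ServiceAccount itself, so rule A should be paired with the RBAC review of which ServiceAccounts in tenant namespaces hold cluster-wide roles. And recommendation 5's PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the equivalent enforcement point is Pod Security Admission or an admission policy engine such as OPA Gatekeeper.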
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-03-27T03:15:47.915Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914c133f490e7dc3cc5b766
Added to database: 11/12/2025, 5:17:39 PM
Last enriched: 2/27/2026, 1:07:37 PM
Last updated: 3/24/2026, 8:09:28 AM