CVE-2025-6193 is an OS command injection vulnerability identified in the TrustyAI Explainability toolkit, a component integrated within Red Hat OpenShift AI (RHOAI). The vulnerability arises from improper neutralization of special elements in certain fields of the LMEValJob custom resource (CR). Specifically, when a user with permissions to deploy or modify LMEValJob CRs submits a maliciously crafted resource, arbitrary OS commands can be executed within the LMEValJob pod's terminal environment. This occurs because the input fields are not properly sanitized or escaped before being passed to the underlying operating system shell, allowing injection of unintended commands. The vulnerability requires the attacker to have elevated privileges (PR:H) to deploy CRs and some user interaction (UI:R) to trigger the execution. The CVSS v3.1 base score is 5.9, reflecting a medium severity level with network attack vector (AV:N), low attack complexity (AC:L), and a scope change (S:C) indicating that the impact extends beyond the vulnerable component. The vulnerability affects version 0 of the product, which likely corresponds to initial or early releases of RHOAI. No patches or exploits are currently publicly available, but the risk remains significant due to the potential for arbitrary command execution within containerized environments. This can lead to unauthorized data access, modification, or denial of service within AI workloads running on OpenShift clusters.

For European organizations, this vulnerability poses a risk to the confidentiality, integrity, and availability of AI workloads deployed on Red Hat OpenShift AI platforms. Exploitation could allow malicious insiders or compromised accounts with deployment permissions to execute arbitrary commands, potentially leading to data exfiltration, manipulation of AI explainability results, or disruption of AI services. Given the increasing adoption of AI and container orchestration platforms in Europe, particularly in sectors like finance, healthcare, and manufacturing, the impact could be significant. Additionally, the scope change in the CVSS score indicates that the attack could affect other components beyond the vulnerable pod, potentially compromising the broader OpenShift environment. Organizations relying on TrustyAI for explainability in AI models must be vigilant, as manipulation of explainability outputs could undermine trust and compliance with AI regulations such as the EU AI Act. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are widely known.

1. Restrict permissions to deploy or modify LMEValJob custom resources to only trusted and essential users or service accounts. Implement the principle of least privilege rigorously within OpenShift RBAC policies. 2. Monitor and audit creation and modification of LMEValJob CRs to detect anomalous or unauthorized activity. 3. Apply input validation and sanitization controls where possible, including custom admission controllers or validating webhooks that reject suspicious LMEValJob resource definitions. 4. Stay updated with Red Hat advisories and apply patches or updates to RHOAI and TrustyAI components as soon as they become available. 5. Employ runtime security tools that can detect and block suspicious command execution within pods, such as container security platforms with behavioral analysis. 6. Segment AI workloads and limit network access to reduce lateral movement if exploitation occurs. 7. Educate developers and operators about the risks of deploying untrusted custom resources and enforce secure development lifecycle practices for AI workloads.