Saved February 14, 2026
The article details a serious vulnerability in AWS ROSA Classic Clusters that allowed unauthenticated attackers to take control of clusters and access underlying AWS accounts. The exploit involved manipulating cluster transfer requests without proper authorization checks, enabling mass compromises. The author outlines the discovery, mechanics, and potential impacts of the attack.
A serious vulnerability was discovered in Red Hat OpenShift Service on AWS (ROSA) Classic clusters. An unauthenticated attacker could take full ownership of any cluster, gaining cluster-admin privileges and access to the victim's AWS account. The flaw was traced to an API endpoint for cluster transfers, which correctly verified the recipient's ability to accept a transfer but never checked whether the requester actually owned the cluster. This oversight allowed an attacker to initiate a transfer simply by knowing the cluster UUID and the owner's username.
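A constructed illustration of the authorization gap described above, added here as an example (not code from the ROSA API or from the article): a minimal in-memory transfer endpoint whose vulnerable variant vets only the recipient, beside a fixed variant that verifies the requester owns the cluster before doing anything else. The service, cluster model and account names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Cluster:
    owner: str
    pending_transfer_to: Optional[str] = None


@dataclass
class TransferService:
    clusters: Dict[str, Cluster]   # keyed by cluster UUID
    eligible_recipients: Set[str]  # stand-in for "recipient may accept transfers"

    def request_transfer_vulnerable(self, requester, cluster_uuid, recipient):
        # Mirrors the flaw: the recipient is vetted, but the requester's
        # ownership of the cluster is never checked.
        cluster = self.clusters[cluster_uuid]
        if recipient not in self.eligible_recipients:
            raise PermissionError("recipient cannot accept transfers")
        cluster.pending_transfer_to = recipient
        return cluster

    def request_transfer_fixed(self, requester, cluster_uuid, recipient):
        cluster = self.clusters.get(cluster_uuid)
        # Authorize the requester first; answer "missing" and "not owner" the
        # same way so the endpoint does not confirm which UUIDs exist.
        if cluster is None or cluster.owner != requester:
            raise PermissionError("cluster not found or not owned by requester")
        if recipient not in self.eligible_recipients:
            raise PermissionError("recipient cannot accept transfers")
        cluster.pending_transfer_to = recipient
        return cluster


def demo():
    # Constructed state: "attacker" is an ordinary account that may receive
    # transfers but owns no cluster; "c-1" belongs to "victim".
    svc = TransferService({"c-1": Cluster("victim")}, {"attacker", "victim"})
    svc.request_transfer_vulnerable("attacker", "c-1", "attacker")
    queued_to = svc.clusters["c-1"].pending_transfer_to
    svc.clusters["c-1"].pending_transfer_to = None
    try:
        svc.request_transfer_fixed("attacker", "c-1", "attacker")
        blocked = False
    except PermissionError:
        blocked = True
    return {"vulnerable_queued_to": queued_to, "fixed_blocked": blocked}
```

The fixed variant also keeps the ownership check ahead of any lookup that could leak whether a guessed UUID exists, which is the kind of information the article says an unauthenticated caller could otherwise harvest.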
Research into the ROSA API revealed that unauthenticated requests could expose both the cluster UUID and the owner's email address. With predictable ROSA console domains and SSL certificates, attackers could easily discover targets. The attacker streamlined the exploitation process by guessing usernames associated with email addresses. Once the attacker had the necessary information, they used a script to initiate a transfer request, which, upon acceptance, resulted in the attacker gaining control of the cluster.
Once in control, the attacker leveraged the cluster's permissions to access the underlying AWS infrastructure. They created a Service Account token to assume the IAM role associated with the OpenShift Machine API, allowing significant actions like creating EC2 instances and accessing IAM credentials. The impact of this vulnerability was severe, enabling unauthorized disruptions, data theft, and financial exploitation. Although the attack could be detected if the victim noticed the transfer email, the window for intervention was limited, typically 24 hours. The vulnerability was reported to Red Hat in November 2025, and the company responded promptly with a patch.