CVE-2025-27364 Overview
A critical Remote Code Execution (RCE) vulnerability has been identified in MITRE Caldera, an open-source adversary emulation platform widely used by security teams for red team exercises and adversary simulation. The vulnerability exists in the dynamic agent (implant) compilation functionality of the Caldera server, allowing unauthenticated remote attackers to execute arbitrary code on the server by exploiting the agent build process through malicious web requests.
The flaw specifically targets the API endpoints responsible for compiling and downloading Caldera's Sandcat or Manx agents. Attackers can abuse the gcc -extldflags linker flag to inject sub-commands, enabling arbitrary command execution on the underlying server. This represents a severe supply-chain risk for organizations using Caldera in their security testing infrastructure.
Critical Impact
Unauthenticated attackers can achieve full remote code execution on Caldera servers, potentially compromising red team infrastructure and gaining access to sensitive security testing environments.
Affected Products
- MITRE Caldera versions through 4.2.0
- MITRE Caldera version 5.0.0 (before commit 35bc06e)
- All installations with agent compilation functionality enabled
Discovery Timeline
- 2025-02-24 - CVE-2025-27364 published to NVD
- 2025-02-24 - Last updated in NVD database
Technical Details for CVE-2025-27364
Vulnerability Analysis
This vulnerability is classified as CWE-78 (OS Command Injection), where user-controllable input is passed unsafely to an operating system command. The Caldera server exposes API endpoints that allow users to request dynamically compiled agent binaries (Sandcat for Go-based agents and Manx for reverse shell agents). The compilation process uses the GNU Compiler Collection (gcc) to build these agents with user-specified parameters.
The critical flaw lies in the insufficient sanitization of user-supplied parameters before they are passed to the gcc compiler. Specifically, the -extldflags option (extended linker flags) accepts arguments that can include shell command substitution syntax. When a malicious payload is crafted within this parameter, the shell interprets embedded commands during the compilation process, leading to arbitrary code execution with the privileges of the Caldera server process.
Organizations using Caldera as part of their security testing infrastructure face significant risk, as compromising the Caldera server could provide attackers with access to adversary emulation playbooks, network reconnaissance data, and potentially pivot points into production environments.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization of user-supplied parameters passed to the agent compilation functionality. The server fails to properly validate or escape special characters in linker flag arguments before incorporating them into gcc command strings executed via shell invocation. This allows command injection through shell metacharacters and command substitution syntax embedded in the -extldflags parameter.
Attack Vector
The attack is network-based and can be executed without authentication. An attacker sends a specially crafted HTTP request to the Caldera server's agent compilation API endpoint. The request includes malicious linker flags containing embedded shell commands using command substitution syntax (e.g., $(malicious_command) or backtick notation).
When the server processes this request and invokes gcc with the attacker-controlled flags, the embedded commands are executed by the shell. This allows the attacker to:
- Execute arbitrary system commands on the Caldera server
- Establish reverse shells for persistent access
- Exfiltrate sensitive data from the security testing environment
- Modify or poison agent binaries for supply-chain attacks
- Pivot to other systems accessible from the Caldera server
The vulnerability can be exploited through crafted web requests to the /api/v2/agents/ or similar compilation endpoints, injecting commands through the gcc -extldflags linker option with sub-commands.
Detection Methods for CVE-2025-27364
Indicators of Compromise
- Unusual HTTP requests to Caldera agent compilation API endpoints containing -extldflags or unusual linker parameters
- Unexpected child processes spawned by the Caldera server process or gcc compiler processes
- Network connections initiated by the Caldera server to unexpected external destinations
- Suspicious gcc command invocations containing shell metacharacters or command substitution syntax in server logs
Detection Strategies
- Monitor Caldera server logs for API requests to agent compilation endpoints with suspicious parameters containing shell metacharacters ($(), backticks, semicolons, pipes)
- Implement process monitoring to detect unexpected child processes spawned by the Caldera service or gcc processes
- Deploy network monitoring rules to alert on outbound connections from Caldera servers to unusual destinations
- Use file integrity monitoring on Caldera installation directories to detect unauthorized modifications
Monitoring Recommendations
- Enable verbose logging on Caldera server API endpoints and review compilation request parameters regularly
- Configure SIEM rules to correlate Caldera API access with process creation events on the host
- Implement egress filtering and monitoring for Caldera server hosts to detect potential reverse shell connections
- Establish baseline behavior for Caldera server processes and alert on deviations
How to Mitigate CVE-2025-27364
Immediate Actions Required
- Update MITRE Caldera to version 5.0.0 with commit 35bc06e or later immediately
- If immediate patching is not possible, restrict network access to Caldera servers to trusted IP addresses only
- Review Caldera server logs for evidence of exploitation attempts targeting agent compilation endpoints
- Implement web application firewall rules to block requests containing suspicious linker flag patterns
Patch Information
MITRE has addressed this vulnerability in commit 35bc06e42e19fe7efbc008999b9f993b1b7109c0. Organizations should update to the patched version immediately. The fix implements proper input validation and sanitization of user-supplied parameters before they are passed to the compilation process.
For detailed patch information, refer to:
Workarounds
- Disable dynamic agent compilation functionality if not required for operations
- Place Caldera servers behind a reverse proxy with strict input validation rules blocking shell metacharacters in API parameters
- Restrict access to agent compilation endpoints to authenticated and authorized users only via network segmentation
- Run Caldera in a containerized environment with restricted capabilities and network egress controls
# Example: Restrict network access to Caldera server using iptables
# Allow only trusted management IP ranges
iptables -A INPUT -p tcp --dport 8888 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP
# Alternative: Disable agent compilation by restricting plugin access
# Review and modify caldera/conf/local.yml to limit exposed functionality
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
