Users of the MITRE Caldera cybersecurity platform are being warned to patch a critical vulnerability (CVE-2025-27364) that could allow unauthenticated attackers to achieve remote code execution. The vulnerability, affecting all versions of MITRE Caldera up to 4.2.0 and 5.0.0, was identified and reported by Dawid Kulikowski, a contributor to the project who also helped develop the patch for it.
The vulnerability lies in the dynamic compilation functionality of the Caldera Manx and Sandcat agents (implants). It allows remote attackers to execute arbitrary code on the server hosting Caldera by sending a malicious HTTPS request to the Caldera server API responsible for compiling and serving the requested agents.
Certain conditions must be met for the vulnerability to be exploited: the system hosting the Caldera server must have Go, Python, and the GNU Compiler Collection (GCC) installed. However, these dependencies are typically required for Caldera to function properly, and because GCC is a dependency of Go on many distributions, the likelihood that a given installation is exploitable is high.
The MITRE Caldera team has addressed the issue by releasing a fix in version 5.1.0. Kulikowski has also said he will release a Metasploit module for the vulnerability in the coming weeks. As a precaution, users are advised to update their instances to the latest version promptly, or to restrict access to them from the internet.
Although the proof-of-concept (PoC) code was modified to prevent misuse by inexperienced individuals, more experienced exploit developers could adapt it by studying Caldera's source code. This underlines the importance of prompt mitigation to prevent exploitation of CVE-2025-27364.
In conclusion, security professionals running MITRE Caldera should prioritize applying the patch to mitigate this remote code execution vulnerability. Stay informed and vigilant to protect your systems and data from potential threats.
