A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-27364, has been disclosed in MITRE Caldera, an open-source adversary emulation platform widely used by security professionals. The flaw is severe because it could allow an attacker to execute arbitrary code on the server hosting Caldera, compromising that server and the systems and data it can reach.
MITRE Caldera serves as a robust platform for simulating cyberattacks within a controlled environment, particularly focusing on emulating advanced persistent threats (APTs) by deploying agents to carry out various cyber operations. These agents, such as Sandcat and Manx, are instrumental in emulating adversarial tactics by executing commands remotely. The platform utilizes a command-and-control (C2) server API to compile and deploy these agents to target systems.
CVE-2025-27364 affects the dynamic agent compilation feature in MITRE Caldera versions 4.2.0 and earlier, specifically the compile-and-download path for the Sandcat and Manx agents. An attacker exploits it by crafting web requests to the Caldera server API that cause the server to execute arbitrary code, which makes it a remote code execution (RCE) vulnerability.
The root cause is missing input sanitization in the Caldera server’s dynamic compilation process: values supplied in the request are passed into the linker flags, in particular the -extldflags option, that the build uses when it invokes gcc as the external linker. By injecting additional flags through this parameter, an attacker can cause arbitrary commands to run on the server.
Because the attacker controls parts of the gcc invocation, such as which external linker is used and which flags are appended, the build can be made to run binaries of the attacker's choosing, compromising the Caldera server process.
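As an added illustration (not Caldera's own code), the following Python contrasts the vulnerable pattern described above, splicing a request-supplied string straight into the -extldflags value handed to the external linker, with an allowlist-based hardening that forwards only exact, known flags. The function names, the X-Extldflags header and the allowed flag set are assumptions for this example.

```python
"""Allowlist validation for caller-controlled -extldflags values.
Names, header and allowed flags are assumptions, not MITRE Caldera's code."""
from typing import Dict, List, Tuple

# Flags the build service is prepared to hand to gcc via -extldflags.
# Exact-token matching means a path, a quote or an unexpected linker option
# never reaches the linker command line. (Assumed set, not Caldera's.)
ALLOWED_EXTLDFLAGS = frozenset({"-static", "-s", "-w"})


class UnsafeLinkerFlag(ValueError):
    """Raised when a caller-supplied linker flag is not on the allowlist."""


def validate_extldflags(raw: str) -> List[str]:
    """Split the supplied value on whitespace; every token must equal an
    allowlisted flag exactly, so nothing else is forwarded to the linker."""
    tokens = raw.split()
    rejected = [t for t in tokens if t not in ALLOWED_EXTLDFLAGS]
    if rejected:
        raise UnsafeLinkerFlag(f"linker flag(s) not on allowlist: {rejected}")
    return tokens


def build_argv_unsafe(src: str, out: str, raw: str) -> List[str]:
    """The vulnerable pattern: the caller's string is spliced verbatim into
    the -ldflags value that `go build` passes on to the external linker."""
    return ["go", "build", "-o", out, "-ldflags", f'-extldflags "{raw}"', src]


def build_argv_hardened(src: str, out: str, raw: str) -> List[str]:
    """Same command line, but only allowlisted tokens are spliced in."""
    flags = " ".join(validate_extldflags(raw))
    argv = ["go", "build", "-o", out]
    if flags:
        argv += ["-ldflags", f'-extldflags "{flags}"']
    return argv + [src]


def handle_build_request(headers: Dict[str, str]) -> Tuple[int, object]:
    """Request-handler sketch: a rejected flag yields HTTP 400 and no compile
    is attempted. 'X-Extldflags' is an assumed header name for this example."""
    raw = headers.get("X-Extldflags", "")
    try:
        argv = build_argv_hardened("./sandcat", "/tmp/sandcat.bin", raw)
    except UnsafeLinkerFlag as exc:
        return 400, str(exc)
    # Only now would the service hand argv to subprocess.run(argv, check=True).
    return 200, argv
```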
CVE-2025-27364 carries a critical rating with a CVSS score of 10.0. The vulnerable code path is reachable in Caldera’s default configuration, and GCC is a common dependency on hosts running Caldera, so the flaw is readily exploitable. The MITRE Caldera team advises users to upgrade immediately to version 5.1.0 or later to mitigate the risk.
If left unpatched, CVE-2025-27364 could give attackers full control of a Caldera server, leading to data breaches, backdoor installation and further exploitation from that foothold. Timely patching and adherence to security best practices remain the primary safeguards against vulnerabilities of this kind. The MITRE Caldera team’s swift fix underscores the value of proactive security measures in the face of evolving risks.