CVE-2025-27364 is a critical Remote Code Execution (RCE) vulnerability recently disclosed in MITRE Caldera, a widely used adversary emulation platform. Security teams use Caldera to build and deploy agents (implants) that run attacker techniques against their own systems, in a controlled environment, to test detection and resilience.
The vulnerability affects MITRE Caldera versions 4.2.0 and 5.0.0 before commit 35bc06e. This post walks through the specifics of CVE-2025-27364, discusses its implications, and links to the original references.
Exploit Details
The vulnerability lies in the dynamic agent (implant) compilation functionality of the Caldera server. The server compiles the Sandcat (Go) and Manx agents on demand, and a remote attacker can execute arbitrary code on the server host by sending a specially crafted web request to the API endpoint used to compile and download those agents.
The injection point is the linker flag handling. Request parameters end up in the arguments of the Go build, and a value that begins with -extldflags is interpreted as a flag for the Go linker rather than as data; whatever follows it is forwarded to the external linker (gcc) as sub-commands. The following snippet illustrates the attack:
$ curl -X POST "https://[CALDERA_SERVER]/plugin/sandcat/download" -d "platform=linux&server=[CALDERA_SERVER_FOR_AGENT]&extension=list_files&selected[]=-extldflags='-plugin,./evilModule.so'"
In this example, the attacker uses curl to send a POST request to the Caldera server's Sandcat download endpoint, which looks like an ordinary request for a Linux agent. The selected[] parameter, however, carries -extldflags with a sub-command that instructs the toolchain to load an arbitrary (attacker-controlled) shared object, evilModule.so. Note that the path is relative to the server's build working directory, so the shared object has to be present on the server's filesystem at that location; how it gets there is outside the scope of this snippet.
On successful exploitation, the shared object is loaded during the build and its code runs on the Caldera server with the privileges of the Caldera server process. No agent needs to be deployed anywhere; the compilation step itself is the execution primitive.
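The following Python example is added here to show the mechanism in a runnable form; it is not Caldera's code. It models a simplified compile endpoint that turns request fields into a go build command, once the naive way (request values concatenated into -ldflags, where a value starting with -extldflags becomes a linker flag) and once with an allowlist that closes the path. The names KNOWN_EXTENSIONS, build_cmd_vulnerable, build_cmd_hardened and the sample request body are assumptions made for illustration; the real extension list, parameter handling and build command in Caldera differ.

```python
"""Model of the linker-flag injection behind CVE-2025-27364.

Added example, not Caldera's code. A deliberately simplified agent-compile
endpoint is shown twice: the naive version lets request data become Go
linker flags; the hardened version only admits allowlisted names.
"""
import re
import shlex
from urllib.parse import parse_qs

# Hypothetical allowlist of gocat extension names (assumption: Caldera's real
# list differs). Anything not in here never reaches the build command.
KNOWN_EXTENSIONS = {"list_files", "proxy_http", "shells", "shared"}
KNOWN_PLATFORMS = {"linux", "windows", "darwin"}


class RejectedRequest(ValueError):
    """Raised when a request field fails validation."""


def build_cmd_vulnerable(platform, server, selected):
    """Naive endpoint: request values are concatenated into -ldflags verbatim.

    `go build -ldflags` is split shell-style, so a 'selected' item such as
    -extldflags='-plugin,./evilModule.so' stops being a data value and becomes
    a flag for the Go linker, which forwards its argument to the external
    linker (gcc) as sub-commands.
    """
    ldflags = f"-s -w -X main.defaultServer={server}"
    for item in selected:
        ldflags += " " + item  # no check that item is an extension name
    return ["go", "build", "-ldflags", ldflags, "-o", f"sandcat-{platform}", "."]


def build_cmd_hardened(platform, server, selected):
    """Same endpoint with an allowlist: only known names reach the command
    line, and they are passed as build tags, never as part of -ldflags."""
    if platform not in KNOWN_PLATFORMS:
        raise RejectedRequest(f"unknown platform {platform!r}")
    # Restrict the callback URL to characters that cannot open a new flag.
    if not re.fullmatch(r"https?://[A-Za-z0-9.\-:\[\]]+", server):
        raise RejectedRequest(f"bad server value {server!r}")
    for item in selected:
        if item not in KNOWN_EXTENSIONS:
            raise RejectedRequest(f"unknown extension {item!r}")
    cmd = ["go", "build", "-ldflags", f"-s -w -X main.defaultServer={server}"]
    if selected:
        cmd += ["-tags", ",".join(sorted(set(selected)))]
    return cmd + ["-o", f"sandcat-{platform}", "."]


def rejects(platform, server, selected):
    """True if the hardened endpoint refuses this request."""
    try:
        build_cmd_hardened(platform, server, selected)
        return False
    except RejectedRequest:
        return True


def external_linker_flags(cmd):
    """Return the -extldflags token the Go linker would see in this command
    (after shell-style splitting of -ldflags), or None if there is none."""
    ldflags = cmd[cmd.index("-ldflags") + 1]
    for tok in shlex.split(ldflags):
        if tok.startswith("-extldflags"):
            return tok
    return None


def suspicious_form_body(body):
    """Detection helper for a captured POST body: flag every field value that
    starts with '-'. No legitimate platform, server or extension name does,
    but a flag-injection attempt always does."""
    fields = parse_qs(body, keep_blank_values=True)
    return [(k, v) for k, vals in fields.items() for v in vals if v.startswith("-")]


# Constructed request body mirroring the curl payload discussed above, with the
# placeholders replaced by sample values (203.0.113.0/24 is documentation space).
ATTACK_BODY = ("platform=linux&server=http://203.0.113.10:8888"
               "&extension=list_files&selected[]=-extldflags='-plugin,./evilModule.so'")

if __name__ == "__main__":
    f = parse_qs(ATTACK_BODY)
    cmd = build_cmd_vulnerable(f["platform"][0], f["server"][0], f["selected[]"])
    print("vulnerable command:", cmd)
    print("flags reaching the external linker:", external_linker_flags(cmd))
    print("suspicious fields:", suspicious_form_body(ATTACK_BODY))
    print("hardened endpoint rejects it:", rejects(f["platform"][0], f["server"][0], f["selected[]"]))
```

The important design point is that the fix is not escaping: quoting the value would still leave attacker-controlled text inside -ldflags. The hardened variant maps request data to a closed set of names it chose itself, and passes those names through a separate, typed argument (-tags) rather than through the free-form linker flag string. The suspicious_form_body helper is the corresponding hunting check for access logs or captured request bodies.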
Original References
- MITRE Caldera GitHub Repository
- MITRE CVE Page for CVE-2025-27364
- Commit 35bc06e - Security Fix for CVE-2025-27364
Mitigation
The MITRE Caldera developers addressed this vulnerability in commit 35bc06e. All users running Caldera 4.2.0 or 5.0.0 should update to a build that includes that commit immediately; if you run from a checkout, confirm the commit is in your history rather than relying on the version string alone. Until then, restrict network access to the Caldera server, since the exploit is a single HTTP request to the agent download endpoint. It is also worth reviewing access logs for requests to that endpoint whose parameters begin with "-", which is what this injection looks like on the wire. Regular updates and periodic security reviews of the Caldera deployment help catch similar issues going forward.
Conclusion
CVE-2025-27364 is a significant vulnerability present in MITRE Caldera, which emphasizes the importance of continuous security updates and monitoring. Since Caldera is a popular cybersecurity platform, it is crucial for its users to keep their systems up to date and regularly review the security of their installation. This should serve as a vital reminder to organizations that even the tools they use for securing their environments need to be carefully assessed and protected from vulnerabilities.
Timeline
Published on: 02/24/2025 19:15:14 UTC
Last modified on: 02/24/2025 20:15:34 UTC