marketibiza

CVE-2025-27364 in MITRE Caldera: Critical RCE Vulnerability

by admin, March 6, 2025, in Cyber insurance


CVE-2025-27364, a critical Remote Code Execution (RCE) flaw, has been found in MITRE Caldera, an open-source adversary emulation platform used by security professionals. This flaw may enable attackers to execute arbitrary code on the server running Caldera, resulting in the compromise of sensitive systems.


MITRE Caldera is a powerful open-source platform designed for simulating cyberattacks in a controlled environment. Its core functionality revolves around emulating advanced persistent threats (APTs) by deploying agents, or implants, to carry out operations such as reconnaissance, exploitation, and post-exploitation activities.

These agents, including Sandcat and Manx, are used to simulate adversarial tactics by executing commands remotely. The Caldera platform provides a command-and-control (C2) server API that handles requests to compile and deploy these agents to target systems.

What Is CVE-2025-27364?

CVE-2025-27364 is a vulnerability in MITRE Caldera’s dynamic agent compilation functionality, present in versions 4.2.0 and earlier (up to commit 35bc06e) of the platform. This flaw specifically affects the process by which Caldera compiles and downloads its Sandcat or Manx agents.

In the absence of proper input sanitization, attackers can manipulate this process to execute arbitrary code on the server via specially crafted web requests directed at the Caldera server API. This type of attack is classified as a Remote Code Execution (RCE) vulnerability.

The Technical Breakdown of CVE-2025-27364

The vulnerability stems from the Caldera server’s use of dynamic compilation for its Sandcat and Manx agents. These agents are small reverse shells designed to communicate with the Caldera server, carrying out tasks as assigned during a simulated cyberattack operation. The compilation endpoint, which is a critical part of the Caldera platform, is particularly vulnerable because it lacks proper authentication mechanisms. This absence of authentication allows unauthorized actors to exploit the system without needing any valid credentials.






The core of the issue lies in the Caldera server’s handling of certain linker flags, specifically the -extldflags option, used when compiling agents. These linker flags are passed to the gcc (GNU Compiler Collection) tool, which processes them during the agent compilation process. By manipulating these flags, attackers can inject malicious commands into the compilation process, potentially leading to the execution of arbitrary code on the server.

How the Vulnerability Works

To better understand how this vulnerability works, it’s essential to trace the execution flow within Caldera’s codebase. According to the MITRE Caldera Medium post by Dawid Kulikowski, when an attacker submits a crafted request to the Caldera server API, the server processes this request to compile the specified agent. One of the steps in this process involves passing user-controlled data (the agent parameters) to a function responsible for compiling the agent on the fly.

Specifically, the vulnerability is triggered by the interaction with the gcc tool during compilation. By using the -extldflags linker flag, an attacker can control certain aspects of execution, such as specifying which external linker to use and the flags that are appended to the invocation. These actions can be exploited to execute arbitrary binaries, like Python or Bash scripts, under the control of the attacker.

While a simple command injection might not be immediately possible because of the way subprocess calls are structured in Caldera, attackers can still exploit the vulnerability by controlling the parameters passed to the linker. This makes it possible for an attacker to execute arbitrary binaries with the permissions of the Caldera server process, which could be disastrous if the server is running with elevated privileges.
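The following added example (not Caldera's code and not the project's patch) shows why an argv-style subprocess call alone does not stop this class of bug, and how an allowlist closes it. The variable names `main.server`, `main.group` and `main.key`, the helper names and the sample values are assumptions made for illustration.

```python
import re

# Hypothetical allowlist: linker variables a client may set, and the
# characters permitted in their values (no whitespace, quotes or '=').
ALLOWED_VARS = {"main.server", "main.group", "main.key"}
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/-]{1,128}")


class RejectedBuildParam(ValueError):
    """Raised when a client-supplied build parameter fails validation."""


def build_ldflags(params):
    """Return the -ldflags string, built only from validated name/value pairs.

    The Go toolchain splits the -ldflags value into separate linker options
    on whitespace, so one unvalidated value containing a space can add
    options such as -extldflags even when no shell is involved.
    """
    parts = ["-s", "-w"]  # fixed flags chosen by the server, never the client
    for name, value in sorted(params.items()):
        if name not in ALLOWED_VARS:
            raise RejectedBuildParam(f"variable not allowed: {name!r}")
        if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            raise RejectedBuildParam(f"unsafe value for {name}: {value!r}")
        parts.append(f"-X {name}={value}")
    return " ".join(parts)


def go_build_argv(source_dir, output, params):
    """argv list for subprocess.run(); the flag set is fixed by the server."""
    return ["go", "build", "-ldflags", build_ldflags(params), "-o", output, source_dir]


def is_rejected(params):
    """True when validation refuses the parameters."""
    try:
        build_ldflags(params)
    except RejectedBuildParam:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real traffic.
    print(go_build_argv("./agent", "agent.bin", {"main.server": "http://caldera.example:8888"}))
    print(is_rejected({"main.server": "http://x -extldflags=y"}))
```
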

Severity and Risk Assessment

The vulnerability has been assigned a critical severity rating by the MITRE Caldera team, with a CVSS (Common Vulnerability Scoring System) score of 10.0, indicating a high level of risk. The severity of this vulnerability is exacerbated by its widespread availability: any default configuration of Caldera with the required dependencies (Go, Python, and GCC) is vulnerable to exploitation. Since GCC is a common dependency on many systems, including those running Caldera, the vulnerability is highly likely to be exploitable.

The MITRE Caldera team has urged all users to patch their systems immediately by upgrading to version 5.1.0 or later, as these versions contain fixes for the vulnerability. As always, the MITRE Caldera team has emphasized the importance of securing such tools and recommends that users do not expose Caldera instances to the internet unless absolutely necessary.

Impact and Exploitation

If left unpatched, CVE-2025-27364 could have serious consequences. An attacker who successfully exploits this vulnerability could gain full control over the Caldera server, potentially compromising sensitive data or using the server as a launchpad for further attacks on the network. The attacker could execute arbitrary code, install backdoors, or deploy additional agents that could be used for more advanced exploitation.

The vulnerability’s remote nature also means that attackers don’t need direct access to the internal network, making it easier for them to exploit vulnerable instances exposed to the internet. This increases the attack surface and makes timely patching even more important.

Conclusion

In response to CVE-2025-27364, the MITRE Caldera team acted quickly to patch the vulnerability, incorporating changes to sanitize user-controlled data and prevent malicious exploitation via linker flags. They also acknowledged the contribution of Dawid Kulikowski, who reported the issue and supported the patching process.

Users are urged to upgrade to version 5.1.0 or later and to avoid exposing Caldera instances to the internet unless necessary. This incident highlights the risks associated with open-source security tools like MITRE Caldera, underscoring the importance of input validation and security best practices to protect against cyber threats.

Copyright © 2023 Market Biz All Rights Reserved.
