CVE-2025-27364
📋 TL;DR
This CVE describes a critical Remote Code Execution vulnerability in MITRE Caldera's agent compilation functionality. Attackers can execute arbitrary code on the Caldera server by sending crafted web requests to the API endpoint used for compiling Sandcat or Manx agents. All Caldera servers running vulnerable versions are affected.
💻 Affected Systems
- MITRE Caldera
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Caldera server, allowing attackers to execute arbitrary commands with server privileges, potentially leading to lateral movement, data exfiltration, or deployment of persistent backdoors.
Likely Case
Attackers gain remote code execution on the Caldera server, enabling them to steal credentials, manipulate red team operations, or pivot to other systems in the network.
If Mitigated
If proper network segmentation and access controls are implemented, impact may be limited to the Caldera server itself without lateral movement capabilities.
🎯 Exploit Status
The vulnerability allows exploitation via crafted web requests to a specific API endpoint without authentication requirements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 35bc06e and later versions
Vendor Advisory: https://github.com/mitre/caldera/security
Restart Required: Yes
Instructions:
1. Update Caldera to a version containing commit 35bc06e or later.
2. Pull the latest code from the official repository.
3. Restart the Caldera server service.
4. Verify the fix by checking the commit hash.
🔧 Temporary Workarounds
Disable agent compilation API endpoint
Temporarily disable the vulnerable API endpoint used for agent compilation
Modify Caldera configuration to disable /api/v2/agents/compile endpoint
Network access restrictions
Restrict network access to Caldera server API endpoints
Configure firewall rules to limit access to Caldera API endpoints to trusted IPs only
🧯 If You Can't Patch
- Isolate the Caldera server in a dedicated network segment with strict egress filtering
- Implement web application firewall rules to block requests containing suspicious gcc linker flags
🔍 How to Verify
Check if Vulnerable:
Check whether the Caldera checkout predates commit 35bc06e by examining the git commit hash or version number
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that the current commit is 35bc06e or a later commit that contains it, and test that the agent compilation endpoint properly validates input
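`git log --oneline -1` only shows the HEAD commit, so it cannot tell you whether 35bc06e is somewhere in HEAD's history. The following added script (not part of the advisory or of the Caldera project) performs that check the reliable way, by asking git whether the fix commit is an ancestor of HEAD. It assumes the full hash from the references below and that the script is run against a non-shallow clone; the `_Exit` class and the injectable `run` parameter exist only so the decision logic can be exercised without a repository.

```python
import subprocess
import sys

# Full hash of the fix commit, taken from the advisory's references.
FIX_COMMIT = "35bc06e42e19fe7efbc008999b9f993b1b7109c0"


class _Exit:
    """Minimal stand-in for subprocess.CompletedProcess, used when injecting a runner."""

    def __init__(self, returncode):
        self.returncode = returncode


def fix_status(repo_path, fix_commit=FIX_COMMIT, run=subprocess.run):
    """Report whether the fix commit is an ancestor of the checkout's HEAD.

    `git merge-base --is-ancestor` exits 0 when fix_commit is reachable from
    HEAD (the fix is present), 1 when it is not (the checkout is still
    vulnerable), and with another code (typically 128) when git does not know
    the object at all, e.g. in a shallow clone. `run` is injectable so the
    decision logic can be tested without git (assumption: hypothetical helper).
    """
    cmd = ["git", "-C", repo_path, "merge-base", "--is-ancestor", fix_commit, "HEAD"]
    try:
        result = run(cmd, capture_output=True, text=True)
    except FileNotFoundError:  # git binary not installed
        return "unknown"
    if result.returncode == 0:
        return "fixed"
    if result.returncode == 1:
        return "vulnerable"
    return "unknown"  # unknown object: fetch full history before trusting the result


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"{repo}: {fix_status(repo)}")
```

Run it from (or pointed at) the Caldera checkout. An "unknown" result usually means a shallow clone; run `git fetch --unshallow` and check again rather than treating it as fixed.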
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/v2/agents/compile endpoint
- Log entries showing gcc compilation with suspicious -extldflags parameters
- Unexpected process execution from Caldera server
Network Indicators:
- HTTP POST requests to Caldera API containing gcc linker flags
- Unusual outbound connections from Caldera server
SIEM Query:
source="caldera.log" AND (uri="/api/v2/agents/compile" OR message="-extldflags")
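The two log indicators above (requests to the compile endpoint, and a `-extldflags` string in a request) can be checked offline against exported access logs. The following added script is not part of the advisory or of Caldera; it runs over constructed combined-log-style sample lines (Caldera's own log format may differ, so adjust the regular expression), and it assumes a constructed allowlist of operator hosts so that a compile request from anywhere else is flagged.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in a combined-log style. They are not
# real Caldera output; the flag value is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2025:10:01:12 +0000] "GET /api/v2/agents HTTP/1.1" 200 512
10.0.0.5 - - [25/Feb/2025:10:02:40 +0000] "POST /api/v2/agents/compile HTTP/1.1" 200 2048
203.0.113.9 - - [25/Feb/2025:10:03:01 +0000] "POST /api/v2/agents/compile HTTP/1.1" 200 2048
203.0.113.9 - - [25/Feb/2025:10:03:05 +0000] "GET /api/v2/agents/compile?flags=-extldflags%20REDACTED HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

COMPILE_PATH = "/api/v2/agents/compile"  # endpoint named in the advisory
LINKER_FLAG_MARKER = "-extldflags"       # log indicator named in the advisory
TRUSTED_SOURCES = {"10.0.0.5"}           # constructed allowlist of operator hosts


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry["target"]).path
    # Decode percent-encoding so an encoded flag in the query string is still seen.
    entry["decoded"] = unquote(entry["target"])
    return entry


def classify(entry):
    """Return the list of indicator tags that apply to an entry (empty = benign)."""
    reasons = []
    if entry["path"].startswith(COMPILE_PATH) and entry["src"] not in TRUSTED_SOURCES:
        reasons.append("compile-endpoint-from-untrusted-source")
    if LINKER_FLAG_MARKER in entry["decoded"]:
        reasons.append("linker-flag-in-request")
    return reasons


def scan(log_text):
    """Return (src, method, path, reasons) for every line that raises an indicator."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["src"], entry["method"], entry["path"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs record the request line but not POST bodies, so a linker flag carried in a POST body is only visible if a reverse proxy or web application firewall logs bodies, or if Caldera's own application log records the compile parameters; the endpoint-plus-untrusted-source rule is the one that works on a plain access log.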
🔗 References
- https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0
- https://github.com/mitre/caldera/pull/3129
- https://github.com/mitre/caldera/pull/3131/commits/61de40f92a595bed462372a5e676c2e5a32d1050
- https://github.com/mitre/caldera/releases
- https://github.com/mitre/caldera/security
- https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e