CyberSecurity news
Divya@gbhackers.com - 2h
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-27364, has been discovered in MITRE Caldera, a widely used adversarial emulation framework. This flaw allows attackers to remotely execute arbitrary code on affected Caldera servers. The vulnerability stems from Caldera's dynamic agent compilation functionality, which can be manipulated through crafted web requests. This poses a significant security risk, especially given Caldera's use in penetration testing and security automation, potentially granting attackers full control over compromised systems.
Versions of MITRE Caldera through 4.2.0 and 5.0.0 before commit 35bc06e are vulnerable and require immediate patching. The unauthenticated API endpoint in Caldera’s agent compilation process can be exploited by injecting arbitrary commands during compilation, specifically by abusing the `-extldflags` linker flag, which passes options through to the external linker (GCC). This allows attackers to deploy rogue Sandcat or Manx agents, which can then execute commands on the compromised system, which can lead to data exfiltration and further attacks on connected assets. Proof-of-Concept exploit details are publicly available.
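For defenders who cannot patch immediately, the summary above suggests a simple detection: flag requests to the agent build endpoint whose header or query values carry linker flags or shell metacharacters. The following is an added example, not code from the article or from the Caldera project; the log format, the `X-Build-Option` header name and the `<agent-compile-endpoint>` path are assumptions, and the sample log lines are constructed.

```python
import json
import re

# Markers a legitimate agent build request should never carry: Go/external
# linker flags (the page names -extldflags) and shell metacharacters.
LINKER_INJECTION = re.compile(r"-extldflags|-ldflags|-Wl,", re.IGNORECASE)
SHELL_META = re.compile(r"[;&|`$]")


def inspect_request(entry):
    """Return the reasons a logged request looks like a compile-time flag
    injection attempt (empty list if it looks benign).
    `entry` is a dict with 'path', 'headers' and 'query' (assumed log fields)."""
    reasons = []
    fields = dict(entry.get("headers", {}))
    fields.update({f"query:{k}": v for k, v in entry.get("query", {}).items()})
    for name, value in fields.items():
        if LINKER_INJECTION.search(value):
            reasons.append(f"linker flag in {name}")
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in {name}")
    return reasons


def scan_log(lines):
    """Parse newline-delimited JSON access-log lines and return a list of
    (path, source address, reasons) for every request that trips a rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        reasons = inspect_request(entry)
        if reasons:
            findings.append((entry["path"], entry.get("src", "?"), reasons))
    return findings


# Constructed sample log (not real Caldera output); the endpoint path is a
# placeholder and the X-Build-Option header name is an assumption.
SAMPLE_LOG = """
{"src": "10.0.0.5", "path": "/api/v2/agents", "headers": {"platform": "linux"}, "query": {}}
{"src": "203.0.113.9", "path": "/<agent-compile-endpoint>", "headers": {"platform": "linux", "X-Build-Option": "-extldflags=<injected>"}, "query": {}}
{"src": "203.0.113.9", "path": "/<agent-compile-endpoint>", "headers": {"platform": "linux"}, "query": {"name": "linux;"}}
"""

if __name__ == "__main__":
    for path, src, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {path}: {', '.join(reasons)}")
```

Matching on values rather than on a specific path keeps the rule useful even if the vulnerable endpoint is reached through an unexpected route; in production, feed it the web server's structured access log.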
References:
- community.emergingthreats.net: MITRE Caldera Remote Code Execution (CVE-2025-27364)
- gbhackers.com: Critical RCE Vulnerability in MITRE Caldera – Proof of Concept Released
- socradar.io: Security Alert: Critical Flaws in MITRE Caldera and Parallels Desktop (CVE-2025-27364, CVE-2024-34331)
Classification:
- HashTags: #Vulnerability #RCE #MITRECaldera
- Company: MITRE
- Target: Caldera Servers
- Product: Caldera
- Feature: Remote Code Execution
- Type: Vulnerability
- Severity: Critical