MITRE Caldera Vulnerability

By Christian Mary Lagua on March 7, 2025

Executive Summary

A critical vulnerability, CVE-2025-27364, affects MITRE Caldera. It allows remote code execution without authentication. Patches have been released for all affected versions.

Background

On February 24, 2025, the National Vulnerability Database published CVE-2025-27364, a vulnerability in MITRE Caldera [3]. Caldera is a tool built on the MITRE ATT&CK framework. It serves as a platform used by organizations for adversary emulation, red teaming, and incident response [1]. The problem exists in the Application Programming Interface (API) server, where Sandcat and Manx agents (reverse shells) are compiled dynamically [2]. The server lacks authentication for HTTP(S) web requests related to agent compilation, exposing compiler control options that allow attackers to execute arbitrary code.

The weakness impacts all versions up to and including 4.2.0 and 5.0.0. Due to its severity, it was given the maximum score of 10 under the Common Vulnerability Scoring System. A patch was announced on GitHub on February 17, 2025, under version 5.1.0. Users operating affected releases are advised to update immediately.

Exploitation

Exploiting CVE-2025-27364 enables command injection by abusing linker flags in the GCC compiler with sub-commands. A crafted curl command, once executed successfully, tricks the server into running malicious commands. This bypasses authentication and exploits the vulnerable dynamic agent compilation by manipulating compiler controls.

Significance and Impact

A successful exploitation of CVE-2025-27364 could result in full system compromise. Organizations using impacted versions of Caldera may face severe security threats, increasing their exposure to further attacks and potentially compromising additional systems [4]. This could lead to data breaches and operational disruptions.

Mitigation

To mitigate CVE-2025-27364, organizations should apply the latest security patches and conduct regular security testing to minimize the risk of exploitation. APIs should be properly secured by implementing authentication, authorization, and accounting. This ensures only authorized users have access to API endpoints. Additionally, organizations should deploy intrusion detection systems to monitor for unauthorized activity and detect exploitation attempts. These measures strengthen security against CVE-2025-27364.
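The two controls this class of bug calls for, authentication before compilation and server-side control of compiler options, are sketched below as an added example; it is not Caldera's code or the content of its patch. The header name `x-api-key`, the option names, the file names and the assumption of a Go agent built with `go build` are all hypothetical.

```python
import hmac
import re

# Hypothetical allow-list: option name -> pattern the whole value must match.
ALLOWED_OPTIONS = {
    "platform": re.compile(r"linux|windows|darwin"),
    "arch": re.compile(r"amd64|arm64"),
    "server": re.compile(r"https?://[A-Za-z0-9.-]+(:\d{1,5})?"),
}


class BuildRequestError(ValueError):
    """Raised when a compile request carries options outside the allow-list."""


def is_authenticated(headers, valid_keys):
    # Constant-time comparison; a missing header never matches.
    supplied = headers.get("x-api-key", "").encode()
    return any(hmac.compare_digest(supplied, k.encode()) for k in valid_keys)


def build_compile_argv(headers, options, valid_keys):
    """Return (argv, env) for the build, or raise before anything is executed."""
    # 1. Authenticate first: unauthenticated callers never reach the compiler.
    if not is_authenticated(headers, valid_keys):
        raise PermissionError("agent compilation requires an authenticated caller")
    # 2. Accept exactly the known option names; raw flag fields are rejected.
    if set(options) != set(ALLOWED_OPTIONS):
        raise BuildRequestError(f"unexpected or missing options: {sorted(options)}")
    # 3. Validate each value in full, so whitespace or extra flags cannot ride along.
    for name, value in options.items():
        if not isinstance(value, str) or not ALLOWED_OPTIONS[name].fullmatch(value):
            raise BuildRequestError(f"invalid value for {name!r}")
    # 4. The server, not the caller, composes the flags. argv is a list, so it
    #    can be run with subprocess.run(argv, shell=False) and no shell parses it.
    env = {"GOOS": options["platform"], "GOARCH": options["arch"]}
    ldflags = f"-X main.server={options['server']}"
    argv = ["go", "build", "-ldflags", ldflags, "-o", "agent.bin", "agent.go"]
    return argv, env
```

The caller never supplies a flag string: it picks values from a closed set, and anything else fails before a compiler process exists.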

Conclusion

The consequences of CVE-2025-27364 are severe for organizations using affected versions of MITRE Caldera. Because Caldera's API server lacks authentication for agent compilation, attackers are able to abuse the dynamic compilation of Sandcat and Manx agents to execute malicious code. Organizations should apply the latest patch and implement security measures for mitigation.

References

[1] GitHub. (2025, February 17). “MITRE Caldera.” GitHub. https://github.com/mitre/caldera

[2] Kulikowski, D. (2025, February). “MITRE Caldera Security Advisory — Remote Code Execution (CVE-2025–27364).” Medium. https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e

[3] National Institute of Standards and Technology. (2025, February 24). “CVE-2025-27364.” National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-27364

[4] Telychko, V. (2025, February 25). “CVE-2025–27364 in MITRE Caldera: Exploitation of a New Max-Severity RCE Vulnerability via Linker Flag Manipulation Can Lead to Full System Compromise.” SOC Prime. https://socprime.com/blog/cve-2025-27364-rce-vulnerability-in-mitre-caldera/