CVE-2025-27364
Published: 24 February 2025
Summary
CVE-2025-27364 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of web request inputs to the Caldera server API, so that crafted gcc -extldflags parameters cannot reach the linker and inject OS commands.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of the RCE flaw in the agent compilation functionality, as specified in the CVE mitigation.
- Least privilege: enforces least privilege on the Caldera server process to limit the scope and impact of arbitrary code execution even if injection succeeds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via command injection in public-facing Caldera server API directly enables T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the host.
NVD Description
In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
Deeper analysis
CVE-2025-27364 is a remote code execution (RCE) vulnerability in the dynamic agent compilation functionality of the MITRE Caldera server, affecting versions through 4.2.0 and 5.0.0 before commit 35bc06e. The flaw resides in the server API endpoint used for compiling and downloading Caldera's Sandcat or Manx agents (implants), where attackers can abuse the gcc -extldflags linker flag to inject sub-commands. It has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is linked to CWE-78 (OS Command Injection).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending a crafted web request to the Caldera server API, they can execute arbitrary code directly on the host system running the server, potentially leading to full compromise including data theft, persistence, or further lateral movement.
Mitigation involves applying patches from the referenced GitHub commits and pull requests, such as commit 35bc06e42e19fe7efbc008999b9f993b1b7109c0 in PR #3129 and the commit 61de40f92a595bed462372a5e676c2e5a32d1050 in PR #3131. Users should update to a fixed release via the Caldera releases page or consult the project's security advisories for details on vulnerable configurations and verification steps.
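The input-validation control (SI-10) named above is the compensating measure for a build endpoint that forwards caller-supplied linker flags. The following Python is an added illustration, not Caldera's own code: it shows a deny-by-default allowlist for a linker-flag string of the kind a "compile agent" request might carry, and composes the build command as an argv list so nothing is ever handed to a shell. The flag allowlist, the `validate_ldflags`/`build_argv` names and the sample inputs are all assumptions constructed for the example; the real endpoint and parameter names differ.

```python
import re
import shlex
from typing import List

# Hypothetical allowlist for a Go build endpoint (assumption, not Caldera's API).
# Only symbol/DWARF stripping and -X symbol=value assignments are honoured;
# -extldflags is never forwarded because it passes text on to the external
# linker (gcc), which is the path CVE-2025-27364 abuses.
STANDALONE_FLAGS = {"-s", "-w"}
SHELL_META = re.compile(r"[;&|`$()<>{}\n\r\\]")
SAFE_SYMBOL = re.compile(r"^[A-Za-z0-9_./]+$")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:/@+=-]*$")


class UnsafeBuildParameter(ValueError):
    """Raised when a caller-supplied build parameter fails the allowlist."""


def validate_ldflags(raw: str) -> List[str]:
    """Return the linker flags as separate argv tokens, or raise.

    Deny by default: anything not explicitly allowed is rejected, and every
    token is checked for shell metacharacters before being considered.
    """
    try:
        tokens = shlex.split(raw)
    except ValueError as exc:  # unbalanced quotes and similar
        raise UnsafeBuildParameter(f"unparseable flags: {exc}") from None

    clean: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if SHELL_META.search(tok):
            raise UnsafeBuildParameter(f"shell metacharacter in {tok!r}")
        if tok == "-extldflags" or tok.startswith("-extldflags="):
            raise UnsafeBuildParameter("-extldflags is not permitted")
        if tok in STANDALONE_FLAGS:
            clean.append(tok)
            i += 1
            continue
        if tok == "-X":
            if i + 1 >= len(tokens):
                raise UnsafeBuildParameter("-X without symbol=value")
            assignment = tokens[i + 1]
            sym, sep, value = assignment.partition("=")
            if not sep or not SAFE_SYMBOL.match(sym) or not SAFE_VALUE.match(value):
                raise UnsafeBuildParameter(f"bad -X assignment {assignment!r}")
            clean.extend(["-X", assignment])
            i += 2
            continue
        raise UnsafeBuildParameter(f"flag not on allowlist: {tok!r}")
    return clean


def flags_are_safe(raw: str) -> bool:
    """Convenience predicate: True if validate_ldflags accepts the string."""
    try:
        validate_ldflags(raw)
    except UnsafeBuildParameter:
        return False
    return True


def build_argv(output: str, ldflags: List[str]) -> List[str]:
    """Compose argv for subprocess.run(argv) with shell=False.

    `go build -ldflags` takes a single string, so the already-validated
    tokens are joined here; the output name is constrained separately.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", output):
        raise UnsafeBuildParameter(f"bad output name {output!r}")
    return ["go", "build", "-o", output, "-ldflags", " ".join(ldflags)]


if __name__ == "__main__":
    # Constructed sample input: a benign request and one carrying -extldflags.
    ok = validate_ldflags("-s -w -X main.version=1.2.3")
    print(build_argv("agent", ok))
    print(flags_are_safe("-s -extldflags '-Wl,-z,now'"))  # False
```

The design point is that the validator never tries to "sanitize" a dangerous flag into a safe one; it rejects the whole request, and the command is assembled from validated tokens into an argv list rather than a shell string.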
Details
- CWE(s)