CVE-2025-27364
Published: 24 February 2025
Summary
CVE-2025-27364 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27364 is a remote code execution vulnerability in MITRE Caldera through version 4.2.0 and in 5.0.0 prior to commit 35bc06e. The flaw resides in the server's dynamic agent compilation feature, specifically the API endpoint that compiles and serves Sandcat or Manx implants. It stems from insufficient sanitization of request parameters that are passed through to gcc, which lets the -extldflags linker flag carry arbitrary sub-commands; the weakness is tracked as CWE-78.
Unauthenticated remote attackers can exploit the issue by submitting a crafted web request to the Caldera server API. Successful exploitation grants arbitrary code execution on the host running the Caldera server, with full impact on confidentiality, integrity, and availability and a changed scope as reflected in the CVSS 10.0 rating.
The referenced GitHub commit, pull requests, and release notes indicate that the vulnerability is addressed by applying the changes in 35bc06e; administrators should update to a patched Caldera release. The associated EPSS score has remained stable at 0.2633 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4278
Vulnerability details
In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via command injection in the public-facing Caldera server API directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Command and Scripting Interpreter: Unix Shell) for arbitrary shell command execution on the host.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of web request inputs to the Caldera server API to block OS command injection via crafted gcc -extldflags parameters.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of the RCE flaw in the agent compilation functionality as specified in the CVE mitigation.
- Least privilege: Enforces least privilege on the Caldera server process to limit the scope and impact of arbitrary code execution even if injection succeeds.
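As an added illustration of the SI-10 control (example code written for this page, not Caldera's own implementation), a Python validator for a hypothetical agent-compile endpoint: platform and architecture are checked against allowlists, the one free-text value is held to a strict character pattern and may not begin with "-", and the toolchain is invoked with a fixed argv and no shell, so request data can never become a linker flag. The field names, allowlists, and the main.defaultServer ldflag variable are assumptions.

```python
import os
import re
import subprocess

# Allowlists and field names are assumptions for this example, not Caldera's own.
ALLOWED_PLATFORMS = {"linux", "darwin", "windows"}
ALLOWED_ARCHS = {"amd64", "arm64", "386"}
# The single free-text field (C2 address) may contain only these characters, so
# whitespace, quotes, newlines and shell metacharacters never reach the toolchain.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/-]{1,128}")


class CompileRequestError(ValueError):
    """Raised when a compile request fails validation (SI-10)."""


def validate_compile_request(params: dict) -> dict:
    """Return a normalised copy of the request or raise CompileRequestError."""
    platform = params.get("platform", "")
    arch = params.get("arch", "")
    server = params.get("server", "")
    if platform not in ALLOWED_PLATFORMS:
        raise CompileRequestError(f"platform not allowed: {platform!r}")
    if arch not in ALLOWED_ARCHS:
        raise CompileRequestError(f"arch not allowed: {arch!r}")
    # A value beginning with '-' would be parsed as a flag by go/gcc even when it
    # contains only safe characters, so it is rejected explicitly.
    if not SAFE_VALUE.fullmatch(server) or server.startswith("-"):
        raise CompileRequestError(f"server value rejected: {server!r}")
    return {"platform": platform, "arch": arch, "server": server}


def is_safe_compile_request(params: dict) -> bool:
    """Boolean wrapper around validate_compile_request for callers and tests."""
    try:
        validate_compile_request(params)
        return True
    except CompileRequestError:
        return False


def build_go_argv(valid: dict, output: str = "./agent.bin") -> list:
    """Fixed argv: request data appears only as the value of a server-composed
    -X ldflag (main.defaultServer is a hypothetical variable name)."""
    ldflags = f"-s -w -X main.defaultServer={valid['server']}"
    return ["go", "build", "-ldflags", ldflags, "-o", output, "."]


def compile_agent(params: dict, source_dir: str) -> subprocess.CompletedProcess:
    """Validate, then run the toolchain as an argv list with no shell; the
    target OS/arch travel via environment variables, not user-built flags."""
    valid = validate_compile_request(params)
    env = dict(os.environ, GOOS=valid["platform"], GOARCH=valid["arch"])
    return subprocess.run(build_go_argv(valid), cwd=source_dir, env=env,
                          check=True, capture_output=True)
```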