Cyber Resilience

CVE-2025-27364

Critical · RCE

Published: 24 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2633 (96.4th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27364 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27364 is a remote code execution vulnerability in MITRE Caldera through version 4.2.0 and in 5.0.0 prior to commit 35bc06e. The flaw resides in the server's dynamic agent compilation feature, specifically the API endpoint that compiles and serves Sandcat or Manx implants. It stems from insufficient sanitization of parameters passed to gcc, which allows the -extldflags linker flag to carry arbitrary sub-commands; the weakness is tracked as CWE-78 (OS Command Injection).

Unauthenticated remote attackers can exploit the issue by submitting a crafted web request to the Caldera server API. Successful exploitation grants arbitrary code execution on the host running the Caldera server, with full impact on confidentiality, integrity, and availability and a changed scope as reflected in the CVSS 10.0 rating.

The referenced GitHub commit, pull requests, and release notes indicate that the vulnerability is addressed by applying the changes in 35bc06e; administrators should update to a patched Caldera release. The associated EPSS score has remained stable at 0.2633 with no material increase observed since disclosure.

Vulnerability details

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

RCE via command injection in the public-facing Caldera server API directly enables T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Requires validation of web request inputs to the Caldera server API to block OS command injection via crafted gcc -extldflags parameters.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and patching of the RCE flaw in the agent compilation functionality as specified in the CVE mitigation.

Least privilege (prevent): Enforces least privilege on the Caldera server process to limit the scope and impact of arbitrary code execution even if injection succeeds.
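As an added defensive illustration of the input-validation control above and of the -extldflags injection described in the deeper analysis (this is example code, not Caldera's own code and not the fix in 35bc06e): a hypothetical build endpoint validates a client-supplied ldflags string against a strict allowlist and composes the build command as an argv list rather than a shell string. The allowlist, the -X value regex and the go build invocation are assumptions made for this example.

```python
import re

# Constructed allowlist for this example: the only linker flags a build
# endpoint should accept from a client. Everything else, including
# -extldflags (which forwards text to the external linker), is rejected.
ALLOWED_BARE_FLAGS = {"-s", "-w"}
# Value part of "-X importpath.name=value", kept to a conservative charset.
X_VALUE_RE = re.compile(r"^[A-Za-z0-9_./]+=[A-Za-z0-9_.:/-]*$")
# Characters a shell would interpret; none belong in a linker flag string.
SHELL_META = set(";&|$`<>()\\\"'\n\r\x00")


class UnsafeLdflags(ValueError):
    """Raised when a client-supplied ldflags string fails validation."""


def validate_ldflags(raw: str, max_len: int = 256) -> list[str]:
    """Return the validated flag tokens, or raise UnsafeLdflags."""
    if len(raw) > max_len:
        raise UnsafeLdflags("ldflags too long")
    bad = SHELL_META.intersection(raw)
    if bad:
        raise UnsafeLdflags(f"forbidden characters: {sorted(bad)}")
    tokens = raw.split()
    out: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_BARE_FLAGS:
            out.append(tok)
            i += 1
        elif tok == "-X" and i + 1 < len(tokens) and X_VALUE_RE.match(tokens[i + 1]):
            out.extend(["-X", tokens[i + 1]])
            i += 2
        else:
            # Unknown, malformed, or explicitly disallowed flag (e.g. -extldflags).
            raise UnsafeLdflags(f"flag not permitted: {tok}")
    return out


def build_argv(output_path: str, ldflags: str) -> list[str]:
    """Compose the build command as an argv list for subprocess.run(shell=False).
    output_path is server-side configuration, never taken from the request."""
    flags = validate_ldflags(ldflags)
    argv = ["go", "build", "-o", output_path]
    if flags:
        argv += ["-ldflags", " ".join(flags)]
    return argv + ["."]
```

Rejecting the request on any validation failure, rather than stripping characters and continuing, keeps the endpoint's behaviour predictable and makes the rejected inputs easy to log and alert on.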