February 25, 2025

How to Fix CVE-2025-27364: Remote Code Execution in MITRE Caldera Servers?


Orange background with white text reading "How to Fix CVE-2025-27364".

MITRE Caldera, a widely used adversary emulation system, has been found vulnerable to a critical Remote Code Execution (RCE) flaw. Identified as CVE-2025-27364, this vulnerability allows unauthenticated attackers to execute arbitrary code on the Caldera server, potentially leading to complete system compromise. Addressing this flaw is paramount to maintaining the integrity and security of systems utilizing MITRE Caldera. This article provides security professionals with a comprehensive guide to understanding, detecting, and mitigating this high-severity vulnerability. Further details are available in the official advisory.

A Short Introduction to MITRE Caldera

MITRE Caldera is an open-source, automated adversary emulation system designed to help organizations test and improve their cybersecurity defenses. It operates by executing pre-defined attack scenarios (called "abilities") against a target environment, allowing security teams to observe and analyze the effectiveness of their detection and response capabilities. Caldera's modular architecture and flexible configuration make it a valuable tool for red teams, penetration testers, and security operations teams seeking to proactively identify and address security weaknesses. The tool is available for Linux, macOS and Windows based systems. The MITRE Caldera security advisory has more background.

Summary of CVE-2025-27364

  • CVE ID: CVE-2025-27364

  • Description: A Remote Code Execution (RCE) vulnerability exists in MITRE Caldera due to improper neutralization of special elements used in an OS command ('OS Command Injection').

  • CVSS Score: 10.0 (Critical)

  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2025-27364 is a critical vulnerability stemming from an OS Command Injection flaw in the dynamic agent (implant) compilation functionality of the MITRE Caldera server. Specifically, the vulnerability resides in how the server handles the -extldflags linker flag (the flag that passes options through to gcc) when its value contains sub-commands during the agent compilation process. An unauthenticated attacker can exploit this flaw by sending a specially crafted web request to the Caldera server API used for compiling and downloading Sandcat or Manx agents. The improper neutralization of special elements allows the attacker to inject arbitrary OS commands, leading to remote code execution with the privileges of the Caldera server process.
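The following Python is an added illustration of the weakness class described above, not Caldera's own code and not the change made in commit 35bc06e. It contrasts the pattern that makes command injection possible (an untrusted -extldflags value spliced into one shell string) with a hardened form that allow-lists the value and builds an argument vector instead. The character allow-list, the length limit, the "every token starts with a dash" rule and the go build command line are all assumptions made for the example.

```python
"""
Added example, not Caldera's own code: an allow-list check for a
user-supplied -extldflags value and the two ways a server can hand it to
the compiler. Regexes, limits and the build command are assumptions.
"""
import re
from typing import List

# Legitimate linker-flag strings are built from option dashes, letters,
# digits and the punctuation that paths, -Wl,... groups and key=value
# options need. Shell metacharacters (; | & $ ` quotes, brackets, < >,
# newlines) fall outside the set and are rejected outright. '@' is left
# out on purpose: gcc reads '@file' as a response file.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_./,:=+ -]*")
MAX_EXTLDFLAGS_LEN = 256  # assumed upper bound; real flag strings are short


def is_safe_extldflags(value: str) -> bool:
    """True only if every character is allow-listed, the value is short,
    and every whitespace-separated token looks like a flag (starts with '-')."""
    if len(value) > MAX_EXTLDFLAGS_LEN:
        return False
    if _ALLOWED_CHARS.fullmatch(value) is None:
        return False
    return all(token.startswith("-") for token in value.split())


def validate_extldflags(value: str) -> str:
    """Return the value unchanged if it is safe; raise ValueError otherwise.
    Raising (rather than silently stripping) keeps a rejected request
    visible in the server log, which the log-review check later relies on."""
    if not is_safe_extldflags(value):
        raise ValueError("extldflags rejected by allow-list")
    return value


def unsafe_compile_command(output: str, extldflags: str) -> str:
    """The pattern that makes injection possible: the untrusted value is
    spliced into a single string that a shell will parse, so a ';' or '$('
    inside extldflags ends the compiler command and starts another one.
    Built here only for contrast; it is never executed."""
    return f'go build -o {output} -ldflags \'-extldflags "{extldflags}"\' agent.go'


def hardened_compile_argv(output: str, extldflags: str) -> List[str]:
    """The hardened form: validate first, then build an argument vector to
    hand to subprocess.run(argv) with the default shell=False, so no shell
    ever interprets the value. Because validation already excluded quotes,
    the inner "-extldflags \"...\"" quoting cannot be broken out of."""
    flags = validate_extldflags(extldflags)
    return ["go", "build", "-o", output,
            "-ldflags", f'-extldflags "{flags}"',
            "agent.go"]


if __name__ == "__main__":
    print(hardened_compile_argv("agent", "-static -Wl,-rpath,/opt/lib"))
    try:
        hardened_compile_argv("agent", "-static; echo test")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is deliberately narrower than what gcc would accept; a compile endpoint exposed to the network only ever needs a handful of flag shapes, and anything outside them is better rejected and logged than normalised.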

Impact of CVE-2025-27364

The impact of CVE-2025-27364 is severe, as it allows an unauthenticated remote attacker to execute arbitrary code on the Caldera server. This can lead to a complete compromise of the system, enabling the attacker to:

  • Gain full control of the Caldera server.

  • Execute malicious commands.

  • Compromise system integrity, confidentiality, and availability.

  • Potentially use the server as a pivot point for further network intrusion.

The vulnerability allows full remote code execution without any user interaction. Given the level of access gained, the attacker can perform any action on the server, with potentially catastrophic consequences for the organization's security posture. The absence of any authentication requirement makes this flaw particularly dangerous.

Products Affected by CVE-2025-27364

The following versions of MITRE Caldera are affected by this vulnerability:

Product         Version(s) Affected
MITRE Caldera   4.2.0
MITRE Caldera   5.0.0 (before commit 35bc06e)

The fix is commit 35bc06e of MITRE Caldera; that commit and all subsequent versions are patched. Users running the affected versions should update their installations to the patched version immediately to mitigate the risk. The commit on GitHub shows the fix in detail.

How to Check If Your Product is Vulnerable?

To determine if your MITRE Caldera server is vulnerable to CVE-2025-27364, follow these steps:

1. Check the Caldera Version: Log in to your Caldera server and check the installed version number. You can usually find this information in the Caldera web interface (often in the "About" section) or by using the Caldera command-line interface. If the version is 4.2.0 or 5.0.0 (before commit 35bc06e), your system is vulnerable.

2. Examine Server Logs: Analyze the Caldera server logs for any suspicious API calls related to agent compilation. Look for unusual requests containing potentially malicious commands or unexpected characters in the extldflags parameter.

3. Network Traffic Analysis: Monitor network traffic to and from the Caldera server for any suspicious activity. Look for unusual POST requests to the agent compilation API endpoint.

4. Check the git commit: if you installed from source, cd to the directory of the Caldera checkout and run git rev-parse HEAD. Compare the result with 35bc06e. If your commit predates it, your installation is vulnerable.
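The script below is an added example (not part of the original article and not Caldera's own tooling) that automates two of the checks above: step 4, by asking git whether the fix commit is an ancestor of the checked-out HEAD rather than comparing hashes by eye, and step 2, by scanning a request log for extldflags values that carry shell metacharacters or tokens that are not linker flags, and counting compile requests per client for step 3. The log format, the /compile-agent path and the sample lines are constructed for the example; adapt the regex to how your deployment actually logs the request.

```python
"""
Added example, not Caldera's own code. is_patched() runs git to decide
whether the fix commit is in HEAD's history; scan_extldflags_log() and
compile_requests_by_client() work over a constructed log sample.
"""
import re
import subprocess
from collections import Counter
from typing import Dict, List, Optional

FIX_COMMIT = "35bc06e"  # from the advisory; a full hash works as well


def is_patched(repo_dir: str, fix_commit: str = FIX_COMMIT) -> Optional[bool]:
    """True if fix_commit is HEAD or one of its ancestors, False if HEAD
    predates it (or the commit is not in the clone at all, e.g. a stale
    fetch), None if repo_dir is not a git checkout or git is unavailable."""
    def git(*args: str) -> int:
        return subprocess.run(["git", "-C", repo_dir, *args],
                              capture_output=True, text=True).returncode
    try:
        if git("rev-parse", "--is-inside-work-tree") != 0:
            return None
        if git("cat-file", "-e", f"{fix_commit}^{{commit}}") != 0:
            return False  # unknown commit: treat as unpatched, never as safe
        return git("merge-base", "--is-ancestor", fix_commit, "HEAD") == 0
    except OSError:
        return None  # git binary missing


# Constructed sample, not real Caldera output. The '/compile-agent' path
# and the key=value layout are assumptions made for this example.
SAMPLE_LOG = """\
2025-02-25 09:12:01 INFO POST /compile-agent client=10.0.0.5 platform=linux extldflags="-static"
2025-02-25 09:12:44 INFO POST /compile-agent client=10.0.0.5 platform=windows extldflags=""
2025-02-25 09:13:10 INFO POST /compile-agent client=198.51.100.7 platform=linux extldflags="-static; echo test"
2025-02-25 09:13:12 INFO GET /api/v2/agents client=10.0.0.5
2025-02-25 09:13:15 INFO POST /compile-agent client=198.51.100.7 platform=linux extldflags="-L/tmp/`echo x`"
"""

_LINE = re.compile(r'^(?P<ts>\S+ \S+) \S+ POST (?P<path>\S+) .*?client=(?P<client>\S+)'
                   r'.*?extldflags="(?P<flags>[^"]*)"')
_METACHARS = re.compile(r"[;&|$`'\"<>(){}\\\n\r]")


def classify_extldflags(flags: str) -> List[str]:
    """Reasons a logged extldflags value looks injected; empty list if benign."""
    reasons = []
    if _METACHARS.search(flags):
        reasons.append("shell metacharacter")
    if any(not token.startswith("-") for token in flags.split()):
        reasons.append("token is not a linker flag")
    if len(flags) > 256:
        reasons.append("unusually long value")
    return reasons


def scan_extldflags_log(text: str) -> List[Dict[str, str]]:
    """One finding per compile request whose extldflags value looks injected,
    keeping timestamp, client and the raw value so an analyst can pivot."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        reasons = classify_extldflags(m["flags"])
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "path": m["path"], "extldflags": m["flags"],
                             "reasons": ", ".join(reasons)})
    return findings


def compile_requests_by_client(text: str) -> Counter:
    """Compile-request volume per client; a burst from one address is the
    'unusual POST requests' signal that step 3 asks you to look for."""
    return Counter(m["client"] for m in map(_LINE.match, text.splitlines()) if m)


if __name__ == "__main__":
    print("patched:", is_patched("."))
    for finding in scan_extldflags_log(SAMPLE_LOG):
        print(finding)
    print(compile_requests_by_client(SAMPLE_LOG))
```

Note that a missing commit makes is_patched() return False rather than True: a clone that has not been fetched since the fix landed cannot prove it is patched, and the check should fail closed.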

How to Fix CVE-2025-27364?

The primary remediation strategy for CVE-2025-27364 is to update MITRE Caldera to the patched version (35bc06e or later). Follow these steps to address the vulnerability:

1. Update Caldera: Immediately update your MITRE Caldera installation to the patched version (35bc06e or later). Refer to the official MITRE Caldera documentation for detailed instructions on how to update the software.

2. Restrict Network Access: Implement strict network access controls to limit access to the Caldera server. Only allow authorized users and systems to access the server, and restrict access from untrusted networks.

3. Implement Network Segmentation: Segment your network to isolate the Caldera server from other critical systems. This can help prevent an attacker from pivoting to other parts of the network if the Caldera server is compromised.

4. Use a Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to filter malicious requests to the Caldera server. Configure the WAF to block requests containing suspicious commands or unexpected characters in the extldflags parameter.

5. Monitor Server Logs: Continuously monitor the Caldera server logs for any suspicious API calls or other unusual activity. Set up alerts to notify you of any potential security incidents. Security logging and monitoring is essential.

6. Temporarily Disable the Agent Compilation API: If agent compilation is not immediately necessary, consider temporarily disabling the API to reduce the attack surface.

7. Conduct a Security Audit: After a potential compromise, conduct a thorough security audit of the Caldera server and related systems to identify any residual malware or unauthorized access.

No vendor workaround is available, so apply the patch as soon as possible. Consider learning more about the MITRE ATT&CK framework to improve your threat hunting.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
