CVE-2025-27364
Published 2025-02-24
Priority: P2 (78) · Severity: critical · CVSS 3.1 base score: 10.0
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 23.81% (97.5th percentile)
In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitre | caldera | <= 4.2.0 | commit 35bc06e or later |
| mitre | caldera | 5.0.0 before 35bc06e | commit 35bc06e or later |
Detection & IOCs (extracted from sources)
Suricata rule (ET Open sid 2060372 rev 2; written with Suricata sticky-buffer keywords, and it needs decrypted traffic wherever the Caldera server sits behind TLS, as the rule's tls_state metadata notes)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/download"; fast_pattern; http.header; content:"file|3a 20|"; content:"platform|3a 20|"; pcre:"/(?:contact|socket|http)\x3a\x20[^\x0d\x0a]*?extld(?:flags)?/i"; reference:url,nvd.nist.gov/vuln/detail/CVE-2025-27364; reference:cve,2025-27364; classtype:web-application-attack; sid:2060372; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_25, cve CVE_2025_27364, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_28, reviewed_at 2025_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploitation is a crafted HTTP GET to the Caldera API endpoint /file/download. The `file:` and `platform:` headers select the agent source and target platform; the injected linker flag rides in one of the other header values the server feeds into the agent build, and the rule above checks for it in the `contact:`, `socket:` and `http:` header values. Note that -extldflags is a flag of the Go linker that hands its argument to the external C linker (gcc), which is why the advisory describes it as a gcc flag with sub-commands.
- The endpoint requires no authentication (CVSS PR:N), so an unauthenticated GET to /file/download carrying these headers is a high-fidelity signal; normal agent downloads triggered by operators are the baseline to compare against.
- Look for the string 'extldflags' (or the shorter 'extld', case-insensitively, as the rule's pcre does) in the 'contact:', 'socket:' or 'http:' header values of requests to the agent download API; this is the injection vector for the RCE payload.
- The attack abuses the dynamic agent (implant) compilation used to build Sandcat or Manx agents. The Caldera server legitimately spawns the Go toolchain (and, through it, gcc) for every agent download, so the process-level signal is not gcc or go themselves but unexpected children of them, for example a shell launched under the linker, or these compilers running on a server where no operator requested an agent.
- Affected versions are MITRE Caldera through 4.2.0 and 5.0.0 before commit 35bc06e. Ensure the fix at commit 35bc06e or later is applied.
- Default Caldera installations are at heightened risk because Go, Python and GCC, the dependencies required for exploitation, are typically present in default configurations.
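The detection points above (unauthenticated GET to /file/download, `file:` and `platform:` headers present, an `extld` token in a `contact:`, `socket:` or `http:` header value) as runnable logic, next to the input check that keeps a header value from ever becoming linker flags. This is an added example: it is not Caldera's code, not the ET rule itself and not the upstream fix in 35bc06e. It assumes, as the advisory implies but this page does not spell out, that the header value is interpolated into the `go build -ldflags` string, which Go then splits into separate linker arguments; the `main.server` variable name, the `SAFE_VALUE_RE` allowlist and the two sample requests are constructed for the example.

```python
"""Detection and input-validation logic for CVE-2025-27364 (added example).

Not Caldera's code, not the ET rule itself and not the upstream fix: it
re-implements the rule's conditions in Python so they can be run offline
over captured requests, and shows why an unvalidated header value reaches
the linker. Sample requests below are constructed for this example.
"""
import re
import shlex
from dataclasses import dataclass

# Header names the ET rule's pcre inspects, and the token it looks for.
INJECTION_HEADERS = ("contact", "socket", "http")
EXTLD_RE = re.compile(r"extld(?:flags)?", re.IGNORECASE)

# Allowlist for a value that will be interpolated into -ldflags
# (hypothetical hardening, not the upstream fix): a C2 URL or group name
# never needs whitespace, quotes or a leading dash, all of which an
# injected `-extldflags "..."` requires.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/@%\-]*$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # lower-cased header name -> value


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x parser: request line and headers, body ignored."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split()[:2]
    path = target.split("?", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def is_caldera_extldflags_attempt(req: HttpRequest) -> bool:
    """Python equivalent of ET sid 2060372.

    The rule matches 'file: ' and 'platform: ' as substrings of the raw
    header block; checking the parsed header names is slightly stricter.
    """
    if req.method != "GET" or "/file/download" not in req.path:
        return False
    if "file" not in req.headers or "platform" not in req.headers:
        return False
    return any(EXTLD_RE.search(req.headers.get(h, "")) for h in INJECTION_HEADERS)


def is_safe_ldflag_value(value: str) -> bool:
    """True when a header value may be placed inside the -ldflags string."""
    return SAFE_VALUE_RE.match(value) is not None


def linker_args(value: str) -> list:
    """Show what the Go toolchain sees after splitting the -ldflags string.

    Go splits -ldflags on whitespace with shell-like quoting; shlex is an
    approximation of that. A value containing a space therefore becomes
    extra linker flags, which is the injection this CVE describes.
    """
    return shlex.split(f"-s -w -X main.server={value}")


def assess(raw: bytes) -> dict:
    """Combine the network signature with the input check for one request."""
    req = parse_request(raw)
    unsafe = [h for h in INJECTION_HEADERS
              if h in req.headers and not is_safe_ldflag_value(req.headers[h])]
    return {"rule_match": is_caldera_extldflags_attempt(req),
            "unsafe_headers": unsafe}


# Constructed sample traffic: a normal agent download and an injection attempt.
BENIGN = (b"GET /file/download HTTP/1.1\r\nHost: caldera.example:8888\r\n"
          b"file: sandcat.go\r\nplatform: linux\r\n"
          b"server: http://caldera.example:8888\r\n\r\n")
MALICIOUS = (b"GET /file/download HTTP/1.1\r\nHost: caldera.example:8888\r\n"
             b"file: sandcat.go\r\nplatform: linux\r\n"
             b"contact: http://caldera.example:8888 -extldflags \"-Wl,--verbose\"\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, assess(raw))
    print(linker_args(parse_request(MALICIOUS).headers["contact"]))
```

The signature side only sees the token the rule looks for, so it is a detection control; the allowlist is where a fix belongs, applied to every header value before it is interpolated into a build command rather than after the request has been served.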
CVSS provenance
NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
GHSA
GHSA-3xgj-vqg4-h895 · ghsa_unreviewed · 2025-02-24 · CVE-2025-27364 · CRITICAL · CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Description identical to the CVE record above.
Microsoft
The MSRC record indexed here (vendor_msrc · 2021-03-09 · CVSS 7.1 HIGH · CWE-125) is for CVE-2021-27364, an issue in the Linux kernel through 5.11.3 in which drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. It concerns the Azure Linux (CBL-Mariner) kernel package, shares only the numeric suffix with the Caldera vulnerability, and does not indicate that any Microsoft product is affected by CVE-2025-27364.
Suricata
ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364) · suricata · 2025-02-25 · CVSS 10.0 · CRITICAL
Rule: ET Open sid 2060372 rev 2, reproduced in full under Detection & IOCs above.
No public exploits indexed.
References
https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0
https://github.com/mitre/caldera/pull/3129
https://github.com/mitre/caldera/pull/3131/commits/61de40f92a595bed462372a5e676c2e5a32d1050
https://github.com/mitre/caldera/releases
https://github.com/mitre/caldera/security
https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e