CVE-2025-27364
published 2025-02-24


Severity: critical (CVSS 3.1 base score 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 23.81% (97.5th percentile)
In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.

Affected (3 ranges)

Vendor  Product                                      Version range  Fixed in
mitre   caldera                                      <= 4.2.0
mitre   caldera
msrc    cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0

Detection & IOCs (extracted from sources)

url: /file/download
command: gcc -extldflags
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/download"; fast_pattern; http.header; content:"file|3a 20|"; content:"platform|3a 20|"; pcre:"/(?:contact|socket|http)\x3a\x20[^\x0d\x0a]*?extld(?:flags)?/i"; reference:url,nvd.nist.gov/vuln/detail/CVE-2025-27364; reference:cve,2025-27364; classtype:web-application-attack; sid:2060372; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_25, cve CVE_2025_27364, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_28, reviewed_at 2025_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit is triggered via a crafted HTTP GET request to the Caldera server API endpoint /file/download, with HTTP headers containing 'file:' and 'platform:' fields embedding the gcc -extldflags linker flag with malicious sub-commands.
  • The vulnerability can be triggered without authentication, making unauthenticated HTTP GET requests to /file/download a high-fidelity detection signal.
  • Look for the string 'extldflags' or 'extld' appearing in HTTP headers (specifically in 'contact:', 'socket:', or 'http:' header values) in requests to the Caldera agent download API, as this is the injection vector for the RCE payload.
  • The attack targets the dynamic agent (implant) compilation functionality used for compiling and downloading Sandcat or Manx agents; monitor for unexpected process spawning (e.g., gcc, go, python) from the Caldera server process.
  • Affected versions are MITRE Caldera through 4.2.0 and 5.0.0 before commit 35bc06e. Ensure the fix at commit 35bc06e or later is applied.
  • Default Caldera installations are at heightened risk because Go, Python, and GCC — the dependencies required for exploitation — are typically present in default configurations.
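The detection logic the bullets and the Snort rule describe, written out as an added Python example (not code from the page's source or from the Caldera project): a request is flagged only when the GET to /file/download, the file: and platform: headers, and an extld/extldflags string in a contact:, socket: or http: header all coincide. The sample requests are constructed, the hostname is a placeholder, and the flagged request carries only the flag name followed by a placeholder, no sub-command.

```python
import re

# The Snort rule looks in the contact, socket or http header for "extld"/"extldflags".
LDFLAG_RE = re.compile(r"extld(?:flags)?", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, uri, headers dict)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, uri = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def rule_conditions(raw: str) -> list[str]:
    """Return which of the rule's conditions the request satisfies."""
    method, uri, headers = parse_request(raw)
    hits = []
    if method == "GET" and "/file/download" in uri:
        hits.append("uri:/file/download")
    if "file" in headers and "platform" in headers:
        hits.append("headers:file+platform")
    for name in ("contact", "socket", "http"):
        if name in headers and LDFLAG_RE.search(headers[name]):
            hits.append(f"ldflag:{name}")
    return hits


def is_alert(raw: str) -> bool:
    """Alert only when the endpoint, the agent headers and the flag all line up."""
    hits = rule_conditions(raw)
    return ("uri:/file/download" in hits and "headers:file+platform" in hits
            and any(h.startswith("ldflag:") for h in hits))


# Constructed samples, not captured traffic; the flag appears with a placeholder only.
BENIGN = ("GET /file/download HTTP/1.1\r\nHost: caldera.example\r\n"
          "file: sandcat.go\r\nplatform: linux\r\ncontact: HTTP\r\n\r\n")
SUSPICIOUS = BENIGN.replace("contact: HTTP", "contact: HTTP -extldflags PLACEHOLDER")
OTHER_PATH = SUSPICIOUS.replace("/file/download", "/api/v2/agents")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other path", OTHER_PATH)):
        print(f"{label}: alert={is_alert(req)} conditions={rule_conditions(req)}")
```

A legitimate agent download satisfies the endpoint and header conditions on its own, so the flag match is what carries the signal; the same flag string sent to another path does not fire.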

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_msrc: 7.1 HIGH