MITRE Caldera is an open-source cyber security platform designed for automating adversary emulation, red teaming, and threat hunting. It allows security teams to simulate real-world cyber threats, test defences, and improve incident response.
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-27364, has been discovered in MITRE Caldera versions up to 4.2.0 and 5.0.0 (prior to commit 35bc06e). This flaw resides in the dynamic agent (implant) compilation functionality of the Caldera server, allowing remote attackers to execute arbitrary code on the host system via crafted web requests to the server's API.
Attackers can exploit this by sending specially crafted requests to the Caldera server API endpoint responsible for compiling and downloading agents such as Sandcat or Manx.
The flaw lies in how the build handles the gcc -extldflags linker flag: sub-commands embedded in that flag are executed, giving arbitrary code execution on the server.
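The following is an added illustration of the bug class described above, not code from the Caldera project. It contrasts a hypothetical flawed agent-build helper (a request value interpolated into a single shell string and into the -extldflags option) with a hardened version that allow-lists every client value, confines it to the right-hand side of a Go -X variable assignment, keeps all linker flags as server-owned constants, and runs the build as an argv list with no shell. The function names, the option names server and group, the Go variable names and the flag set are all assumptions made for this example.

```python
"""Hypothetical illustration of the CVE-2025-27364 bug class (client input
reaching the linker flags of a dynamic agent build). Not Caldera's code; every
name, option and flag below is an assumption made for this example."""
import re
import subprocess
from typing import Dict, List

# Assumed server-owned linker flags. If static linking via -extldflags were
# needed, it would be a constant here, never derived from a request.
SERVER_LDFLAGS: List[str] = ["-s", "-w"]

# Assumed mapping from request option names to the Go variables they may set.
ALLOWED_VARS: Dict[str, str] = {"server": "main.server", "group": "main.group"}

# Allow-list for client values: no whitespace, quotes, $, backticks, ;, |, &,
# parentheses or '=', so a value can neither escape into a shell nor be parsed
# as an additional -ldflags token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:/-]{1,128}")


class UnsafeBuildOption(ValueError):
    """Raised when a client-supplied build option fails validation."""


def vulnerable_build_command(client_value: str) -> str:
    """BEFORE (flawed pattern, returned as a string and never executed here):
    the raw request value is interpolated into one shell command string and
    into the -extldflags option, so both the shell and the C linker interpret
    whatever the client sent."""
    return f"go build -ldflags '-s -w -extldflags \"{client_value}\"' -o agent ."


def validate_option(name: str, value: str) -> str:
    """Reject anything outside the allow-list, and any value that could be read
    as a flag (leading '-') rather than as data."""
    if not SAFE_VALUE.fullmatch(value):
        raise UnsafeBuildOption(f"{name}: value {value!r} contains disallowed characters")
    if value.startswith("-"):
        raise UnsafeBuildOption(f"{name}: value must not begin with '-'")
    return value


def hardened_build_argv(options: Dict[str, str], output: str = "agent") -> List[str]:
    """AFTER: client data appears only as the right-hand side of a -X variable
    assignment; linker flags are server constants; the result is an argv list
    that run_build executes without a shell."""
    x_flags: List[str] = []
    for name, value in options.items():
        if name not in ALLOWED_VARS:
            raise UnsafeBuildOption(f"unknown build option {name!r}")
        x_flags.append(f"-X {ALLOWED_VARS[name]}={validate_option(name, value)}")
    ldflags = " ".join(SERVER_LDFLAGS + x_flags)
    return ["go", "build", "-ldflags", ldflags, "-o", output, "."]


def is_rejected(options: Dict[str, str]) -> bool:
    """True if the hardened builder refuses the request."""
    try:
        hardened_build_argv(options)
    except UnsafeBuildOption:
        return True
    return False


def run_build(argv: List[str]) -> int:
    """Execute a planned build. shell=False hands each argv element to the go
    binary verbatim, so shell metacharacters are never interpreted."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample request values, not real Caldera traffic.
    print(hardened_build_argv({"server": "http://10.0.0.5:8888", "group": "red"}))
    for bad in ({"server": "a;b"}, {"server": "-Wl,x"}, {"server": "a b"}, {"colour": "x"}):
        print(bad, "rejected" if is_rejected(bad) else "accepted")
```

The design point is that validation alone is not the fix: the hardened builder also removes the shell from the path (an argv list, never a formatted command string) and removes the client from any position that the linker interprets as a flag, so a value can only ever be data assigned to a named Go variable.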
Affected Versions:
MITRE Caldera versions up to 4.2.0 and 5.0.0 (prior to commit 35bc06e).
Impact:
This vulnerability poses a severe security risk, allowing unauthenticated remote attackers to execute arbitrary code directly on the Caldera server. A successful exploit could result in complete system compromise, granting attackers full control over the affected server. This could lead to data theft, unauthorized command execution, the installation of persistence mechanisms, and potential lateral movement across the network, significantly amplifying the threat scope.
With a CVSS v3.1 score of 10.0 (Critical), the highest possible severity rating, this vulnerability requires no privileges and no user interaction, is highly exploitable, and has devastating consequences.
Immediate update recommended: Users should upgrade to the latest version of MITRE Caldera. The issue has been resolved in commit 35bc06e; updating to that commit or any later version mitigates the vulnerability.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.