CVE-2025-27364
Published: 24 February 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution (MITRE ATT&CK T1059.004, Unix Shell).
Security Summary
CVE-2025-27364 is a remote code execution (RCE) vulnerability in the dynamic agent compilation functionality of the MITRE Caldera server, affecting versions through 4.2.0 and 5.0.0 before commit 35bc06e. The flaw resides in the server API endpoint used for compiling and downloading Caldera's Sandcat or Manx agents (implants), where an attacker can abuse the gcc -extldflags linker flag to inject sub-commands into the build. It has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-78 (OS Command Injection).
A remote attacker needs no privileges and no user interaction to exploit this vulnerability over the network. A single crafted web request to the Caldera server API is enough to execute arbitrary code on the host running the server, which can lead to full compromise of that host, including data theft, persistence, or further lateral movement.
Mitigation consists of applying the fixes from the referenced GitHub commits and pull requests: commit 35bc06e42e19fe7efbc008999b9f993b1b7109c0 in PR #3129 and commit 61de40f92a595bed462372a5e676c2e5a32d1050 in PR #3131. Users should update to a fixed release via the Caldera releases page, or consult the project's security advisories for details on vulnerable configurations and on how to verify that the fix is in place.
Details
- CWE(s): CWE-78 (OS Command Injection)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059.004 (Command and Scripting Interpreter: Unix Shell)
Why these techniques?
RCE via command injection in the public-facing Caldera server API directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary Unix shell command execution on the host.