MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025-27364)
Users of the MITRE Caldera cyber security platform have been urged to plug a critical hole (CVE-2025-27364) that may allow unauthenticated attackers to achieve remote code execution.
About MITRE Caldera
MITRE Caldera is a platform built on the MITRE ATT&CK framework and is used by cybersecurity teams for adversary emulation, evaluating detections and defensive tools, training red and blue teamers, testing cyber ranges, and so on.
It consists of a core system (including a command-and-control server with a REST API and a web interface) and plugins (agents, collections of TTPs, etc.) that expand its capabilities. Some of the plugins are maintained by the Caldera team and are included by default, while others are maintained by third parties and have to be additionally installed by users.
MITRE Caldera can be installed on Linux or macOS machines and requires Python 3.9+, GoLang 1.17+, and the NodeJS JavaScript runtime environment to be installed for all of it to function as it should.
About CVE-2025-27364
CVE-2025-27364 is an OS command injection vulnerability affecting all versions of MITRE Caldera up until 4.2.0 and 5.0.0. The vulnerability was discovered and reported by Dawid Kulikowski, a contributor to the project, who also helped create the patch for it.
“The vulnerability originates in the dynamic compilation functionality of the Caldera Manx and Sandcat agents (implants),” the Caldera team explained.
The vulnerability allows remote unauthenticated attackers to execute arbitrary code on the server that Caldera is running on, by sending a specially crafted HTTPS request to the Caldera server API used for compiling and downloading the two aforementioned agents.
Several conditions have to be present for a successful attack: the system running the Caldera server also has to have Go, Python and the GNU Compiler Collection (GCC) installed. But, as the team noted, “all of these dependencies are required for Caldera to be fully-functional in the first place and on many distributions, GCC is a dependency of Go, meaning this vulnerability is extremely likely to be available to an attacker.”
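The bug class the Caldera team describes is untrusted request data reaching the command line of a compiler. The following is an added illustration of that class and of the defensive fix, not Caldera's own code or the patch: it builds a Go build command from caller-supplied link-time variables, once by splicing the raw string into a shell command (the vulnerable pattern) and once by validating every key and value against an allowlist and handing the compiler an argument vector with no shell involved. The header name, the output path and the regexes are assumptions made for the example.

```python
import re
import shlex
from typing import Dict, List

# Constructed for this example: assume the agent build endpoint lets the requester
# set Go link-time variables (go build -ldflags "-X key=value"). Hypothetical names.
AGENT_SOURCE = "./sandcat.go"
OUTPUT_BINARY = "sandcat"

# Allowlist for -X overrides: dotted identifiers as keys, a conservative value charset.
_KEY_RE = re.compile(r"[A-Za-z0-9_.]+")
_VALUE_RE = re.compile(r"[A-Za-z0-9_.:/-]+")


def build_unsafe(ldflags: str) -> str:
    """Vulnerable pattern: the raw request value is interpolated into one shell
    string that would later be run with shell=True. Quotes inside the value end
    the argument early, so the rest is parsed by the shell as further commands."""
    return f"go build -ldflags='{ldflags}' -o {OUTPUT_BINARY} {AGENT_SOURCE}"


def shell_tokens(command: str) -> List[str]:
    """Show what a POSIX shell would see for a command string (shlex mirrors its
    quoting rules); used to demonstrate why build_unsafe is dangerous."""
    return shlex.split(command)


def safe_ldflags(overrides: Dict[str, str]) -> str:
    """Validate each key=value against the allowlist and emit the -X flags.
    Anything outside the allowlist is rejected instead of being 'escaped'."""
    parts = []
    for key, value in overrides.items():
        if not _KEY_RE.fullmatch(key) or not _VALUE_RE.fullmatch(value):
            raise ValueError(f"rejected ldflag {key!r}={value!r}")
        parts.append(f"-X {key}={value}")
    return " ".join(parts)


def build_safe(overrides: Dict[str, str]) -> List[str]:
    """Hardened pattern: return an argument vector for subprocess.run(argv)
    (shell=False). The validated ldflags travel as a single argv element, so the
    only parser that ever sees them is the Go toolchain's flag parser."""
    return ["go", "build", "-ldflags", safe_ldflags(overrides),
            "-o", OUTPUT_BINARY, AGENT_SOURCE]


if __name__ == "__main__":
    # Legitimate request: two overrides, both within the allowlist.
    print(build_safe({"main.key": "abc123", "main.server": "https://127.0.0.1:8888"}))
    # Hostile request: the same value is rejected by the safe builder ...
    try:
        build_safe({"main.key": "abc; echo injected"})
    except ValueError as err:
        print("rejected:", err)
    # ... but silently becomes extra shell commands in the unsafe one.
    print(shell_tokens(build_unsafe("a=1' ; echo injected ; '")))
```

Two design points carry the fix: validation is an allowlist (reject anything unexpected) rather than an attempt to escape metacharacters, and the compiler is invoked through an argument vector so there is no shell to reinterpret the input at all. Authentication on the endpoint would be a separate layer; it does not replace input validation.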
The team also published proof-of-exploit (PoC) code, though it made a slight change to prevent it being used as-is by script kiddies. Still, more experienced exploit writers will be able to tweak it by analyzing Caldera’s source code.
CVE-2025-27364 has been fixed in Caldera v5.1.0. Kulikowski will be releasing a Metasploit module for the flaw in the coming weeks, so the team recommends that users update their instances quickly and/or make them inaccessible from the internet.