A critical remote code execution (RCE) vulnerability (CVE-2025-27364) has been discovered in all versions of MITRE Caldera prior to commit 35bc06e, exposing systems to potential attacks by unauthenticated attackers.
The flaw exists in Caldera’s Sandcat and Manx agents, which are reverse shells used for red team operations. The vulnerability lies in the dynamic compilation mechanism that generates implants, requiring only Go, Python, and GCC—dependencies already present in default Caldera installations.
Security researcher Dawid Kulikowski reported the flaw through MITRE’s coordinated disclosure process.
Vulnerability Origin in Dynamic Compilation
Caldera’s Sandcat and Manx agents use the dynamic compilation endpoint (/file/compile) to create implants based on parameters such as communication protocols and encryption keys. These parameters are passed via HTTP headers when agents are retrieved. The endpoint lacks authentication, enabling unauthenticated access to the compilation process.
The vulnerability stems from improper handling of user-controlled linker flags (ldflags) passed to the compile_go() function. Though Caldera developers used subprocess.check_output() without shell=True to prevent command injection, the attack surface expanded due to linker flag manipulation.
Specifically, attackers exploited Go’s linker toolchain’s -extld and -extldflags parameters, which allowed them to use GCC’s -wrapper option for indirect command execution.
Exploitation via Linker Flag Manipulation
Attackers bypassed typical command injection defenses by using the -extld flag to specify GCC as the external linker and injecting the -wrapper parameter. This GCC feature allows arbitrary command execution by routing subprocess calls through a user-defined binary, executing the attacker’s code while maintaining the legitimate compilation process to avoid detection.
Proof of Concept (PoC)
A successful attack could be demonstrated using a simple curl command to trigger a reverse shell on the Caldera server. Upon successful exploitation, the Caldera server executes the attacker’s embedded Python script, providing the attacker with a reverse shell with root privileges.
Mitigation and Recommendations
MITRE has issued an urgent advisory, recommending the following actions:
- Update Caldera to version 5.1.0 or later, which restricts linker flag modifications and validates compilation parameters.
- Isolate Caldera servers from sensitive environments to limit lateral movement.
- Remove unnecessary build tools (e.g., GCC) from production systems running Caldera.
Organizations using Caldera for testing or training should audit their instances for signs of exploitation, including unexpected processes or network connections originating from Caldera servers.
