Expert Insights on Cybersecurity for Mid-Market Businesses | Managed XDR Blog

Critical RCE Vulnerability Found in MITRE Caldera (CVE-2025-27364)

Written by Katie MacDonald | Mar 3, 2025 8:24:54 PM

Severity: Critical (CVSS 10.0)
Impacted Versions: MITRE Caldera ≤ 4.2.0 and 5.0.0 (prior to commit 35bc06e)

Gradient Cyber has identified a critical Remote Code Execution (RCE) vulnerability in MITRE Caldera, the widely used adversary emulation platform.

Tracked as CVE-2025-27364, this vulnerability affects Caldera’s dynamic agent (implant) compilation functionality. By sending specially crafted web requests to the Caldera API, remote attackers can execute arbitrary code on the host running Caldera.

This flaw impacts Caldera versions through 4.2.0 and 5.0.0 (prior to commit 35bc06e) and has been assigned the highest severity rating of 10.0.

What’s at Risk

If exploited, this vulnerability could allow attackers to:

  • Gain full control of the Caldera server
  • Deploy malicious agents disguised as legitimate Sandcat or Manx implants
  • Move laterally into connected systems and networks
  • Interrupt red team operations and security testing
  • Execute arbitrary code with potentially elevated privileges

For organizations relying on Caldera in production environments, this vulnerability poses serious operational and security risks.

Technical Details

  • CVE: CVE-2025-27364
  • Severity: Critical (10.0)
  • Attack Vector: Remote via crafted API web requests
  • Impacted Versions:
    • All versions up to 4.2.0
    • Version 5.0.0 prior to commit 35bc06e
  • Affected Components:
    • Sandcat agent compilation
    • Manx agent compilation

Mitigation Steps

Gradient Cyber strongly recommends the following:

  1. Apply the latest patch: Upgrade Caldera beyond commit 35bc06e as soon as possible.
  2. Limit network exposure: Ensure Caldera servers are not publicly accessible and restrict access to trusted networks.
  3. Audit your environment: Review Caldera logs for unusual API activity or unauthorized agent compilations.
  4. Monitor for threats: Watch for indicators of compromise related to unauthorized code execution on your Caldera host.

For the latest updates and official guidance, please refer to MITRE’s security advisory.

Gradient Cyber’s Perspective

Tools like MITRE Caldera are essential for security testing—but when they’re compromised, they can quickly become a direct path for real-world attackers. This vulnerability underscores the importance of proactive patching, secure configurations, and ongoing monitoring of even your internal security platforms.

Gradient Cyber is actively tracking this vulnerability and monitoring for signs of exploitation. We’ll continue to provide updates as new information emerges.

Need Assistance?

If you’re unsure whether your environment is exposed—or if you need help with detection, response, or mitigation—Gradient Cyber is here to support you.

Contact our team today.
View full post