Max-Severity Bug in Caldera Enables Attackers to Take Full Control of Systems

Real-life hackers could hack a platform used in red team exercises to simulate hacking, said a security researcher who warned users that he’ll soon drop a Metasploit module for the flaw.
“So patch your instances! Or even better – don’t expose them to the internet!” wrote independent security researcher Dawid Kulikowski, a contributor to the Mitre Caldera open-source security testing platform.
Kulikowski identified a flaw in the platform that merits a rare 10 out of 10 for severity on the CVSS scale. Tracked as CVE-2025-27364, it works in default configurations of Caldera so long as the programming languages Go and Python and the GNU Compiler Collection are present on the same server as Caldera software. That’s much more likely than not: “All of these dependencies are required for Caldera to be fully functional in the first place,” Kulikowski wrote.
Hackers could use the flaw to inject and execute malicious code with the same privileges as the server, potentially leading to full system compromise.
The flaw affects every instance of Caldera stretching back to initial versions made in 2017 except the most recent version – Master branch or v5.1.0+ – which contains a patch.
Caldera is an open-source platform designed to mimic real-world cyberthreats and help organizations test their security defenses. Red teams use it to simulate attacks, while blue teams analyze and respond to these threats in a controlled environment. The platform automates adversary tactics, deploying agents that move through networks like real attackers would.
Attackers can exploit CVE-2025-27364 by sending specially crafted API requests. The vulnerability is linked to Manx and Sandcat, two core components of the platform that facilitate adversary emulation and red-teaming exercises. Sandcat is a default agent for simulating attacker behavior that enables automated threat actions. Manx functions as a reverse shell, allowing remote command execution on compromised systems.
The flaw lies in how these agents handle dynamic compilation, a feature that enables users to customize how they operate in different environments. Through specially crafted HTTP headers, users can define critical parameters such as the agent’s communication method, encryption keys and the server address it connects to for receiving instructions. The system compiles the agent on the fly, embedding these parameters directly into the generated binary. This same mechanism can be exploited, enabling attackers to inject arbitrary code and gain full control over the system.
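One defensive pattern for this class of bug, shown as an added example that is neither Caldera's code nor its patch: request-supplied build parameters are checked against a strict allowlist before any of them reaches the compiler invocation. The parameter names, patterns, file names and the use of Go linker `-X` flags to embed the values are assumptions made for illustration.

```python
import re

# Hypothetical build parameters and the only value shape accepted for each.
# Names and patterns are assumptions for this example, not Caldera's own.
ALLOWED = {
    "server": re.compile(r"https?://[A-Za-z0-9.-]{1,253}(:\d{1,5})?"),
    "contact": re.compile(r"http|tcp|udp|websocket"),
    "key": re.compile(r"[A-Za-z0-9]{16,64}"),
}


class RejectedParameter(ValueError):
    """Raised when a build parameter fails allowlist validation."""


def validate_build_params(headers):
    """Return the allowlisted parameters; raise if any value is malformed."""
    clean = {}
    for name, value in headers.items():
        name = name.lower()
        if name not in ALLOWED:
            continue  # not a build parameter, never forwarded to the build
        # fullmatch, not match/search: the whole value must fit the pattern,
        # including any trailing newline that "$" would let through.
        if not ALLOWED[name].fullmatch(value):
            raise RejectedParameter(f"{name}: value rejected by allowlist")
        clean[name] = value
    return clean


def build_argv(headers, source="agent.go", output="agent.bin"):
    """Build the compiler argv from validated parameters only."""
    params = validate_build_params(headers)
    # The patterns exclude whitespace and quotes, so each value stays one
    # token inside the single -ldflags argument.
    ldflags = " ".join(f"-X main.{k}={v}" for k, v in sorted(params.items()))
    # An argv list handed to subprocess without a shell, never a joined string.
    return ["go", "build", "-ldflags", ldflags, "-o", output, source]


if __name__ == "__main__":
    # Constructed sample request headers.
    sample = {"Server": "http://10.0.0.5:8888", "Contact": "http",
              "User-Agent": "example-client"}
    print(build_argv(sample))
```

Validation of this kind complements, and does not replace, requiring authentication on the compilation endpoint and keeping the server off the internet.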
Kulikowski found that the Caldera server lacks proper authentication mechanisms when handling dynamic compilation, allowing attackers to inject malicious commands into systems running the affected agents. To demonstrate the impact, he developed a proof-of-concept exploit for CVE-2025-27364. While he published the PoC alongside his analysis, he made slight modifications to the code “to prevent script kiddies from being able to easily abuse it.”
That restraint will last only so long. “The reporting author intends to release a fully-featured Metasploit module in the coming week(s),” he wrote.