
A new maximum-severity RCE vulnerability in MITRE Caldera, CVE-2025-27364, puts exposed servers at serious risk of full compromise. The flaw can also be chained with a separate Parallels Desktop issue, CVE-2024-34331, which compounds the danger. Successful exploitation can hand attackers full control of the affected host, enabling unauthorized access, data breaches, and lateral movement across the impacted network.
With weaponized CVEs appearing at an ever faster rate, proactive threat detection has never been more urgent. In early 2025 alone, the NIST NVD had already recorded 6,480 new vulnerabilities, many of them already exploited in real-world attacks. As threats keep evolving, security teams must prioritize early detection to stay ahead of exploitation attempts and contain risk effectively.
SOC Prime Platform for collective cyber defense equips security teams with a global active threats feed, real-time CTI, and curated detection algorithms to spot and stop attacks that leverage weaponized CVEs at their earliest stages. Register on the Platform to access an extensive library of Sigma rules backed by a complete product suite for advanced threat detection and hunting. You can also browse the rules library filtered by the “CVE” tag by hitting Explore Detections below, so you won’t miss a threat that could affect your business; new detections are added daily.
All rules can be used across multiple security analytics solutions and are mapped to the MITRE ATT&CK framework to streamline threat research. Each detection is also enriched with detailed metadata, including CTI references, attack timelines, triage recommendations, and more.
CVE-2025-27364 Analysis
Researchers recently disclosed an RCE flaw in MITRE Caldera, tracked as CVE-2025-27364 (CVSS 10.0), affecting versions up to 4.2.0 and 5.0.0 (before commit 35bc06e). The bug sits in the server’s dynamic agent (implant) compilation feature and is especially hazardous because exploitation requires no authentication. An attacker can abuse the affected API to inject malicious code into the compilation process, so that the server builds and serves attacker-controlled Sandcat or Manx agents. The injection vector is the gcc -extldflags linker flag: it passes arbitrary flags to the external linker during the Go build, and the attacker smuggles sub-commands through it. Given Caldera’s extensive role in penetration testing and adversary emulation, the flaw poses a considerable risk to organizations that rely on the platform for red teaming and security automation.
The public release of a CVE-2025-27364 PoC significantly raises the likelihood of real-world exploitation: the attack amounts to a single crafted curl request. In the PoC, a successful attack launches a reverse shell through a Python script and yields root access; in general, the resulting shell runs with whatever privileges the Caldera server process has, so a server started as root is fully compromised.
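The injection pattern described above, shown as an added illustrative example rather than Caldera’s own code or the published PoC: a hypothetical compile service that splices client-supplied text into `go build -ldflags`, a checker for the flags that hand control to the external linker, and a hardened variant that never accepts flag text at all. The function names, the header-derived `client_ldflags` string and the placeholder attacker payload are assumptions.

```python
"""Illustrative code, not Caldera's: how an agent-compile service can splice
untrusted linker flags into `go build`, and one way to harden it.
Assumption: the server builds agents with `go build -ldflags ...` and the
flag text originates from an unauthenticated HTTP request."""
import re
import shlex

# Go linker options that hand control to the external toolchain (gcc) or
# change how the link runs. The page names -extldflags as the abused flag;
# the others are listed defensively (assumption: legitimate agent builds
# never need them from a client).
DANGEROUS_LINK_FLAGS = {"-extldflags", "-extld", "-linkmode", "-tmpdir"}

# The only characters a server address, port or agent key legitimately contain.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:/-]{1,200}$")


def vulnerable_build_argv(agent_src: str, client_ldflags: str) -> list[str]:
    """Vulnerable pattern: free-form flag text from the request is
    concatenated into -ldflags. Whatever the client writes, including
    -extldflags "<gcc args>", reaches the Go linker and then gcc."""
    ldflags = f"-s -w {client_ldflags}"
    return ["go", "build", "-o", "agent", "-ldflags", ldflags, agent_src]


def dangerous_ldflags(ldflags: str) -> list[str]:
    """Return the dangerous linker tokens in an -ldflags string, covering
    both the `-extldflags=...` and `-extldflags ...` spellings."""
    try:
        tokens = shlex.split(ldflags)
    except ValueError:            # unbalanced quotes: treat as hostile
        return ["<unparseable>"]
    return [tok for tok in tokens if tok.split("=", 1)[0] in DANGEROUS_LINK_FLAGS]


def hardened_build_argv(agent_src: str, server: str, key: str) -> list[str]:
    """Hardened pattern: the server never accepts flag text. It takes named
    values, validates each against a strict character set and assembles
    -ldflags itself, so -extldflags cannot be smuggled in."""
    for label, value in (("server", server), ("key", key)):
        if not SAFE_VALUE.match(value):
            raise ValueError(f"rejected {label}: {value!r}")
    ldflags = f"-s -w -X main.server={server} -X main.key={key}"
    if dangerous_ldflags(ldflags):    # defence in depth; cannot trigger here
        raise ValueError("dangerous linker flag in server-built ldflags")
    return ["go", "build", "-o", "agent", "-ldflags", ldflags, agent_src]


if __name__ == "__main__":
    # Constructed attacker input: an -extldflags payload riding on an
    # otherwise normal -X flag. The gcc arguments are a placeholder, not the
    # published PoC.
    evil = '-X main.key=abc -extldflags "ATTACKER_GCC_ARGS"'
    argv = vulnerable_build_argv("sandcat.go", evil)
    print("vulnerable argv:", argv)
    print("dangerous tokens:", dangerous_ldflags(argv[argv.index("-ldflags") + 1]))
    print("hardened argv:", hardened_build_argv("sandcat.go", "10.0.0.5:8888", "abc"))
    try:
        hardened_build_argv("sandcat.go", '10.0.0.5 -extldflags "x"', "abc")
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that tokenizing and blocklisting (`dangerous_ldflags`) is only a backstop; the real fix is the shape of `hardened_build_argv`, which takes named values with a tight character set and never lets a client author any part of the linker command line.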
Notably, CVE-2025-27364 can also be chained with CVE-2024-34331, an older, still-unresolved vulnerability in Parallels Desktop that enables local privilege escalation on macOS. Together, the two flaws can give an attacker full control of the targeted system, leading to unauthorized access, data breaches, and wider network compromise.
To address CVE-2025-27364 in time, update promptly to a fixed release: pull the master branch or upgrade to version 5.1.0 or later. In addition, restrict access to Caldera’s API through network segmentation and strict access controls, and continuously monitor for unusual agent compilations or API activity so that exploitation attempts are caught early. SOC Prime Platform for collective cyber defense helps organizations outscale cyber threats of any sophistication by relying on its complete product suite powered by AI, actionable threat intelligence, and advanced automation to adopt a next-gen SOC strategy.
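To make the monitoring recommendation concrete, here is an added example (not SOC Prime’s detection content and not Caldera’s code) that scans a constructed JSON request log for the three signals a defender would want after this advisory: compile requests from outside the operator network, linker-flag values carrying -extldflags or shell metacharacters, and bursts of agent compilations from a single source. The log format, the `linker_flags` field, the operator network range and the sample lines are all assumptions; `/file/download` is Caldera’s agent download endpoint.

```python
"""Added example: flag unusual agent compilations in a constructed request log.
Assumptions: the server logs each agent-download/compile request as one JSON
line with client IP, path and the compile-related headers, including a
hypothetical `linker_flags` field holding the client-supplied -ldflags text."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

COMPILE_PATH = "/file/download"                          # Caldera agent download endpoint
OPERATOR_NETS = [ipaddress.ip_network("10.0.0.0/24")]    # assumption: red-team hosts live here
# Linker options that should never arrive from a client, plus shell metacharacters.
SUSPICIOUS = re.compile(r"-(?:extldflags|extld|linkmode|tmpdir)\b|[;&|`$]")
BURST_LIMIT = 5                      # compile requests per source ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window is abnormal (assumption)

# Constructed sample log, not real traffic. Line 2 carries the injection,
# lines 3-7 are a burst from one internal host, line 8 is unrelated API use.
SAMPLE_LOG = r"""
{"ts": "2025-02-25T10:00:01Z", "src": "10.0.0.21", "path": "/file/download", "file": "sandcat.go", "platform": "linux", "linker_flags": "-X main.key=abc"}
{"ts": "2025-02-25T10:00:09Z", "src": "203.0.113.7", "path": "/file/download", "file": "sandcat.go", "platform": "linux", "linker_flags": "-X main.key=abc -extldflags \"ATTACKER_GCC_ARGS\""}
{"ts": "2025-02-25T10:01:00Z", "src": "10.0.0.33", "path": "/file/download", "file": "manx.go", "platform": "linux", "linker_flags": "-X main.key=k1"}
{"ts": "2025-02-25T10:01:20Z", "src": "10.0.0.33", "path": "/file/download", "file": "manx.go", "platform": "linux", "linker_flags": "-X main.key=k2"}
{"ts": "2025-02-25T10:01:40Z", "src": "10.0.0.33", "path": "/file/download", "file": "manx.go", "platform": "linux", "linker_flags": "-X main.key=k3"}
{"ts": "2025-02-25T10:02:00Z", "src": "10.0.0.33", "path": "/file/download", "file": "manx.go", "platform": "linux", "linker_flags": "-X main.key=k4"}
{"ts": "2025-02-25T10:02:20Z", "src": "10.0.0.33", "path": "/file/download", "file": "manx.go", "platform": "linux", "linker_flags": "-X main.key=k5"}
{"ts": "2025-02-25T10:05:00Z", "src": "10.0.0.21", "path": "/api/v2/agents", "file": "", "platform": "", "linker_flags": ""}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (source_ip, reason) alerts for compile requests that are
    off-network, carry suspicious linker flags, or arrive in a burst."""
    alerts: list[tuple[str, str]] = []
    recent: dict[str, list[datetime]] = defaultdict(list)
    burst_reported: set[str] = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("path") != COMPILE_PATH:
            continue                                   # only agent compilations matter
        src = ev["src"]
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in OPERATOR_NETS):
            alerts.append((src, "compile request from outside operator networks"))
        flags = ev.get("linker_flags", "")
        if SUSPICIOUS.search(flags):
            alerts.append((src, f"suspicious linker flags: {flags}"))
        # Sliding window of this source's compile timestamps.
        recent[src] = [t for t in recent[src] + [ts] if ts - t <= BURST_WINDOW]
        if len(recent[src]) >= BURST_LIMIT and src not in burst_reported:
            burst_reported.add(src)
            alerts.append((src, f"{len(recent[src])} compile requests within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for src, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {src}: {reason}")
```

In practice the first two checks are the high-confidence ones: a legitimate operator has no reason to send -extldflags at all, so a single hit is worth an immediate look at the compile endpoint and at any agents that were served afterwards. The burst heuristic is a tuning knob, since a real red-team engagement can legitimately compile several agents in a short time.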
The post CVE-2025-27364 in MITRE Caldera: Exploitation of a New Max-Severity RCE Vulnerability via Linker Flag Manipulation Can Lead to Full System Compromise appeared first on SOC Prime.