CrowdStrike has unveiled and issued patches for two medium-severity vulnerabilities within its Falcon sensor for Windows that might enable an attacker to remove arbitrary files.
The security flaws, identified as CVE-2025-42701 and CVE-2025-42706, necessitate that an attacker has already obtained the capability to execute code on a targeted system.
The organization has stated that there is no indication of these vulnerabilities being exploited in the wild and that fixes are available for all impacted clients.
CrowdStrike Falcon Windows Sensor Vulnerability
The two vulnerabilities stem from distinct categories of weaknesses in the Falcon sensor software.
The first, CVE-2025-42701, represents a Time-of-check Time-of-use (TOCTOU) race condition, classified under CWE-367. This vulnerability has received a CVSS 3.1 score of 5.6 (Medium).
The second, CVE-2025-42706, is a logical flaw concerning origin validation (CWE-346) and holds a marginally elevated CVSS 3.1 rating of 6.5 (Medium).
Both vulnerabilities give a threat actor who has already compromised a system a way to increase their impact. By exploiting these weaknesses, an attacker could delete arbitrary files on the host system.
This could result in considerable stability or functionality issues with the operating system, other installed applications, or even the CrowdStrike Falcon sensor itself, potentially disrupting security oversight.
It is essential to emphasize that these are not remote code execution vulnerabilities and cannot be employed for initial access.
The vulnerabilities affect the CrowdStrike Falcon sensor for Windows versions 7.28 and earlier. Specifically, this impacts builds up to 7.28.20006, 7.27.19907, 7.26.19811, 7.25.19706, and 7.24.19607.
For clients operating older Windows 7 or Windows Server 2008 R2 systems, sensor versions 7.16.18635 and earlier are also at risk. These issues do not affect the Falcon sensors for macOS and Linux.
CrowdStrike has provided fixes across multiple sensor versions to resolve the vulnerabilities. The issues have been rectified in the latest Falcon sensor for Windows, version 7.29.
In addition, emergency patches have been issued for versions 7.28 (7.28.20008), 7.27 (7.27.19909), 7.26 (7.26.19813), 7.25 (7.25.19707), and 7.24 (7.24.19608).
A specific emergency patch, 7.16.18637, is accessible for the affected Windows 7 and 2008 R2 systems. Clients are strongly urged to upgrade all Windows hosts running vulnerable sensor versions to a patched version.
| Affected Version | Patched Version |
|---|---|
| 7.28.20006 | 7.28.20008 and later |
| 7.27.19907 | 7.27.19909 |
| 7.26.19811 & 7.26.19809 | 7.26.19813 |
| 7.25.19706 | 7.25.19707 |
| 7.24.19607 and earlier | 7.24.19608 |
| 7.16.18635 and earlier (WIN7/2008 R2 only) | 7.16.18637 (WIN7/2008 R2 only) |
The security concerns were recognized internally by CrowdStrike as part of its thorough security posture management and through its long-standing bug bounty initiative, which motivates security researchers to discover and report vulnerabilities.
In its advisory, the organization affirmed that its threat hunting and intelligence teams are actively surveilling for any attempts to exploit these vulnerabilities.
To date, no such activities have been observed. The simultaneous release of the vulnerability details along with the corresponding patches ensures that defenders possess the essential tools to remediate the issues before they can be extensively exploited by threat actors.
CrowdStrike has also supplied clients with a query they can utilize to detect impacted hosts within their environment, expediting a more rapid and targeted remediation process.
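As an added illustration (not CrowdStrike's query, and not code from the advisory), the check below maps a reported Windows sensor version to the advisory's patched-build table and flags hosts that still need the upgrade. The hostnames and sensor versions in the sample inventory are constructed; the `legacy_os` flag marks Windows 7 / Server 2008 R2 hosts, which stay on the 7.16 branch.

```python
import re
from typing import NamedTuple, Optional

# First fixed build per sensor branch, taken from the advisory table above.
PATCHED_BUILD = {(7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
                 (7, 25): 19707, (7, 24): 19608}
LEGACY_FIXED = (7, 16, 18637)   # Windows 7 / Server 2008 R2 hosts only
FIXED_BRANCH = (7, 29)          # 7.29 and later need no patch


class Verdict(NamedTuple):
    vulnerable: bool
    target: Optional[str]  # lowest patched build for this host, None if already fixed


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.build', the form the advisory uses for sensor versions."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str, legacy_os: bool = False) -> Verdict:
    """Decide whether a host's sensor build is affected and which build fixes it."""
    v = parse_version(version)
    if legacy_os:
        # Windows 7 / 2008 R2 hosts stay on the 7.16 branch; 7.16.18637 is the fix.
        return Verdict(v < LEGACY_FIXED, None if v >= LEGACY_FIXED else "7.16.18637")
    branch = v[:2]
    if branch >= FIXED_BRANCH:
        return Verdict(False, None)
    if branch in PATCHED_BUILD:
        fixed = PATCHED_BUILD[branch]
        if v[2] >= fixed:
            return Verdict(False, None)
        return Verdict(True, f"{branch[0]}.{branch[1]}.{fixed}")
    # Older than the 7.24 branch: the "7.24.19607 and earlier" row applies.
    return Verdict(True, "7.24.19608")


def vulnerable_hosts(inventory):
    """Return (host, current version, target build) for every affected host."""
    rows = [(h, ver, assess(ver, legacy)) for h, ver, legacy in inventory]
    return [(h, ver, vd.target) for h, ver, vd in rows if vd.vulnerable]


# Constructed sample inventory: (hostname, sensor version, legacy-OS flag).
SAMPLE_INVENTORY = [("ws-01", "7.28.20006", False), ("ws-02", "7.28.20008", False),
                    ("srv-03", "7.26.19809", False), ("kiosk-04", "7.16.18635", True),
                    ("ws-05", "7.29.20100", False)]
```

Feed `vulnerable_hosts` a list built from your own asset inventory to get the per-host upgrade target; the function reports the lowest fixed build on the host's current branch, while 7.29 remains the release the advisory recommends.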