CrowdStrike has disclosed two critical vulnerabilities affecting its Falcon sensor for Windows that could enable attackers to delete arbitrary files and potentially compromise system stability.
The cybersecurity company released patches for both security flaws in its latest sensor version 7.29, along with hotfixes for earlier versions.
Security Vulnerabilities Enable File Deletion Attacks
The vulnerabilities, identified as CVE-2025-42701 and CVE-2025-42706, both require attackers to have previously established code execution capabilities on the target system.
CVE-2025-42701 represents a race condition vulnerability with a CVSS score of 5.6, while CVE-2025-42706 involves a logic error with a higher CVSS score of 6.5.
Both flaws could allow malicious actors to delete arbitrary files on affected Windows systems, potentially causing stability issues with the Falcon sensor or other critical software components including the operating system itself.
The race condition vulnerability stems from a Time-of-check Time-of-use (TOCTOU) issue classified under CWE-367, while the logic error relates to origin validation problems categorized as CWE-346.
CrowdStrike discovered these vulnerabilities through its established Bug Bounty program as part of comprehensive security assessments.
The company emphasizes that only Windows-based Falcon sensors are affected, with Mac, Linux, and Legacy Windows Systems remaining unimpacted by these security flaws.
| CVE ID | Vulnerability Type | CVSS Score | Impact |
| --- | --- | --- | --- |
| CVE-2025-42701 | CrowdStrike Falcon Sensor for Windows Race Condition | 5.6 (MEDIUM) | File deletion capability with prior code execution |
| CVE-2025-42706 | CrowdStrike Falcon Sensor for Windows Logic Error | 6.5 (MEDIUM) | File deletion capability with prior code execution |
CrowdStrike implemented fixes across multiple sensor versions to ensure comprehensive coverage.
The patches are available in Falcon sensor version 7.29, hotfix releases for versions 7.24 through 7.28, and a specialized 7.16 hotfix for Windows 7 and 2008 R2 systems.
Affected versions include 7.28.20006, 7.27.19907, 7.26.19811, 7.25.19706, 7.24.19607 and earlier builds, plus 7.16.18635 and earlier 7.16 builds for Windows 7 and 2008 R2 environments.
The corresponding patched versions include 7.28.20008 and later, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608, and 7.16.18637 for legacy Windows systems.
The version 7.24 hotfix also serves as an update for the current Long-Term Visibility sensor for Windows IoT deployments.
CrowdStrike provides a GitHub query to help customers identify potentially impacted hosts within their environments.
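For teams that only have a host inventory export, the version lists above can be turned into a quick triage. The following Python script is an added example, not CrowdStrike's query or code from the advisory. It assumes a CSV with hypothetical columns hostname, platform and sensor_version, and it conservatively treats any build below a branch's listed fixed build, and any older branch without a listed hotfix, as affected.

```python
import csv
import io

# First fixed build per branch, from the patched versions listed in the article.
FIXED_BUILD = {(7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
               (7, 25): 19707, (7, 24): 19608,
               (7, 16): 18637}  # 7.16 hotfix: Windows 7 / 2008 R2
FIRST_FIXED_RELEASE = (7, 29)

def classify(version):
    """Return 'patched', 'affected' or 'unknown' for a Windows sensor version."""
    try:
        major, minor, build = (int(p) for p in version.strip().split(".")[:3])
    except ValueError:
        return "unknown"  # malformed or truncated version string: review by hand
    branch = (major, minor)
    if branch >= FIRST_FIXED_RELEASE:
        return "patched"
    if branch in FIXED_BUILD:
        # Assumption: every build below the listed fixed build counts as affected.
        return "patched" if build >= FIXED_BUILD[branch] else "affected"
    return "affected"  # assumption: older branch with no listed hotfix

def triage(inventory_csv):
    """Group Windows hosts by status; other platforms are not affected per the article."""
    result = {"patched": [], "affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].strip().lower() != "windows":
            continue
        result[classify(row["sensor_version"])].append(row["hostname"])
    return result

# Constructed sample inventory: hostnames, columns and the 7.29 build are made up.
SAMPLE = """hostname,platform,sensor_version
ws-001,Windows,7.28.20006
ws-002,Windows,7.28.20008
ws-003,Windows,7.29.20108
srv-2008,Windows,7.16.18635
srv-2008b,Windows,7.16.18637
kiosk-01,Windows,7.23.19508
mac-01,Mac,7.28.20006
ws-004,Windows,n/a
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as unknown have a version string the script could not parse and should be checked by hand rather than assumed safe.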
CrowdStrike reports no evidence of active exploitation of these vulnerabilities in production environments.
The company’s threat hunting and intelligence teams maintain continuous monitoring for potential abuse attempts and have established visibility mechanisms to detect exploitation efforts.
This proactive disclosure follows industry best practices for coordinated vulnerability disclosure, ensuring customers receive timely protection guidance.
The company confirms that no performance impact is expected from the security updates, with testing revealing no direct or indirect effects on sensor functionality.
CrowdStrike strongly recommends that customers upgrade Windows hosts running affected sensor versions to the latest patched releases to maintain optimal security posture and prevent potential file deletion attacks.