CrowdStrike has disclosed and released patches for two medium-severity vulnerabilities in its Falcon sensor for Windows that could allow an attacker to delete arbitrary files.
The security vulnerabilities, designated as CVE-2025-42701 and CVE-2025-42706, require an attacker to have already gained the ability to execute code on a target system.
The company has stated that there is no evidence of these vulnerabilities being exploited in the wild and that fixes are available for all affected customers.
CrowdStrike Falcon Windows Sensor Vulnerability
The two vulnerabilities originate from different types of weaknesses within the Falcon sensor software.
The first, CVE-2025-42701, is a time-of-check to time-of-use (TOCTOU) race condition (CWE-367), the class of bug in which a file or object is validated and then acted on later, leaving a window in which it can be swapped for something else between the check and the use. It has been assigned a CVSS 3.1 score of 5.6 (Medium).
The second, CVE-2025-42706, is a logic error in origin validation (CWE-346), the class of bug in which software does not adequately verify the source of a request or piece of data before trusting it. It carries a slightly higher CVSS 3.1 score of 6.5 (Medium).
Both vulnerabilities provide a pathway for a threat actor who has already compromised a system to escalate their impact. By exploiting these issues, an attacker could delete arbitrary files on the host system.
This could lead to significant stability or functionality problems with the operating system, other installed software, or even the CrowdStrike Falcon sensor itself, potentially disrupting security monitoring.
It is important to note that these are not remote code execution vulnerabilities and cannot be used for initial access.
The vulnerabilities impact the CrowdStrike Falcon sensor for Windows versions 7.28 and earlier. Specifically, this includes builds up to 7.28.20006, 7.27.19907, 7.26.19811, 7.25.19706, and 7.24.19607.
For customers still running Windows 7 or Windows Server 2008 R2, sensor versions 7.16.18635 and earlier are also affected. These issues do not impact the Falcon sensors for macOS and Linux.
CrowdStrike has released fixes across multiple sensor versions to address the flaws. The issues are resolved in the latest Falcon sensor for Windows, version 7.29.
Additionally, hotfixes have been issued for versions 7.28 (7.28.20008), 7.27 (7.27.19909), 7.26 (7.26.19813), 7.25 (7.25.19707), and 7.24 (7.24.19608).
A specific hotfix, 7.16.18637, is available for the affected Windows 7 and 2008 R2 systems. Customers are strongly advised to upgrade all Windows hosts running impacted sensor versions to a patched release.
| Affected Version | Patched Version |
|---|---|
| 7.28.20006 | 7.28.20008 and later |
| 7.27.19907 | 7.27.19909 |
| 7.26.19811 & 7.26.19809 | 7.26.19813 |
| 7.25.19706 | 7.25.19707 |
| 7.24.19607 and earlier | 7.24.19608 |
| 7.16.18635 and earlier (WIN7/2008 R2 only) | 7.16.18637 (WIN7/2008 R2 only) |
The security issues were identified by CrowdStrike through its internal security posture management and its longstanding bug bounty program, which encourages security researchers to find and report vulnerabilities.
In its advisory, the company confirmed that its threat hunting and intelligence teams are actively monitoring for any attempts to exploit these vulnerabilities.
To date, no such activity has been detected. Releasing the vulnerability details and the corresponding patches at the same time gives defenders what they need to remediate before the issues can be widely abused by threat actors.
CrowdStrike has also provided customers with a query they can use to identify impacted hosts within their environment, facilitating a more rapid and targeted remediation process.
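The version table above is easy to misread across six branches, so here is an added example that turns it into a checker for an exported host inventory. This is not CrowdStrike's code or its host-identification query; the inventory rows and build numbers in the sample are constructed, and the treatment of builds the table does not name (anything on 7.29 or newer is taken as fixed, and hosts older than 7.24 are pointed at the 7.24 hotfix) is an assumption stated in the comments.

```python
"""Added example: classify Falcon Windows sensor versions against the
patched-build table in this article (CVE-2025-42701 / CVE-2025-42706).
Not CrowdStrike code; the inventory below is constructed."""
from dataclasses import dataclass

# Minimum fixed build per sensor branch, taken from the article's table.
FIXED_BUILD = {
    (7, 28): 20008,
    (7, 27): 19909,
    (7, 26): 19813,
    (7, 25): 19707,
    (7, 24): 19608,
}
# Hotfix branch that only applies to Windows 7 / Windows Server 2008 R2.
LEGACY_BRANCH, LEGACY_FIXED_BUILD = (7, 16), 18637
LEGACY_OS = {"windows 7", "windows server 2008 r2"}


def parse_version(text):
    """'7.28.20006' -> (7, 28, 20006); rejects anything not major.minor.build."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected sensor version format: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Verdict:
    hostname: str
    version: str
    affected: bool
    target: str  # patched build to move to; empty when already fixed


def assess(hostname, version, os_name):
    """Decide whether one host still needs the fix and which build to move to."""
    major, minor, build = parse_version(version)
    branch = (major, minor)
    legacy = os_name.strip().lower() in LEGACY_OS

    # The 7.16 hotfix only exists for the legacy OS set.
    if legacy and branch == LEGACY_BRANCH:
        fixed = LEGACY_FIXED_BUILD
        target = "" if build >= fixed else f"7.16.{fixed}"
        return Verdict(hostname, version, build < fixed, target)

    # Assumption: 7.29 and anything newer ships the fix.
    if branch >= (7, 29):
        return Verdict(hostname, version, False, "")

    if branch in FIXED_BUILD:
        fixed = FIXED_BUILD[branch]
        target = "" if build >= fixed else f"{major}.{minor}.{fixed}"
        return Verdict(hostname, version, build < fixed, target)

    # Anything older than 7.24 falls under "7.24.19607 and earlier": affected.
    # Outside the legacy OS set the 7.16 hotfix is not an option, so the host
    # has to move to 7.24.19608 or a newer branch (assumption: recommend 7.24).
    return Verdict(hostname, version, True, "7.24.19608")


def affected_hosts(inventory):
    """Return a verdict for every host that still needs patching."""
    return [v for v in (assess(*row) for row in inventory) if v.affected]


# Constructed sample inventory (hostname, sensor version, OS). Hostnames and
# the 7.29 / 7.21 build numbers are made up for illustration.
SAMPLE_INVENTORY = [
    ("ws-001", "7.28.20006", "Windows 11"),
    ("ws-002", "7.28.20008", "Windows 11"),
    ("ws-003", "7.26.19809", "Windows 10"),
    ("srv-001", "7.29.20100", "Windows Server 2022"),
    ("srv-002", "7.21.18300", "Windows Server 2016"),
    ("legacy-01", "7.16.18635", "Windows 7"),
    ("legacy-02", "7.16.18637", "Windows Server 2008 R2"),
]

if __name__ == "__main__":
    for v in affected_hosts(SAMPLE_INVENTORY):
        print(f"{v.hostname:10} {v.version:12} -> upgrade to {v.target}")
```

Feed it the hostname, sensor version and OS columns of whatever host export you already have; the OS column matters because a 7.16 build is only "fixed" by the 7.16.18637 hotfix on Windows 7 and Server 2008 R2, while the same build on a supported OS needs a branch upgrade.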