CrowdStrike has disclosed two medium-severity vulnerabilities in its Falcon sensor for Windows that could allow attackers who already have code execution on a system to delete arbitrary files. These flaws have been patched in the latest sensor versions, and no evidence of active exploitation has been found so far.
Details of the Vulnerabilities
The vulnerabilities are identified as CVE-2025-42701 and CVE-2025-42706. Both originate from different weaknesses in the Falcon sensor software:
- CVE-2025-42701: A Time-of-check Time-of-use (TOCTOU) race condition, classified under CWE-367, with a CVSS 3.1 score of 5.6 (Medium).
- CVE-2025-42706: A logic error related to origin validation (CWE-346), with a CVSS 3.1 score of 6.5 (Medium).
Exploiting these vulnerabilities could allow attackers to delete files on affected Windows systems, potentially causing system instability, disrupting installed applications, or interfering with the Falcon sensor itself. It is important to note that these issues do not provide initial access and are not remote code execution flaws.
Affected Systems
Affected Windows sensors include Falcon sensor 7.28 and earlier, specifically builds 7.28.20006, 7.27.19907, 7.26.19811, 7.25.19706, and 7.24.19607. Older Windows 7 and Windows Server 2008 R2 systems running sensor 7.16.18635 and earlier are also affected. macOS and Linux sensors are not affected.
Patched Versions and Hotfixes
CrowdStrike has released updates and hotfixes to mitigate these vulnerabilities:
| Affected Version | Patched Version |
| --- | --- |
| 7.28.20006 | 7.28.20008 and later |
| 7.27.19907 | 7.27.19909 |
| 7.26.19811 & 7.26.19809 | 7.26.19813 |
| 7.25.19706 | 7.25.19707 |
| 7.24.19607 and earlier | 7.24.19608 |
| 7.16.18635 and earlier (WIN7/2008 R2 only) | 7.16.18637 (WIN7/2008 R2 only) |
Customers are strongly encouraged to update all affected Windows systems to these patched versions immediately.
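As an added example (not CrowdStrike's code and not the vendor query mentioned in this article), the following Python triages an inventory of Windows sensor versions against the table above. The inventory rows are constructed, and three behaviours are assumptions: later builds within a listed branch count as patched, versions above 7.28 are reported as unlisted rather than judged, and Windows 7 / Server 2008 R2 hosts are compared only against the 7.16 row.

```python
import re

# Minimum fixed build per sensor branch, copied from the table above.
FIXED = {(7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
         (7, 25): 19707, (7, 24): 19608}
LEGACY_FIXED = (7, 16, 18637)  # Windows 7 / Server 2008 R2 row


def parse(version):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised sensor version: {version!r}")
    return tuple(int(part) for part in m.groups())


def triage(version, legacy_os=False):
    """Return (status, minimum fixed version or None) for one Windows sensor."""
    major, minor, build = v = parse(version)
    if legacy_os:
        if v < LEGACY_FIXED:
            return "affected", "7.16.18637"
        # Assumption: only the 7.16 line is judged for legacy hosts.
        return ("patched", None) if v[:2] == (7, 16) else ("unlisted", None)
    branch = (major, minor)
    if branch > (7, 28):
        return "unlisted", None  # the article only lists 7.28 and earlier
    if branch < (7, 24):
        return "affected", "7.24.19608"  # "7.24.19607 and earlier" row
    fixed = FIXED[branch]
    if build >= fixed:  # assumption: later builds of a branch keep the fix
        return "patched", None
    return "affected", f"{major}.{minor}.{fixed}"


# Constructed inventory rows: (hostname, sensor version, legacy OS?)
INVENTORY = [
    ("ws-001", "7.28.20006", False),
    ("ws-002", "7.26.19813", False),
    ("srv-003", "7.22.19410", False),
    ("old-004", "7.16.18635", True),
]


def report(rows):
    return {host: triage(ver, legacy) for host, ver, legacy in rows}


if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(f"{host}: {status}" + (f", fixed in {target}" if target else ""))
```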
Security Monitoring and Detection
The vulnerabilities were discovered internally by CrowdStrike during security posture assessments and through its bug bounty program, which incentivizes researchers to report flaws. The company’s threat hunting and intelligence teams continue monitoring for exploitation attempts, and no incidents have been observed. Additionally, CrowdStrike provides a query for customers to identify impacted hosts, enabling faster remediation.


