Categories: Cyber Security News

CrowdStrike Falcon Vulnerability Allows Attackers to Execute Code and Delete Files

The vulnerabilities, designated as CVE-2025-42701 and CVE-2025-42706, both require attackers to have previously established code execution capabilities on the target system.

CVE-2025-42701 represents a Time-of-check Time-of-use (TOCTOU) race condition vulnerability with a CVSS score of 5.6, whereas CVE-2025-42706 involves a logic error related to origin validation, carrying a higher CVSS score of 6.5.

Both flaws could allow malicious actors to delete arbitrary files on affected Windows systems, potentially causing stability issues with the Falcon sensor or other critical software components, including the operating system itself.

The race condition vulnerability stems from a TOCTOU issue classified under CWE-367, while the logic error relates to origin validation problems categorized as CWE-346.

CrowdStrike discovered these vulnerabilities through its established Bug Bounty program as part of comprehensive security assessments.

The company emphasizes that only Windows-based Falcon sensors are affected, with Mac, Linux, and Legacy Windows Systems remaining unimpacted by these security flaws.

| CVE ID | Affected Product | Vulnerability Type | CVSS 3.1 Score | Impact | Exploit Prerequisites |
|---|---|---|---|---|---|
| CVE-2025-42701 | CrowdStrike Falcon Sensor for Windows | Race Condition (TOCTOU – CWE-367) | 5.6 (Medium) | Arbitrary file deletion with prior code execution | Previously established code execution capabilities |
| CVE-2025-42706 | CrowdStrike Falcon Sensor for Windows | Logic Error (Origin Validation – CWE-346) | 6.5 (Medium) | Arbitrary file deletion with prior code execution | Previously established code execution capabilities |

Comprehensive Patches Released Across Multiple Versions

CrowdStrike implemented fixes across multiple sensor versions to ensure comprehensive coverage.

The patches are available in Falcon sensor version 7.29, as well as hotfix releases for versions 7.24 through 7.28, and a specialized hotfix for 7.16, specifically for Windows 7 and 2008 R2 systems.

Affected versions include 7.28.20006, 7.27.19907, 7.26.19811, 7.25.19706, 7.24.19607 and earlier builds, plus 7.16.18635 and earlier 7.16 builds for Windows 7 and 2008 R2 environments.

The corresponding patched versions include 7.28.20008 and later, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608, and 7.16.18637 for legacy Windows systems.

The version 7.24 hotfix also serves as an update for the current Long-Term Visibility sensor for Windows IoT deployments.
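The version lists above can be turned into a triage check over an exported host inventory. The following is an added example, not CrowdStrike's query or code; the inventory tuple layout, the hostnames, and the handling of branches with no listed hotfix are assumptions.

```python
import re

# Minimum fixed build per sensor branch, from the patched versions listed above.
FIXED_BUILD = {
    (7, 28): 20008,
    (7, 27): 19909,
    (7, 26): 19813,
    (7, 25): 19707,
    (7, 24): 19608,
    (7, 16): 18637,  # hotfix for Windows 7 / 2008 R2 hosts
}
FIRST_FIXED_RELEASE = (7, 29)  # 7.29 ships with the fixes


def classify(version):
    """Return 'patched', 'vulnerable' or 'upgrade-branch' for a sensor version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unexpected sensor version: {version!r}")
    major, minor, build = (int(g) for g in m.groups())
    if (major, minor) >= FIRST_FIXED_RELEASE:
        return "patched"
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        # Assumption: a branch with no hotfix listed on the page has no fixed
        # build to move to, so the host must change branch.
        return "upgrade-branch"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map hostname -> status for Windows hosts that still need action."""
    findings = {}
    for host, platform, version in inventory:
        if platform.lower() != "windows":
            continue  # Mac and Linux sensors are not affected
        status = classify(version)
        if status != "patched":
            findings[host] = status
    return findings


# Constructed sample inventory (hostnames and the 7.20/7.29 builds are made up).
INVENTORY = [
    ("ws-001", "Windows", "7.28.20006"),
    ("ws-002", "Windows", "7.28.20008"),
    ("srv-2008", "Windows", "7.16.18635"),
    ("mac-01", "Mac", "7.27.19907"),
    ("ws-old", "Windows", "7.20.19000"),
    ("ws-new", "Windows", "7.29.20100"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A build that falls between a listed affected build and its fix (for example a hypothetical 7.28.20007) is reported as vulnerable, which is the conservative reading of the lists.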

CrowdStrike provides a GitHub query to help customers identify potentially impacted hosts within their environments.

CrowdStrike reports no evidence of active exploitation of these vulnerabilities in production environments.

The company’s threat hunting and intelligence teams maintain continuous monitoring for potential abuse attempts and have established visibility mechanisms to detect exploitation efforts.

This proactive disclosure follows industry best practices for coordinated vulnerability disclosure, ensuring customers receive timely protection guidance.

The company confirms that no performance impact is expected from the security updates, with testing revealing no direct or indirect effects on sensor functionality.

CrowdStrike strongly recommends that customers upgrade Windows hosts running affected sensor versions to the latest patched releases to maintain an optimal security posture and prevent potential file deletion attacks.


The post CrowdStrike Falcon Vulnerability Allows Attackers to Execute Code and Delete Files appeared first on Cyber Security News.
