CrowdStrike recently dropped a bombshell: two vulnerabilities in its Windows Falcon sensor that let attackers delete arbitrary files, assuming they already have code-execution access. That’s right, even top-tier endpoint security tools are not immune.
These issues, tracked as CVE-2025-42701 (a TOCTOU race condition) and CVE-2025-42706 (a logic error in origin validation), are rated “medium” in severity (scores 5.6 and 6.5, respectively).
While CrowdStrike says there’s no evidence of exploitation in the wild… that’s cold comfort if you’re sitting on an unpatched system.
What’s Going On Behind the Scenes
- Who’s affected? Windows hosts with Falcon sensor versions 7.28 and earlier, including builds like 7.27, 7.26, 7.25, 7.24. Older Windows 7 / Server 2008 R2 systems (with sensors ≤ 7.16.18635) are also vulnerable.
- What can an attacker do? Once they’ve already managed to run code on your machine (via other vulnerabilities or lateral movement), they can exploit these flaws to delete files, potentially knocking offline critical software or the sensor itself.
- What you cannot do with these flaws: Use them as an initial entry path. They don’t allow remote code execution on a clean, un-compromised system.
- Fixes are available now. CrowdStrike has released updated sensor versions (7.29) and hotfixes for affected earlier builds.
Why This Matters (Even If You Trust Falcon)
- It’s a reminder that no single tool is bulletproof. Security is layered, and even your defenses can become attack vectors.
- Disruption = risk. If a sensor or associated software is broken, your visibility, alerts, and response capabilities could suffer, exactly when you need them.
- Attackers often chain flaws. These vulnerabilities might be part of a larger exploit path, used in combination with other weaknesses to escalate attacks.
Your Action Plan (Start Now)
Here’s how to get ahead of this:
| Task | Why | Tips |
| --- | --- | --- |
| Patch immediately | CrowdStrike has pushed fixes and hotfixes. | Start with test environments, then roll out broadly. |
| Run CrowdStrike’s detection query | Find hosts with vulnerable sensor versions. | Use the query that CrowdStrike provided. |
| Audit recent changes/deletions | Look for signs of file tampering. | Focus on suspicious activity around system or security tools. |
| Segment critical systems | Reduce damage if a breach happens. | Limit lateral movement in your network. |
| Monitor Falcon health | Ensure sensors are running properly. | Gaps in coverage = exploitable blind spots. |
| Schedule a full incident review | Don’t just patch; understand how an attacker might have arrived. | Reassess defenses holistically. |
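CrowdStrike’s own detection query is not reproduced on this page. As an added example (not CrowdStrike’s code), the script below triages a host inventory export against the affected-version ranges listed above; the inventory fields and the sensor build numbers in the sample are assumed and constructed, and any hotfixed 7.2x build is still flagged for review because its build number is not on this page.

```python
"""Triage a Falcon sensor inventory against the affected-version ranges
described above (CVE-2025-42701 / CVE-2025-42706).

Added example, not CrowdStrike's detection query. The inventory format
(name, OS string, sensor version string) is an assumption."""
from typing import List, NamedTuple, Tuple

LEGACY_OS = ("windows 7", "windows server 2008 r2")
# From the advisory summary above: sensor 7.28 and earlier is affected on
# current Windows; on Windows 7 / Server 2008 R2, sensor <= 7.16.18635.
MAX_AFFECTED_MODERN = (7, 28)
MAX_AFFECTED_LEGACY = (7, 16, 18635)


class Host(NamedTuple):
    name: str
    os: str
    sensor: str  # e.g. "7.27.19907" (major.minor.build)


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.27.19907' -> (7, 27, 19907); malformed strings raise ValueError."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected sensor version: {v!r}")
    return parts


def is_affected(host: Host) -> bool:
    ver = parse_version(host.sensor)
    if host.os.lower().startswith(LEGACY_OS):
        # Legacy 7.16 line: the full build number decides.
        return ver <= MAX_AFFECTED_LEGACY
    # Current line: compare major.minor only. Hotfixed 7.24-7.28 builds
    # carry build numbers this page does not list, so they are flagged
    # for manual review rather than silently passed.
    return ver[:2] <= MAX_AFFECTED_MODERN


def triage(hosts: List[Host]) -> List[str]:
    """Return the names of hosts whose sensor needs patching or review."""
    return sorted(h.name for h in hosts if is_affected(h))


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE = [
    Host("ws-01", "Windows 11", "7.27.19907"),
    Host("ws-02", "Windows 11", "7.29.20100"),
    Host("legacy-01", "Windows 7", "7.16.18635"),
    Host("legacy-02", "Windows Server 2008 R2", "7.16.18700"),
    Host("srv-03", "Windows Server 2022", "7.28.20000"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("needs patch/review:", name)
```

Treat the output as a worklist to reconcile against the vendor query, not as proof that a host is clean.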
Final Thoughts
This isn’t your average medium-severity vulnerability. It’s a powerful example of how trusted tools themselves can turn into attack surfaces, especially once an intruder has any foothold.
If your organization relies on CrowdStrike Falcon, this is a moment to act fast: patch, monitor, and harden surrounding systems. The window of exposure may be narrow, but the potential fallout is anything but small.