Issues Affecting CrowdStrike Falcon Sensor for Windows
Summary
We have released fixes for two issues affecting the Falcon sensor for Windows. Both of these issues require an adversary to have previously established the ability to execute code on the host, and could allow them to delete arbitrary files. The fixes for both issues are in the latest Falcon sensor for Windows version 7.29, in hotfix releases for versions 7.24 through 7.28, and in a 7.16 hotfix for hosts running Windows 7/2008 R2. The version 7.24 hotfix will also be an update for the current Long-Term Visibility (LTV) Sensor for Windows IoT.
There is no indication of exploitation of these issues in the wild. Our threat hunting and intelligence teams are actively monitoring for exploitation and we maintain visibility into any such attempts.
We are disclosing these issues and fixes concurrently, in line with industry best practices for coordinated vulnerability disclosure to ensure our customers remain protected.
Impact
Exploiting these issues to delete files could potentially lead to stability or functionality issues with the CrowdStrike Falcon Windows sensor, or other software on the system including the operating system.
The Falcon sensor for Mac, the Falcon sensor for Linux and the Falcon sensor for Legacy Windows Systems are not impacted.
Technical Overview
A logic error exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long Term Visibility (LTV) sensors. These issues were identified through our longstanding Bug Bounty program and as part of our comprehensive security posture.
Affected Versions
Falcon sensor for Windows versions 7.28 and earlier are affected.
Impacted builds:
- 7.28.20006
- 7.27.19907
- 7.26.19811
- 7.26.19809
- 7.25.19706
- 7.24.19607 and earlier
- 7.16.18635 and earlier 7.16 builds (WIN7/2008 R2 only)
Fixed builds:
- 7.28.20008 and later
- 7.27.19909
- 7.26.19813
- 7.25.19707
- 7.24.19608
- 7.16.18637 (WIN7/2008 R2 only)
Severity
CrowdStrike has scored CVE-2025-42701, the Falcon Sensor for Windows Race Condition, a 5.6 (MEDIUM) per the Common Vulnerability Scoring System Version 3.1 (CVSS).
CrowdStrike has scored CVE-2025-42706, the Falcon Sensor for Windows Logic Error, a 6.5 (MEDIUM) per the Common Vulnerability Scoring System Version 3.1 (CVSS).
Weakness Type and Impact
CVE-2025-42701 - CrowdStrike Falcon Sensor for Windows Race Condition
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CAPEC-27: Leveraging Race Conditions via Symbolic Links
CVE-2025-42706 - CrowdStrike Falcon Sensor for Windows Logic Error
CWE-346: Origin Validation Error
CAPEC-473: Signature Spoof
Exploitation status
CrowdStrike has no indication of any exploitation of these issues in the wild.
CrowdStrike is actively monitoring for signs of abuse or usage of this flaw.
Performance impact
No direct or indirect impact to sensor performance is expected, nor was any seen in our testing.
Identify Impacted Hosts
Remediation
Customers should upgrade Windows hosts running impacted sensor versions to a fixed version.
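One way to triage a host inventory against the builds listed under Affected Versions. This is an added example, not CrowdStrike tooling. The CSV layout, column names, host names and the 7.23 and 7.29 build numbers are constructed, and it assumes later builds on a release line keep the fix.

```python
import csv
import io

# Minimum fixed build per release line, taken from the advisory's build list.
# The 7.16 hotfix applies to Windows 7/2008 R2 hosts only.
FIXED_BUILDS = {(7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
                (7, 25): 19707, (7, 24): 19608, (7, 16): 18637}
FIRST_FIXED_RELEASE = (7, 29)  # 7.29 and later ship with the fixes


def classify(version):
    """Return 'fixed', 'impacted' or 'unknown' for a major.minor.build string."""
    try:
        major, minor, build = (int(p) for p in version.strip().split("."))
    except ValueError:
        return "unknown"  # malformed or truncated version: review by hand
    line = (major, minor)
    if line >= FIRST_FIXED_RELEASE:
        return "fixed"
    if line in FIXED_BUILDS:
        # Assumption: later builds on the same release line keep the fix.
        return "fixed" if build >= FIXED_BUILDS[line] else "impacted"
    # No hotfix is listed for this release line ("7.24.19607 and earlier").
    return "impacted"


def triage(inventory_csv):
    """Map hostname -> status for a CSV with hostname,sensor_version columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row["sensor_version"]) for row in reader}


# Constructed sample inventory; host names and column names are hypothetical.
SAMPLE = """hostname,sensor_version
ws-001,7.28.20006
ws-002,7.28.20008
srv-003,7.26.19811
srv-004,7.23.19500
legacy-005,7.16.18637
ws-006,7.29.20100
ws-007,7.2x
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as unknown have a version string that did not parse and need a manual check.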
Resources
- Details for CVE-2025-42701 - CrowdStrike Falcon Sensor for Windows Race Condition
- Details for CVE-2025-42706 - CrowdStrike Falcon Sensor for Windows Logic Error
- Falcon Customizable NG SIEM Dashboard for Assessing
- Sensor Release Notes - Commercial Clouds
- Sensor Release Notes - Gov Clouds
- CrowdStrike Customer Center - get your questions answered
- CrowdStrike Community - check in with your peers, ask and answer questions
Additional Questions
If you have additional questions, please reach out to your Technical Account Manager, Sales Engineer, Account Manager, or CrowdStrike Support.