CrowdStrike has fixed two medium-severity security flaws in its Falcon sensor for Windows that could allow attackers to delete critical files once they gain initial access.
Quick Summary – TLDR:
- CrowdStrike patched two vulnerabilities (CVE-2025-42701 and CVE-2025-42706) in its Falcon Windows sensor
- Attackers could exploit them to delete files if they already had code execution on the system
- Mac, Linux, and legacy systems are unaffected by these bugs
- No signs of exploitation in the wild, but updates are strongly recommended
What Happened?
CrowdStrike disclosed two medium-risk security vulnerabilities in its Falcon sensor for Windows, identified as CVE-2025-42701 and CVE-2025-42706. Although attackers must already have code execution on the device to exploit them, the flaws could still allow deletion of arbitrary files, leading to system instability or security blind spots.
Two Bugs, One Big Risk
These vulnerabilities stem from different technical issues:
- CVE-2025-42701 is a Time-of-check Time-of-use (TOCTOU) race condition, which can be triggered under specific conditions after attackers gain local code execution. It has a CVSS score of 5.6.
- CVE-2025-42706 arises from a logic error in origin validation and carries a slightly higher CVSS score of 6.5.
While neither bug enables initial system access or remote code execution, they can be exploited by an attacker who has already compromised the system to delete arbitrary files. This may disrupt not only the Falcon sensor itself but also critical software or OS components.
Affected and Patched Versions
The flaws impact only Windows-based Falcon sensors. Systems running macOS, Linux, or legacy platforms are unaffected.
CrowdStrike released comprehensive patches in:
- Falcon sensor version 7.29 (latest release)
- Hotfixes for versions 7.24 through 7.28
- Special patch 7.16.18637 for Windows 7 and 2008 R2 systems
Impacted Builds:
- 7.28.20006 and earlier
- 7.27.19907
- 7.26.19811
- 7.25.19706
- 7.24.19607 and earlier
- 7.16.18635 and earlier (Windows 7/2008 R2)
Patched Versions:
- 7.28.20008 and later
- 7.27.19909
- 7.26.19813
- 7.25.19707
- 7.24.19608
- 7.16.18637
CrowdStrike also issued a GitHub query to help customers identify systems running vulnerable versions.
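As an added example (not CrowdStrike's published query and not part of the original article), the version lists above can be turned into a triage check over a sensor inventory export. The hostnames and sample rows are constructed, and treating any branch older than 7.24 with no listed fix as impacted is an assumption drawn from the "7.24.19607 and earlier" entry.

```python
# Patched build per release branch, copied from the article's "Patched Versions" list.
PATCHED_BUILD = {
    (7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
    (7, 25): 19707, (7, 24): 19608,
    (7, 16): 18637,  # special patch for Windows 7 / 2008 R2
}
FIRST_FIXED_BRANCH = (7, 29)  # 7.29 ships with the fix


def parse_version(text):
    """Split 'major.minor.build' into three ints; ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one sensor version."""
    try:
        major, minor, build = parse_version(version_text)
    except ValueError:
        return "unknown"  # malformed data is never reported as safe
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        return "patched"
    fixed = PATCHED_BUILD.get(branch)
    if fixed is None:
        # Assumption: a branch with no listed hotfix counts as "7.24.19607 and earlier".
        return "vulnerable"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Group (hostname, version) rows into {status: [hostnames]}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed inventory rows; hostnames and the 7.29 / 7.20 build numbers are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "7.29.20108"), ("ws-002", "7.28.20006"), ("ws-003", "7.27.19909"),
    ("srv-2008r2", "7.16.18635"), ("ws-004", "7.20.19000"), ("ws-005", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts that land in "unknown" should be checked by hand rather than assumed patched, since a missing or malformed version string often means the sensor is not reporting correctly.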
Behind the Discovery
Both bugs were found internally by CrowdStrike’s security team through its bug bounty program. This shows the company’s effort in proactively checking its software for weak spots.
Even though the flaws were serious enough to draw attention, CrowdStrike referred to them as “issues” rather than “vulnerabilities” in its advisory. This phrasing sparked backlash from security researchers, including Kevin Beaumont, who argued that it downplays the risks. He said:
No Signs of Attacks Yet
So far, CrowdStrike confirms no known cases of active exploitation. Their threat hunting and intelligence teams are continuously monitoring for suspicious activity. They also claim the patches have no performance impact on Falcon sensors.
What Should Customers Do?
CrowdStrike strongly advises all Windows customers to update to a patched version immediately. Timely patching will ensure continued system stability and prevent potential file deletion attacks that could compromise security posture.
SQ Magazine Takeaway
Honestly, while these bugs aren’t catastrophic on their own, the fact that they could allow file deletion after a system is breached makes them worth acting on fast. I get why people are annoyed with CrowdStrike’s language here. Calling these “issues” instead of “vulnerabilities” makes it sound less serious, but it clearly is. If your systems run Falcon on Windows, updating isn’t optional. It’s essential.