CrowdStrike Falcon Windows Sensor fixes CVE-2025-42701 and CVE-2025-42706

CrowdStrike has published fixes for two medium‑severity vulnerabilities in the Falcon Windows Sensor that could allow an attacker who already has local code execution to delete arbitrary files on Windows hosts — the issues are tracked as CVE‑2025‑42701 (a TOCTOU race condition) and CVE‑2025‑42706 (a logic/origin‑validation bug).

Overview​

These two flaws affect the Falcon sensor for Windows and were responsibly reported through CrowdStrike’s bug bounty program. Both vulnerabilities are classified as Medium under CVSS 3.1: CVE‑2025‑42701 is scored 5.6 and CVE‑2025‑42706 is scored 6.5. In every public advisory and aggregated CVE feed the attack vector is listed as local — an attacker must already be able to execute code on the host before these issues become useful for further impact. CrowdStrike has released fixes and hotfixes for multiple sensor branches; affected customers are strongly advised to update to a patched sensor build as soon as possible.

---

Background and context​

Why this matters for Windows endpoints​

Endpoint sensors like CrowdStrike Falcon operate with privileged access by design to provide deep process, file, kernel and network visibility. That access delivers security value — but it also raises the blast radius for implementation bugs. A defective path in a sensor that runs as a privileged service or driver can be used by an attacker who already has a foothold to inflict additional damage or to impede detection. CrowdStrike’s own operational history — including the high‑profile July 2024 content‑update incident that caused wide‑scale instability on some Windows fleets — makes any new Falcon sensor vulnerability particularly salient for enterprise risk teams.

The two CVEs at a glance​

• CVE‑2025‑42701 — TOCTOU (Time‑of‑check / Time‑of‑use) race condition (CWE‑367). A timing/synchronization weakness that an attacker could exploit to cause deletion of arbitrary files under certain conditions. Rated CVSS 3.1 = 5.6 (Medium).
• CVE‑2025‑42706 — Logic bug / origin validation (CWE‑346). A validation error that can be abused, again only after code execution on the host, to delete arbitrary files. Rated CVSS 3.1 = 6.5 (Medium).

Both issues are explicitly not remote code execution vulnerabilities and cannot by themselves provide initial access. Instead, they materially increase the impact an already‑present attacker can achieve on a compromised host — for example by removing forensic evidence, sabotaging critical data, or destabilizing the host and other security tooling. Public CVE feeds and the vendor responses note there is no current evidence of exploitation in the wild, but monitoring is ongoing.

---

Affected products and patched builds​

Versions named in public feeds​

Aggregated CVE trackers indicate the issues affect Falcon Windows Sensor builds up to specific pre‑hotfix numbers. The fixed threshold across the affected branches is represented in the feeds as builds at or above:

• 7.29 (latest full release), and hotfixed builds for previous branches, e.g.:
• 7.28 — fixed at or after 7.28.20008
• 7.27 — fixed at or after 7.27.19909
• 7.26 — fixed at or after 7.26.19813
• 7.25 — fixed at or after 7.25.19707
• 7.24 — fixed at or after 7.24.19608
• For older Windows 7 / Windows Server 2008 R2 hosts there’s a dedicated hotfix (for example 7.16.18637 was called out as the corrected build for legacy OS support by some trackers).

These build identifiers are important because many enterprises pin sensor updates to a specific update policy (N, N‑1, N‑2) or block automated updates. Administrators must verify the currently installed sensor builds in their fleet and ensure updates or hotfixes propagate to all Windows hosts that run the affected sensors.

---

Technical analysis — how the vulnerabilities work​

TOCTOU race conditions (CVE‑2025‑42701)​

A TOCTOU issue arises when code checks a condition (time‑of‑check) and later acts based on that check (time‑of‑use) without locking or otherwise guaranteeing the condition remains true. In kernel or privileged services, an attacker who can race the check and use windows can cause the software to operate on unexpected or attacker‑controlled objects. In this case, the race allows deletion of arbitrary files when the attacker times operations to exploit a window in the sensor’s file‑handling code path. TOCTOU weaknesses are notoriously tricky to reproduce reliably but can be exploited by a local actor who controls timing and filesystem operations. Public CVE summaries classify this as CWE‑367.

Origin/logic validation bug (CVE‑2025‑42706)​

Logic or origin validation bugs (CWE‑346) occur when code trusts the origin of input or fails to validate the provenance of a request or file. In privileged services that accept directives or content updates, improperly validated input can be misinterpreted as trusted data. In this situation the logic bug permits abuse by a local actor to cause the sensor to delete files it should not. Aggregators indicate the root cause is validation/logic, not an unauthenticated remote API.

Practical exploitation conditions​

• An attacker needs an existing capability to execute code on the host (local code execution). These flaws are post‑compromise issues: they elevate the damage an attacker can do after gaining a foothold, rather than providing that initial foothold.
• Exploitation can have operational side effects beyond file deletion — for example, deleting files used by the OS or other software could create instability or inhibit monitoring, potentially hindering incident response. Public advisories explicitly warn these bugs could impact stability or functionality of the OS or the Falcon software itself.

---

What CrowdStrike and trackers say (verification)​

Multiple independent CVE aggregators and security feeds publish matching summaries (CVE descriptions, CVSS values, affected‑build thresholds and mitigation recommendations). The NVD entry for CVE‑2025‑42701 is present and awaiting full enrichment, while other trackers list the complete CVSS and affected build numbers. CrowdStrike’s public communications reiterate the discovery via its bug bounty program and the release of hotfix builds for affected sensor branches. The vendor’s prior transparency efforts — including the published post‑incident analysis for the July 2024 content update event — provide useful context for how the company handles sensor stability and rapid mitigation. These cross‑references were used to confirm the facts reported in public advisories.
Flag: where precise timelines or internal telemetries are reported only by one party (for example exact counts of endpoints that failed during previous incidents), treat those numbers as vendor‑provided and conditional on later verification. The CVE feeds and NVD notes are consistent on the technical classification and the presence of hotfix builds.

---

Operational impact and risk assessment​

Immediate risks​

• Post‑compromise amplification — an attacker who already has code execution can use these flaws to delete logs, detection artifacts or system files, making forensic triage harder and potentially helping persistence or cleanup.
• Stability and availability — file deletion of critical components or race‑condition side effects could crash processes, degrade services or destabilize endpoints and monitoring. Public advisories warn these vulnerabilities could affect system stability and Falcon’s ability to monitor or protect a host.

What these flaws are not​

• They are not remote code execution vectors and cannot be used by a remote unauthenticated attacker to gain initial access. The attack requires local code execution first, which constrains the attack surface to scenarios where an attacker already controls or can run code on the machine. That limits, but does not eliminate, the operational severity — especially in high‑value or shared environments (file servers, jump boxes, Cloud PCs).

Where the real risk accumulates​

Risks escalate in environments that combine:

• Widely‑deployed sensor fleets with centralized auto‑update or rapid mass rollouts, and
• High exposure services (RDP‑exposed hosts, multitenant VMs, Windows Cloud PCs) where initial code execution is more likely to appear from either external exploit chains or insider threats.

Enterprises that rely on a single vendor for endpoint protection should also consider the operational coupling risk: a single flawed update or an exploited post‑compromise bug may have broad operational impact across many critical systems. Historical incidents involving Falcon sensor content updates illustrate real world consequences when privileged agent behavior interacts unexpectedly with OS internals.

---

Clear, practical guidance for administrators​

The following steps are prioritized and practical for IT and security teams managing Windows endpoints with Falcon deployed.

• Inventory sensor versions: query the Falcon console and endpoint inventories to identify all Windows hosts running affected sensor builds (7.24–7.28 range, older 7.16 for legacy OSes). Verify actual build numbers against the hotfix thresholds.
• Apply the hotfixes or update to 7.29 (or the hotfixed builds in your supported branch) as soon as testing windows allow. If auto‑update is enabled and set to a policy that will receive hotfixes, confirm the policy propagated successfully.
• For pinned update policies (N, N‑1), plan forced or staged deployments to reach 100% coverage quickly — don’t rely on a slow, uncontrolled stagger. Use canaries and validate in the staging ring before a full push.
• Monitor Falcon alerts and quarantined file ledgers for indicators of local exploitation — the vendor notes exploit attempts would surface in the endpoint UI and audit logs. Hunt for suspicious local process launches, unexpected deletes of log or telemetry files, and unusual MSI or installer activity.
• If immediate patching isn’t possible, harden hosts against initial code execution: limit exposed management interfaces (RDP), enforce least privilege, apply application allowlists, and elevate monitoring on internet‑facing or high‑value devices.

Recommended forensic checks (short list):

• Search for unusual file deletion patterns or missing log segments.
• Review recent process creation events around sensitive services.
• Scan for suspicious child processes spawned by system‑level services.
• Verify the integrity of sensor files and compare with expected checksums where supported.

---

Detection and hunting: useful starting queries​

• Look for local process creations that executed code in user folders followed by deletions in system or log directories.
• Search Falcon (or SIEM) logs for quarantined items and correlate timestamps with any unexpected service restarts or kernel exceptions.
• Monitor for MSIInstaller activity launched outside maintenance windows — many sensor updates use MSI semantics and an attacker might mimic the same process chain.

---

Why vendors’ update discipline and deployment mechanics matter​

The past year’s incidents underscore that even small content updates — templates, configuration packages, detection content — can interact with privileged components in unexpected ways. The operational model for endpoint protection (fast content updates, cloud‑driven rules, privileged local agents) delivers security efficacy but depends on rigorous validation, staged rollouts and robust rollback tools. CrowdStrike’s public remediation work and the company’s bug bounty disclosures show a mature vulnerability program, but they also highlight the need for customers to treat agent updates as operational events: test, stage, monitor, and have playbooks ready.

---

Strengths and mitigations built into modern endpoint platforms​

• Modern EDR/XDR platforms provide immediate detection telemetry and quarantine mechanisms that can help contain an exploited post‑compromise path. CrowdStrike’s telemetry signals and quarantined file ledger were specifically referenced as ways customers would detect manifestations of these CVEs. That capability reduces the chance that an attacker could silently delete critical telemetry without triggering alerts.
• Bug bounty programs and rapid disclosure pipelines accelerate the time between discovery and patching; these CVEs were disclosed via HackerOne and remediated with hotfixes — a positive indicator of vulnerability lifecycle management.

---

Risks and open questions to watch​

• One remaining operational risk is partial update coverage. Several community reports indicate some environments observed hung or partially unresponsive endpoints until a forced reboot allowed the hotfix to apply. Customers should validate that updates applied successfully across cloud‑hosted and on‑prem hosts and be prepared for outliers (e.g., cloud‑based Cloud PCs, VDI images, or devices that are offline during rollouts).
• Public feeds state “no evidence of in‑the‑wild exploitation” at the time of disclosure; while reassuring, this is a time‑sensitive statement. Monitoring for suspicious artifacts and reviewing endpoint telemetry remains essential — the absence of evidence is not proof of absence. Flag: treat “no evidence” as temporary and continue logging and hunting.

---

Conclusion — practical takeaway for Windows administrators​

The dual disclosures CVE‑2025‑42701 and CVE‑2025‑42706 are important operational‑security reminders: privileged endpoint agents are powerful defenders and — when imperfect — can also amplify damage in post‑compromise scenarios. These two vulnerabilities do not enable remote takeover but do allow an attacker who already controls a host to delete files and potentially disrupt security monitoring and system stability. Enterprises should act now: inventory affected builds, deploy the hotfixes or upgrade to the patched sensor release, and beef up detection for suspicious local activity while the rollout completes. Maintain staged update discipline, verify successful application of hotfix builds on cloud and on‑prem hosts, and keep hunting for any signs of post‑compromise activity. Aggregated CVE trackers and vendor notices confirm the technical details and hotfix availability; treat those advisories as the operational baseline for patch planning.

---

Quick checklist (actionable)​

• Verify current Falcon Windows Sensor builds across the estate.
• Update to a patched build (7.29 or the hotfixed builds in your branch) or apply vendor hotfixes immediately.
• Confirm update success on cloud‑hosted and offline hosts; reboot if necessary to let installers complete.
• Hunt for suspicious local code execution, file deletions, or gaps in telemetry.
• If exposure is suspected, escalate to forensic triage and coordinate with incident response; open a vendor support case for targeted assistance.

These steps will materially reduce operational risk and preserve detection integrity while the hotfix rollout completes.

---

Source: Red Hot Cyber CrowdStrike risolve due bug su Falcon Windows Sensor per Windows