CrowdStrike Releases Security Updates for Falcon Sensor Windows Vulnerabilities 

Summary: CrowdStrike recently disclosed and released patches for two medium-severity vulnerabilities affecting its Falcon sensor for Windows systems, identified as CVE-2025-42701 and CVE-2025-42706. These vulnerabilities allow attackers who already have code execution privileges on a targeted Windows host to delete arbitrary files, potentially destabilizing the Falcon sensor, other installed software, or even the operating system itself.

OEM: CrowdStrike
Severity: Medium
CVSS Score: 6.5
CVEs: CVE-2025-42701, CVE-2025-42706
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

Notably, Falcon sensors for macOS and Linux are not affected. Users and administrators running the Falcon sensor for Windows should update to the latest version.

Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2025-42701 | CrowdStrike Falcon Sensor for Windows | Medium | 7.28.20008 and later, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608, 7.16.18637 (WIN7/2008 R2 only)
Origin Validation Logic Error Vulnerability | CVE-2025-42706 | CrowdStrike Falcon Sensor for Windows | Medium |

Technical Summary 

The Falcon Sensor for Windows was found to contain security flaws that could permit a locally authenticated attacker with existing code execution privileges to delete arbitrary files on the affected system.

One vulnerability is a race condition caused by improper synchronization in the software’s operation timing, while the other results from a logic error affecting file handling processes.

These issues could lead to significant disruption of security functions or system stability. Prompt remediation has been issued by CrowdStrike and there is currently no evidence of exploitation in active environments.  

CVE ID | Platform Affected | Vulnerability Details | Impact
CVE-2025-42701 | CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 | Time-of-check Time-of-use (TOCTOU) race condition due to a timing gap in handling file operations, which allows an attacker with prior local code execution to delete arbitrary files on the host system. | Sensor disruption and file deletion.
CVE-2025-42706 | CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 | A logic error related to origin validation in the Falcon sensor’s file handling, enabling an attacker with existing code execution abilities to delete arbitrary files. | Sensor disruption and file deletion.

Recommendations 

Update CrowdStrike Falcon Sensor for Windows to one of the following patched versions, or to the latest version:

  • 7.28.20008, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608
  • 7.16.18637 (for Windows 7/2008 R2 only) 
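
To check a sensor inventory against the patched versions listed above, the following added example (not CrowdStrike code and not part of the original advisory) classifies each reported version. It assumes each listed version is the minimum fixed build for its release line; the function names, status labels and sample inventory are constructed for illustration.

```python
# Added example, not CrowdStrike code. Assumption: each version in the advisory
# is the minimum fixed build for its release line (major.minor).
FIXED_BUILDS = {(7, 28): 20008, (7, 27): 19909, (7, 26): 19813,
                (7, 25): 19707, (7, 24): 19608,
                (7, 16): 18637}  # 7.16: Windows 7 / Server 2008 R2 only
NEWEST_LINE = (7, 28)  # advisory: "7.28.20008 and later"
LEGACY_ONLY = (7, 16)


def parse_version(text):
    """Return (major, minor, build); extra trailing fields are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def assess(version, legacy_os=False):
    """Classify a sensor: 'patched', 'needs_update', 'review' or 'unknown'."""
    try:
        major, minor, build = parse_version(version)
    except ValueError:
        return "unknown"
    line = (major, minor)
    if line > NEWEST_LINE:
        return "patched"        # release line newer than 7.28
    minimum = FIXED_BUILDS.get(line)
    if minimum is None or build < minimum:
        return "needs_update"   # no fix listed for this line, or build too old
    if line == LEGACY_ONLY and not legacy_os:
        return "review"         # 7.16 fix is listed for Win7/2008 R2 only
    return "patched"


def triage(inventory):
    """inventory: iterable of (host, version, legacy_os) -> {host: status}."""
    return {host: assess(ver, legacy) for host, ver, legacy in inventory}

# Constructed sample inventory; hostnames and builds are illustrative.
SAMPLE = [
    ("ws-001", "7.28.20008", False),
    ("ws-002", "7.27.19907", False),
    ("srv-2008r2", "7.16.18637", True),
    ("ws-003", "7.23.19500", False),
    ("ws-004", "7.29.20100.0", False),
    ("ws-005", "not-installed", False),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as `needs_update`, `review` or `unknown` are the ones to follow up on first.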

Implement the following best practices to enhance overall security posture:

  • Regularly monitor and apply security updates and patches promptly to all endpoint protection software. 
  • Enforce the principle of least privilege by restricting user permissions and execution rights to minimize the risk from locally executed code. 
  • Enable logging and continuous monitoring within the Falcon platform to detect any suspicious activities related to file deletions or sensor tampering. 

Conclusion: 
CrowdStrike identified and promptly addressed two vulnerabilities in its widely used Falcon endpoint protection sensor for Windows. These issues, if left unpatched, could allow an attacker with existing local access to disrupt system stability by deleting critical files.

No active exploitation has been detected, and CrowdStrike has already released the patches. Users are strongly encouraged to apply the latest patches and follow best security practices to maintain system integrity and resilience against potential threats.
