CrowdStrike

Security Advisory

CrowdStrike Releases Security Updates for Falcon Sensor Windows Vulnerabilities 

Summary :  CrowdStrike recently disclosed and released patches for two medium-severity vulnerabilities affecting its Falcon sensor for Windows systems, identified as CVE-2025-42701 and CVE-2025-42706. These vulnerabilities allow attackers who already have code execution privileges on a targeted Windows host to delete arbitrary files, potentially destabilizing the Falcon sensor, other installed software, or even the operating system itself.

OEM CrowdStrike 
Severity Medium 
CVSS Score 6.5 
CVEs CVE-2025-42701, CVE-2025-42706 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Notably, Falcon sensors for macOS and Linux are not affected, Users & Administrator using falcon sensor for windows update to the latest version. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability  CVE-2025-42701 CrowdStrike Falcon Sensor for Windows  Medium 7.28.20008 and later 7.27.19909 7.26.19813 7.25.19707 7.24.19608 7.16.18637 (WIN7/2008 R2 only) 
Origin Validation Logic Error Vulnerability  CVE-2025-42706 CrowdStrike Falcon Sensor for Windows Medium 

Technical Summary 

The Falcon Sensor for Windows was found to contain security flaws that could permit a locally authenticated attacker with existing code execution privileges to delete arbitrary files on the affected system.

Race condition vulnerability caused by improper synchronization in the software’s operation timing, while the other vulnerability results from a logical error affecting file handling processes.

These issues could lead to significant disruption of security functions or system stability. Prompt remediation has been issued by CrowdStrike and there is currently no evidence of exploitation in active environments.  

CVE ID Platform Affected  Vulnerability Details Impact 
 CVE-2025-42701 CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 Time-of-check Time-of-use (TOCTOU) race condition due to a timing gap in handling file operations, which allows an attacker with prior local code execution to delete arbitrary files on the host system. Sensor disruption and file deletion. 
 CVE-2025-42706 CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 A logic error related to origin validation in the Falcon sensor’s file handling, enabling an attacker with existing code execution abilities to delete arbitrary files. Sensor disruption and file deletion. 

Recommendations 

Update CrowdStrike Falcon Sensor for Windows to the following patched versions or latest one  

  • 7.28.20008, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608,  
  • 7.16.18637 (for Windows 7/2008 R2 only) 

Implement the following best practices to enhance overall security posture 

  • Regularly monitor and apply security updates and patches promptly to all endpoint protection software. 
  • Enforce the principle of least privilege by restricting user permissions and execution rights to minimize the risk from locally executed code. 
  • Enable logging and continuous monitoring within the Falcon platform to detect any suspicious activities related to file deletions or sensor tampering. 

Conclusion: 
CrowdStrike identified and promptly addressed two vulnerabilities in widely used falcon endpoint protection sensor for Windows. These issues, if left unpatched, could allow an attacker with existing local access to disrupt system stability by deleting critical files.

There is no active exploitation has been detected & CrowdStrike already released the patches. Users are strongly encouraged to apply the latest patches and follow best security practices to maintain system integrity and resilience against potential threats. 

References

  

Security Advisory

Elastic Releases Critical Security Updates for Kibana & Elasticsearch 

Security Advisory:

Elastic has released security updates for Kibana and Elasticsearch.

Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues

This also include one sensitive data exposure flaw, and one credential leakage issue

OEM Elastic 
Severity High 
CVSS Score 8.7 
CVEs CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Stored XSS Vulnerability via Case File Upload Vulnerability CVE-2025-25009 Kibana  High  v8.18.8, v8.19.5, v9.0.8, v9.1.5 
Kibana Cross Site Scripting (XSS) Vulnerability CVE-2025-25017 Kibana High 
Kibana Stored Cross Site Scripting (XSS) Vulnerability CVE-2025-25018 Kibana High 

Technical Summary 

Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.

This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability . 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-25009 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) Stored XSS via malicious file uploads in case management, allowing JavaScript injection Data Theft,  Session Hijacking,  Privilege Escalation 
CVE-2025-25017 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution Malicious Script Execution 
CVE-2025-25018 Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) Stored XSS in Kibana due to improper validation of specified type of input.  Session Compromise, Unauthorized Access 

Other Vulnerabilities 

In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Sensitive Data Exposure in Audit Logging CVE-2025- 37727 Elasticsearch Medium v8.18.8, v8.19.5, v9.0.8, v9.1.5 
Credential Leakage in CrowdStrike Connector CVE-2025- 37728 Kibana (CrowdStrike Connector) Medium v8.18.8 and higher 

Recommendations

Update Kibana and Elasticsearch immediately to the following versions 

  • Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version. 

If unable to update immediately you can follow some workarounds below 

  • For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+. 
  • For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana. 
  • For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”. 

Conclusion: 
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.

Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments. 

References

Blogs Security Advisory

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including those packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. 

The JavaScript ecosystem is under a massive threat following a major supply chain attack. Hence, millions of crypto users and developers are now at risk. With more than a billion of these packages downloaded already, thousands of blockchain wallets and applications could be suffer varying exploits.

  • Malicious NPM updates spread malware that steals and replaces crypto addresses.
  • Developers encouraged developer to cease on-chain operation and inspect HD wallets thoroughly.

The attackers injected malicious scripts that

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others. 

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Here are some popular packages with affected versions 

Package Version 
@ctrl/ngx-codemirror 7.0.1, 7.0.2 
@ctrl/tinycolor 4.1.1, 4.1.2 
@crowdstrike/foundry-js 0.19.1, 0.19.2 
@crowdstrike/logscale-dashboard 1.205.1, 1.205.2 
@nativescript-community/sqlite 3.5.2 – 3.5.5 
@nativescript-community/text 1.6.9 – 1.6.13 
@nstudio/nativescript-checkbox 2.0.6 – 2.0.9 
@nstudio/angular 20.0.4 – 20.0.6 
eslint-config-crowdstrike 11.0.2, 11.0.3 
remark-preset-lint-crowdstrike 4.0.1, 4.0.2 

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 Hash Notes 
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 Large batch, Sept 15–16 
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 CrowdStrike-related packages burst (Sept 16) 
de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 First observed compromise (Sept 14) 
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 Sept 14 small burst 
83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e ~25 packages, Sept 14 
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db Burst of ~17 packages, Sept 14–15 
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c Multiple reuse across Sept 15–16 

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
    Pin dependencies to known-safe versions until patched releases are confirmed. 
  1. Rotate credentials 
    Immediately revoke and reissue: 
  • npm access tokens 
  • GitHub personal access tokens / org tokens 
  • Cloud credentials (AWS, GCP, Azure) 
  1. Audit systems 
  • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
  • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
  • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  1. Monitor and log 
  • Search event logs for unusual npm publish activity. 
  • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  1. Harden pipelines 
  • Pin package versions and use integrity checks (e.g.- lockfiles, checksums). 
  • Limit exposure of sensitive tokens in build environments. 
  • Rotate all build-related secrets regularly. 

 
Conclusion 
This incident is significant compromises in the npm ecosystem, impacting hundreds of widely used packages across various namespaces.

The attackers’ tactics such as credential theft, manipulation of GitHub workflows, and widespread package propagation, highlighting the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

References

Scroll to top