CVE-2025-1146
📋 TL;DR
A TLS certificate validation logic error in CrowdStrike Falcon Linux-based sensors could allow man-in-the-middle attacks. Attackers controlling network traffic could intercept or manipulate communications between affected sensors and CrowdStrike cloud. Only Linux, Kubernetes Admission Controller, and Container Sensor versions below 7.06 are affected.
💻 Affected Systems
- Falcon sensor for Linux
- Falcon Kubernetes Admission Controller
- Falcon Container Sensor
⚠️ Manual Verification Required
Our database has no structured version range for this CVE, so automated detection cannot determine whether your system is affected; the vendor advisory states the fix threshold (7.06), so the check has to be made by hand against the installed sensor version.
Why? The NVD/CVE entry carries no machine-readable version ranges for the affected products, only the vendor's prose advisory.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full interception of all sensor-to-cloud communications, allowing an attacker to read and alter policy and telemetry traffic, disable or blind protection on the endpoint, exfiltrate sensitive data, or deliver malicious payloads to endpoints.
Likely Case
Selective interception of specific communications in controlled network environments, potentially allowing evasion of detection or limited data exfiltration.
If Mitigated
No impact if sensors are updated to patched versions or if network controls prevent MiTM positioning.
🎯 Exploit Status
Requires network positioning to intercept TLS traffic. No known exploitation in the wild. CrowdStrike discovered internally.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.06 and above
Vendor Advisory: https://www.crowdstrike.com/security-advisories/cve-2025-1146/
Restart Required: No
Instructions:
1. Log into the CrowdStrike Falcon console.
2. Navigate to Sensor Updates.
3. Deploy version 7.06 or higher to all affected Linux, Kubernetes Admission Controller, and Container sensors.
4. Verify deployment completion.
🔧 Temporary Workarounds
Network Segmentation
Restrict network paths between sensors and CrowdStrike cloud so that only trusted, monitored egress routes carry sensor traffic, preventing an attacker from gaining a MiTM position. Note that the sensors need cloud connectivity to receive policy and updates, so the goal is to constrain the path, not block it.
🧯 If You Can't Patch
- Implement strict network controls to prevent unauthorized devices from intercepting sensor-to-cloud traffic.
- Monitor for unusual network activity or certificate validation failures in sensor logs.
🔍 How to Verify
Check if Vulnerable:
Check the sensor version in the Falcon console (Host Management), or on the host itself with the Linux sensor's control tool (requires root):
/opt/CrowdStrike/falconctl -g --version
The output has the form version = MAJOR.MINOR.BUILD.REV; compare the MAJOR.MINOR part against 7.06.
Check Version:
sudo /opt/CrowdStrike/falconctl -g --version
Verify Fix Applied:
Confirm the reported version is 7.06 or higher, in the Falcon console or via the command above, on every Linux host, Kubernetes Admission Controller, and Container Sensor deployment.
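The version comparison above is easy to get wrong when done by eye across a fleet (7.05 is below 7.06, but "7.5" sorts after "7.06" in a naive string compare). The script below is an added example, not CrowdStrike tooling or code from this page: it parses the `version = MAJOR.MINOR.BUILD.REV` line that `falconctl -g --version` prints and reports whether the sensor is below the 7.06 fix threshold. The path `/opt/CrowdStrike/falconctl` and the exact output format are assumptions; the sample version lines at the bottom are constructed so the script also runs on a host with no sensor installed.

```shell
#!/bin/sh
# Added example: decide whether a Falcon Linux sensor version is below the
# 7.06 fix threshold from the CVE-2025-1146 advisory. Assumed output format
# of falconctl: "version = 7.05.17705.0" (MAJOR.MINOR.BUILD.REV).

FALCONCTL=/opt/CrowdStrike/falconctl   # assumed install path

# Extract "MAJOR.MINOR" from a falconctl version line; prints nothing if the
# line does not match the expected format.
falcon_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^version = \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) when MAJOR.MINOR is below 7.06, 1 otherwise.
# Compares numerically so that 7.05 < 7.06 and 7.10 > 7.06 (a string compare
# would get the second case wrong).
falcon_below_fix() {
    major=${1%%.*}
    minor=${1#*.}
    major=$(printf '%s' "$major" | sed 's/^0*//'); major=${major:-0}
    minor=$(printf '%s' "$minor" | sed 's/^0*//'); minor=${minor:-0}
    if [ "$major" -lt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -lt 6 ]; then return 0; fi
    return 1
}

# Classify one falconctl output line as VULNERABLE / PATCHED / UNKNOWN.
falcon_status() {
    v=$(falcon_version_from_line "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif falcon_below_fix "$v"; then
        echo "VULNERABLE ($v)"
    else
        echo "PATCHED ($v)"
    fi
}

if [ -x "$FALCONCTL" ]; then
    # Live check on a host with the sensor installed (falconctl needs root).
    falcon_status "$("$FALCONCTL" -g --version 2>/dev/null)"
else
    # Constructed sample lines for demonstration when no sensor is present.
    for line in "version = 7.05.17705.0" "version = 7.06.17811.0" \
                "version = 7.10.18100.0" "version = 6.58.14704.0" "not a version"; do
        printf '%-26s -> %s\n' "$line" "$(falcon_status "$line")"
    done
fi
```

Run it with `sudo` on each Linux host (or ship it through your configuration management and collect the output); any line reporting VULNERABLE or UNKNOWN needs a console-side check and an update to 7.06 or later.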
📡 Detection & Monitoring
Log Indicators:
- Certificate validation errors in Falcon sensor logs
- Unexpected TLS handshake failures
Network Indicators:
- Unusual TLS interception attempts on port 443 to CrowdStrike endpoints
- Suspicious certificate authorities in sensor traffic
SIEM Query:
source="falcon_sensor" AND ("certificate validation" OR "TLS error" OR "handshake failure")