CVE-2025-42706
📋 TL;DR
A logic error in the CrowdStrike Falcon sensor for Windows allows attackers who already have code execution on a host to delete arbitrary files. Only Windows sensor versions before 7.24 are affected. Mac, Linux, and Legacy Systems sensors are not vulnerable.
💻 Affected Systems
- CrowdStrike Falcon sensor for Windows
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with an initial foothold could delete critical system files, causing system instability or data loss, or could disable security controls to enable further attacks.
Likely Case
An attacker uses file deletion to cover tracks, remove security logs, or delete specific files as part of a targeted attack while maintaining persistence.
If Mitigated
With proper patch management, the vulnerability is eliminated. Attackers with initial access would need alternative methods for file manipulation.
🎯 Exploit Status
No known exploitation in the wild. Requires the attacker to first gain code execution on the target system through other means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.24 and above
Vendor Advisory: https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrike-falcon-sensor-for-windows/
Restart Required: No
Instructions:
1. Update the Falcon sensor to version 7.24 or higher via the Falcon console
2. Verify the update completes successfully
3. Monitor for any update failures
🔧 Temporary Workarounds
No workaround available
This is a logic error requiring a code fix. No configuration changes can mitigate the vulnerability.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for systems running vulnerable versions
- Enhance endpoint detection for suspicious file deletion activities
🔍 How to Verify
Check if Vulnerable:
Check the Falcon sensor version in the Falcon console or via the 'CSFalconService --version' command on the Windows host
Check Version:
CSFalconService --version
Verify Fix Applied:
Confirm sensor version is 7.24 or higher in Falcon console
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events from Falcon sensor process
- Security logs showing unauthorized file modifications
Network Indicators:
- No network indicators - local vulnerability only
SIEM Query:
ProcessName="CSFalconService" AND EventID="4663" AND TargetFilename="*" AND AccessMask="0x10000"
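Added example (not from the advisory or from CrowdStrike): Python that checks a sensor version string against the 7.24 fix and applies the logic of the SIEM query above to constructed Security event 4663 records, testing the DELETE bit (0x10000) bitwise rather than by equality so combined masks are not missed. The 4663 field names, the sample version strings and the CSFalconService.exe install path are assumptions.

```python
"""Added example: sensor version check plus 4663 delete-access matching."""

FIXED_VERSION = (7, 24)   # from the advisory: 7.24 and above is fixed
DELETE = 0x10000          # DELETE bit of the 4663 AccessMask field

def parse_version(version: str) -> tuple:
    """'7.23.19508.0' -> (7, 23, 19508, 0); raises on non-numeric parts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)

def sensor_is_vulnerable(version: str) -> bool:
    """True when the Windows sensor version is below the 7.24 fix."""
    return parse_version(version)[:2] < FIXED_VERSION

def is_sensor_delete_event(event: dict) -> bool:
    """Match 4663 events where the sensor process was granted DELETE.
    Real 4663 events carry the full image path in ProcessName, so the
    name is matched by suffix. The mask is tested bitwise: 0x10080
    (DELETE | FILE_READ_ATTRIBUTES) still matches, which an equality
    test against "0x10000" would miss."""
    if str(event.get("EventID")) != "4663":
        return False
    proc = str(event.get("ProcessName", "")).lower()
    if not proc.endswith(("csfalconservice.exe", "csfalconservice")):
        return False
    mask = int(str(event.get("AccessMask", "0")), 16)
    return bool(mask & DELETE)

def suspicious_deletions(events) -> list:
    """ObjectName of every file the sensor process was granted DELETE on."""
    return [e["ObjectName"] for e in events if is_sensor_delete_event(e)]

# Constructed sample events (not real telemetry); install path assumed
SENSOR = r"C:\Program Files\CrowdStrike\CSFalconService.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": SENSOR, "AccessMask": "0x10080",
     "ObjectName": r"C:\Windows\System32\winevt\Logs\Security.evtx"},
    {"EventID": 4663, "ProcessName": SENSOR, "AccessMask": "0x1",
     "ObjectName": r"C:\ProgramData\app\config.json"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe",
     "AccessMask": "0x10000", "ObjectName": r"C:\Users\u\tmp.txt"},
    {"EventID": 4656, "ProcessName": SENSOR, "AccessMask": "0x10000",
     "ObjectName": r"C:\x.txt"},
]

if __name__ == "__main__":
    print("vulnerable 7.23.19508.0:", sensor_is_vulnerable("7.23.19508.0"))
    print("sensor DELETE grants:", suspicious_deletions(SAMPLE_EVENTS))
```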