CrowdStrike has disclosed a high-severity vulnerability in its Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor.
The vulnerability, identified as CVE-2025-1146, originates from a validation logic error in the Transport Layer Security (TLS) connection routine.
Attackers who control network traffic can exploit the improper server certificate validation to intercept and manipulate communications, potentially conducting man-in-the-middle (MiTM) attacks to steal data, inject malicious content, or compromise system integrity.
Falcon Sensor for Linux and the related components prior to version 7.06 improperly process server certificates during TLS communication with the CrowdStrike cloud, which is the source of the vulnerability.
Affected Versions:
Falcon sensor for Linux | Falcon Kubernetes Admission Controller | Falcon Container Sensor |
---|---|---|
< 7.20.17308 | < 7.20.1808 | < 7.20.5908 |
< 7.19.17221 | < 7.18.1605 | < 7.19.5807 |
< 7.18.17131 | < 7.17.1503 | < 7.18.5705 |
< 7.17.17014 | < 7.16.1403 | < 7.17.5603 |
< 7.16.16909 | < 7.14.1203 | < 7.16.5503 |
< 7.15.16806 | < 7.13.1102 | < 7.15.5403 |
< 7.14.16705 | < 7.12.1002 | < 7.14.5306 |
< 7.13.16606 | < 7.11.904 | < 7.13.5202 |
< 7.11.16410 | < 7.10.806 | < 7.12.5102 |
< 7.10.16321 | < 7.06.603 | < 7.11.5003 |
< 7.07.16209 | | < 7.10.4907 |
< 7.06.16113 | | < 7.06.4705 |
If exploited, an attacker could intercept and manipulate encrypted communications, potentially compromising the confidentiality and integrity of the data being transmitted.
The vulnerability exclusively affects Linux-based systems running the Falcon Sensor or its Kubernetes and container-specific counterparts.
Windows and macOS sensors are confirmed to be unaffected. CrowdStrike emphasized that no evidence exists of this vulnerability being exploited in real-world attacks to date.
CrowdStrike identified the vulnerability during internal testing. After identifying the flaw, it released a fix in versions 7.06 and later for all affected products. Customers are urged to update their systems immediately to mitigate any risk.
Fixed Versions:
Falcon sensor for Linux | Falcon Kubernetes Admission Controller | Falcon Container Sensor |
---|---|---|
7.21.17405 and later | 7.21.1904 and later | 7.21.6003 and later |
7.20.17308 | 7.20.1808 | 7.20.5908 |
7.19.17221 | 7.18.1605 | 7.19.5807 |
7.18.17131 | 7.17.1503 | 7.18.5705 |
7.17.17014 | 7.16.1403 | 7.17.5603 |
7.16.16909 | 7.14.1203 | 7.16.5503 |
7.15.16806 | 7.13.1102 | 7.15.5403 |
7.14.16705 | 7.12.1002 | 7.14.5306 |
7.13.16606 | 7.11.904 | 7.13.5202 |
7.11.16410 | 7.10.806 | 7.12.5102 |
7.10.16321 | 7.06.603 | 7.11.5003 |
7.07.16209 | | 7.10.4907 |
7.06.16113 | | 7.06.4705 |
For organizations unable to upgrade directly to version 7.21 or newer, hotfixes are available for older supported versions. These can be accessed through the Falcon console for deployment via update policies or manual downloads.
Mitigation Steps
To address this issue, CrowdStrike recommends:
- Upgrading affected systems to version 7.06 or higher.
- Replacing outdated installation binaries in package distribution or orchestration tools.
- Monitoring network traffic for potential MiTM attempts.
- Implementing robust network segmentation to limit attacker access.
- Regularly auditing security configurations for vulnerabilities.
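The fixed builds are issued per release line, so comparing a host against a single version number misclassifies it: 7.19.17200 is newer than 7.18.17131 yet still below its own line's fix, 7.19.17221. The following is an added example, not CrowdStrike code, that checks a sensor inventory against the Fixed Versions table above. The product keys, the host names, the `upgrade-required` result for release lines with no row, and the reading of the 4-digit builds in the table's last two rows as Container Sensor builds are assumptions.

```python
# Fixed builds copied from this page's "Fixed Versions" table.
FIXED_BUILDS = {
    "linux": ("7.21.17405 7.20.17308 7.19.17221 7.18.17131 7.17.17014 7.16.16909 "
              "7.15.16806 7.14.16705 7.13.16606 7.11.16410 7.10.16321 7.07.16209 7.06.16113"),
    "kac": ("7.21.1904 7.20.1808 7.18.1605 7.17.1503 7.16.1403 7.14.1203 "
            "7.13.1102 7.12.1002 7.11.904 7.10.806 7.06.603"),
    # Assumption: the 4-digit builds in the table's last two rows belong to this column.
    "container": ("7.21.6003 7.20.5908 7.19.5807 7.18.5705 7.17.5603 7.16.5503 "
                  "7.15.5403 7.14.5306 7.13.5202 7.12.5102 7.11.5003 7.10.4907 7.06.4705"),
}


def parse(version):
    """'7.06.16113' -> (7, 6, 16113); the zero-padded minor compares numerically."""
    major, minor, build = (int(part) for part in version.strip().split("."))
    return major, minor, build


def classify(product, installed):
    """Return 'patched', 'vulnerable' or 'upgrade-required' for one sensor."""
    major, minor, build = parse(installed)
    fixed = {parse(v)[:2]: parse(v)[2] for v in FIXED_BUILDS[product].split()}
    if (major, minor) > max(fixed):
        return "patched"  # newer release line than the "7.21.x and later" row
    if (major, minor) in fixed:
        # Hotfix builds are per release line: compare only within the same line.
        return "patched" if build >= fixed[(major, minor)] else "vulnerable"
    # Assumption: a release line with no row has no hotfix and must change lines.
    return "upgrade-required"


def audit(inventory):
    """inventory: iterable of (host, product, version); returns hosts needing action."""
    return {host: state for host, product, ver in inventory
            if (state := classify(product, ver)) != "patched"}


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names, not real data).
    sample = [
        ("web-01", "linux", "7.18.17131"),
        ("web-02", "linux", "7.18.17106"),
        ("db-01", "linux", "7.12.16500"),
        ("k8s-ac", "kac", "7.20.1808"),
        ("node-7", "container", "7.06.4700"),
    ]
    for host, state in audit(sample).items():
        print(f"{host}: {state}")
```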