In today's ever-evolving threat landscape, maintaining robust security is of paramount importance. At CrowdStrike, we prioritize transparency and constantly evolve our products and services to ensure maximum protection. With this in mind, we have identified a critical vulnerability (CVE-2025-1146) in our Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor. We have released a security fix for this vulnerability, and this blog post will cover the details of the vulnerability, how to apply the security fix, and links to original references.
Vulnerability Details (CVE-2025-1146)
CrowdStrike uses industry-standard Transport Layer Security (TLS) to secure the communication channel from the Falcon sensor to the CrowdStrike cloud. We have discovered a validation logic error in the Falcon products named above that could enable an attacker who can control the sensor's network traffic to execute a man-in-the-middle (MiTM) attack. CrowdStrike uncovered this issue internally, and a fix is now available in Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor versions 7.06 and above.
Exploit Scenario
An attacker could exploit this vulnerability by intercepting the Falcon sensor's connection to the CrowdStrike cloud and evading server certificate validation. This would allow the attacker to impersonate the CrowdStrike cloud during the TLS handshake and potentially gain unintended access to sensitive information or tamper with the Falcon sensor's actions.
Mitigation
To mitigate this vulnerability, the affected users should upgrade their Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor to version 7.06 or higher.
Here is a pseudocode snippet showcasing the relevant change in the TLS connection routine for the upgraded versions:

    // Prior version with vulnerability: the handshake proceeds on a single check
    if (server_certificate.validate()) {
        initiate_tls_connection();
    } else {
        reject_connection();
    }

    // Updated version with fix: the handshake proceeds only when both checks pass
    if (server_certificate.validate() && verify_server_certificate()) {
        initiate_tls_connection();
    } else {
        reject_connection();
    }
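The snippet above is pseudocode, so here is an added example (written for this page, not CrowdStrike's sensor code) of what a client-side server certificate check has to cover to close off the impersonation described in the exploit scenario: the certificate chain must validate to a trusted root, and the certificate must be bound to the host the client intended to reach. A client that performs only the first check accepts any certificate issued by any trusted CA for any name, which is exactly what a network-position attacker needs. The function names, the subjectAltName sample values and the example.com / 203.0.113.5 identifiers are assumptions constructed for this example; the ssl.SSLContext functions at the end show the equivalent pair of checks as Python's standard library exposes them.

```python
"""Added example, not CrowdStrike code: the two checks a TLS client must
combine before trusting a server certificate.

1. hostname_matches_certificate(): identity binding against the
   certificate's subjectAltName entries (RFC 6125 rules, simplified).
2. accept_server(): the gate that requires chain validity AND name binding.
3. hardened_client_context()/weak_client_context(): the same pair of checks
   as ssl.SSLContext settings, with an audit function to tell them apart.
"""
import ipaddress
import ssl


def _match_dns_identifier(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier (possibly a wildcard) to a hostname.

    Simplified from RFC 6125 section 6.4.3:
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the entire left-most label ("*.example.com")
    - the wildcard matches exactly one label, so "a.b.example.com" does not match
    - patterns with fewer than three labels ("*.com") are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches_certificate(san_entries, expected_host: str) -> bool:
    """Return True only if expected_host is bound to the certificate.

    san_entries: list of (type, value) pairs in the shape ssl.getpeercert()
    returns under 'subjectAltName', e.g. [('DNS', 'api.example.com'),
    ('IP Address', '203.0.113.5')] (constructed sample values).
    An IP literal must match an 'IP Address' entry exactly; it is never
    compared against DNS entries and wildcards never apply to it.
    """
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _match_dns_identifier(value, expected_host):
            return True
    return False


def accept_server(chain_valid: bool, san_entries, expected_host: str) -> bool:
    """Gate the handshake on BOTH checks, mirroring the fixed pseudocode above.

    chain_valid stands for the result of path validation to a trusted root
    (the 'validate()' step); the name binding is the second, independent check.
    """
    return chain_valid and hostname_matches_certificate(san_entries, expected_host)


def hardened_client_context() -> ssl.SSLContext:
    """Chain verification and hostname checking both on (the library default)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Illustrates the misconfiguration class: chain checked, identity not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # any trusted-CA certificate now passes
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit helper: both checks must be enabled for the context to pass."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    san = [("DNS", "*.example.com"), ("IP Address", "203.0.113.5")]  # constructed
    print(accept_server(True, san, "sensor.example.com"))   # True
    print(accept_server(True, san, "sensor.example.net"))   # False: wrong name
    print(accept_server(False, san, "sensor.example.com"))  # False: bad chain
    print(context_is_hardened(hardened_client_context()), context_is_hardened(weak_client_context()))
```

The point of the audit function is operational: when reviewing any TLS client, confirm that both settings are in force rather than assuming a "verified" flag covers identity as well as chain validity.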
Original References
1. Falcon Sensor for Linux - Upgrade Guide
2. Falcon Kubernetes Admission Controller - Upgrade Guide
3. Falcon Container Sensor - Upgrade Guide
Impact
Currently, there is no evidence of this vulnerability being exploited in the wild. Windows and Mac sensors are not affected by this vulnerability. CrowdStrike remains vigilant in monitoring for potential abuse of this flaw and continuously works to strengthen its internal security review process.
Conclusion
Security is our top priority, and we remain committed to addressing any vulnerabilities that we discover promptly. With the release of the fix for the CVE-2025-1146 vulnerability, we urge our customers to update their Falcon products to ensure complete protection. For more information, visit the upgrade guides listed above or contact CrowdStrike Support. Stay resilient and compliant with CrowdStrike by your side!
Timeline
Published on: 02/12/2025 19:15:09 UTC