CVE-2025-1146 - CrowdStrike Falcon Sensor for Linux TLS Issue

Summary

CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where our TLS connection routine to the CrowdStrike cloud can incorrectly process server certificate validation. This could allow an attacker with the ability to control network traffic to potentially conduct a man-in-the-middle (MiTM) attack. CrowdStrike identified this issue internally and released a security fix in all Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor versions 7.06 and above.

CrowdStrike identified this issue through our longstanding, rigorous security review process, which has been continually strengthened with deeper source code analysis and ongoing program enhancements as part of our commitment to security resilience. CrowdStrike has no indication of any exploitation of this issue in the wild. CrowdStrike has leveraged its world-class threat hunting and intelligence capabilities to actively monitor for signs of abuse or usage of this flaw and will continue to do so.

Windows and Mac sensors are not affected by this.

Technical Overview

Affected versions

All versions of Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor prior to 7.21 are affected, excluding hotfix builds for supported sensor versions.

Falcon sensor for Linux:
  • < 7.20.17308
  • < 7.19.17221
  • < 7.18.17131
  • < 7.17.17014
  • < 7.16.16909
  • < 7.15.16806
  • < 7.14.16705
  • < 7.13.16606
  • < 7.11.16410
  • < 7.10.16321
  • < 7.07.16209
  • < 7.06.16113

Falcon Kubernetes Admission Controller:
  • < 7.20.1808
  • < 7.18.1605
  • < 7.17.1503
  • < 7.16.1403
  • < 7.14.1203
  • < 7.13.1102
  • < 7.12.1002
  • < 7.11.904
  • < 7.10.806
  • < 7.06.603

Falcon Container Sensor:
  • < 7.20.5908
  • < 7.19.5807
  • < 7.18.5705
  • < 7.17.5603
  • < 7.16.5503
  • < 7.15.5403
  • < 7.14.5306
  • < 7.13.5202
  • < 7.12.5102
  • < 7.11.5003
  • < 7.10.4907
  • < 7.06.4705

Severity

CrowdStrike has scored this issue as 8.1 (HIGH) per the Common Vulnerability Scoring System Version 3.1 (CVSS).

Weakness type and impact

Exploitation status

CrowdStrike has no indication of any exploitation of this issue in the wild.

CrowdStrike has leveraged its world-class threat hunting and intelligence capabilities to actively monitor for signs of abuse or usage of this flaw and will continue to do so.

Fixed versions

This validation logic error, and resulting CVE, is addressed in 7.21 and later versions of the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor.

Hotfixes for both supported and unsupported sensor versions are listed below and are available in your Falcon console for use with sensor update policies or via binary downloads.

Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor release versions prior to 7.06 are not fixed and should be updated immediately to the versions listed below.

Falcon sensor for Linux:
  • 7.21.17405 and later
  • 7.20.17308
  • 7.19.17221
  • 7.18.17131
  • 7.17.17014
  • 7.16.16909
  • 7.15.16806
  • 7.14.16705
  • 7.13.16606
  • 7.11.16410
  • 7.10.16321
  • 7.07.16209
  • 7.06.16113

Falcon Kubernetes Admission Controller:
  • 7.21.1904 and later
  • 7.20.1808
  • 7.18.1605
  • 7.17.1503
  • 7.16.1403
  • 7.14.1203
  • 7.13.1102
  • 7.12.1002
  • 7.11.904
  • 7.10.806
  • 7.06.603

Falcon Container Sensor:
  • 7.21.6003 and later
  • 7.20.5908
  • 7.19.5807
  • 7.18.5705
  • 7.17.5603
  • 7.16.5503
  • 7.15.5403
  • 7.14.5306
  • 7.13.5202
  • 7.12.5102
  • 7.11.5003
  • 7.10.4907
  • 7.06.4705

Performance impact

No direct or indirect impact to sensor performance is expected, nor was any seen in our testing.

Identify Impacted Hosts

Identify impacted hosts via advanced event search query


// The query below looks for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. It is based on the lookup file aid_master_main.csv, which is automatically updated every 4 hours.

// Read in AID Master file; REMINDER: this file updates every 4 hours.
| readFile("aid_master_main.csv")
 // Narrow search to only include Linux, Container, and K8 systems
| in(field="event_platform", values=[Lin, K8S])
// Parse AgentVersion into individual components for evaluation
| AgentVersion=/^(?<majorVersion>\d+)\.(?<minorVersion>\d+)\.(?<buildNumber>\d+)\./


 // Evaluate Linux Container Sensors
| case {
   event_platform=Lin ProductType=Pod majorVersion=6                                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=6  buildNumber<4705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=10 buildNumber<4907| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=11 buildNumber<5003| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=12 buildNumber<5102| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=13 buildNumber<5202| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=14 buildNumber<5306| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=15 buildNumber<5403| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=16 buildNumber<5503| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=17 buildNumber<5603| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=18 buildNumber<5705| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=19 buildNumber<5807| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod majorVersion=7 minorVersion=20 buildNumber<5908| Status:="NEEDS PATCH" | event_platform:="Lin (Pod)";
   event_platform=Lin ProductType=Pod                                                | Status:="OK"          | event_platform:="Lin (Pod)";
   *;
}


// Evaluate Linux Sensors
| case {
   event_platform=Lin majorVersion=6                                  | Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion<=5                  | Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=6 buildNumber<16113 | Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=7 buildNumber<16209 | Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=10 buildNumber<16321| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=11 buildNumber<16410| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=13 buildNumber<16606| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=14 buildNumber<16705| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=15 buildNumber<16806| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=16 buildNumber<16909| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=17 buildNumber<17014| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=18 buildNumber<17131| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=19 buildNumber<17221| Status:="NEEDS PATCH";
   event_platform=Lin majorVersion=7 minorVersion=20 buildNumber<17308| Status:="NEEDS PATCH";
   event_platform=Lin                                                 | Status:="OK";
   *;
}


// Evaluate K8 Sensors
| case {
   event_platform=K8S majorVersion=6                                 | Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion<=5                 | Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=6 buildNumber<603  | Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=10 buildNumber<806 | Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=11 buildNumber<904 | Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=12 buildNumber<1002| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=13 buildNumber<1102| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=14 buildNumber<1203| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=16 buildNumber<1403| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=17 buildNumber<1503| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=18 buildNumber<1605| Status:="NEEDS PATCH";
   event_platform=K8S majorVersion=7 minorVersion=20 buildNumber<1808| Status:="NEEDS PATCH";
   event_platform=K8S                                                | Status:="OK";
   *;
}


 // Modify field names for easier reading
| rename([[cid, "Customer ID"],[aid, "Agent ID"], [event_platform, Platform], [aip, "External IP"]])
 // Aggregate results into tabular format
| groupBy(["Customer ID", "Agent ID", ComputerName, Platform, Version, AgentVersion, Status, "External IP", LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], function=[], limit=max)
 // Set default values for easier reading
| default(value="-", field=[ComputerName, Version, AgentVersion, Status, LocalAddressIP4, MAC, SystemManufacturer, SystemProductName, FirstSeen, Time], replaceEmpty=true)
 // Move timestamps from epoch to human readable
| formatTime(format="%F %T", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T", as="LastSeen", field=Time)
// Remove unnecessary field
| drop([Time])
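
An offline counterpart to the query above, added here as an example (it is not CrowdStrike's code): it classifies version strings taken from an exported host list or a package repository against the fixed builds listed in this advisory. The product labels, function names and sample rows are constructed for illustration. As an assumption, a 7.x release below 7.21 with no listed hotfix is treated as needing an upgrade, following the statement that all versions prior to 7.21 are affected; the query above reports such a host as OK through its catch-all branch.

```python
import re

# Lowest fixed build per 7.x minor release, copied from the advisory's
# "Fixed versions" lists. The product keys are labels chosen for this example.
FIXED = {
    "linux": {6: 16113, 7: 16209, 10: 16321, 11: 16410, 13: 16606, 14: 16705,
              15: 16806, 16: 16909, 17: 17014, 18: 17131, 19: 17221,
              20: 17308, 21: 17405},
    "kac": {6: 603, 10: 806, 11: 904, 12: 1002, 13: 1102, 14: 1203,
            16: 1403, 17: 1503, 18: 1605, 20: 1808, 21: 1904},
    "container": {6: 4705, 10: 4907, 11: 5003, 12: 5102, 13: 5202, 14: 5306,
                  15: 5403, 16: 5503, 17: 5603, 18: 5705, 19: 5807,
                  20: 5908, 21: 6003},
}
# Accepts "7.20.17308" as well as the four-part "7.20.17308.0" form.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def classify(product, version):
    """Return 'OK', 'NEEDS PATCH' or 'UNKNOWN' for one sensor version."""
    m = VERSION_RE.match(version.strip())
    if product not in FIXED or m is None:
        return "UNKNOWN"          # never report an unparsable version as OK
    major, minor, build = (int(g) for g in m.groups())
    if (major, minor) > (7, 21):
        return "OK"               # later than the 7.21 fixed release
    if major < 7 or minor < 6:
        return "NEEDS PATCH"      # releases before 7.06 received no hotfix
    fixed_build = FIXED[product].get(minor)
    if fixed_build is None:
        return "NEEDS PATCH"      # assumption: no listed hotfix means affected
    return "OK" if build >= fixed_build else "NEEDS PATCH"


def audit(rows):
    return {host: classify(product, version) for host, product, version in rows}


# Constructed inventory rows, not real hosts.
SAMPLE = [
    ("web-01", "linux", "7.20.17308.0"), ("web-02", "linux", "7.12.16500.0"),
    ("kac-01", "kac", "7.18.1604"), ("pod-01", "container", "7.06.4705"),
    ("db-01", "linux", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```
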

Remediation

  • Upgrade Linux hosts running impacted sensor versions to a fixed version.
    • Note: While we have provided hotfixes for multiple sensor versions which have aged out of support, we recommend upgrading to currently supported versions.
  • Replace outdated installation binaries in any package distribution / system orchestration tools, ensuring that new installations are remediated.
  • CrowdStrike Falcon Exposure Management (including Falcon Spotlight) has detections enabled across all clouds.

Resources

 
Additional Questions
If you have additional questions, please reach out to your Technical Account Manager, Sales Engineer, Account Manager, or CrowdStrike Support.