CrowdStrike Falcon Sensor for Linux TLS Vulnerability Enabling MiTM Attack
CrowdStrike has disclosed a high-severity vulnerability in its Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor. The vulnerability, identified as CVE-2025-1146, originates from a validation logic error in the Transport Layer Security (TLS) connection routine. This vulnerability could allow attackers with control over network traffic to conduct man-in-the-middle (MiTM) attacks by […] The post CrowdStrike Falcon Sensor for Linux TLS Vulnerability Enabling MiTM Attack appeared first on Cyber Security News.
CrowdStrike has disclosed a high-severity vulnerability in its Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor.
The vulnerability, identified as CVE-2025-1146, originates from a validation logic error in the Transport Layer Security (TLS) connection routine.
This vulnerability could allow attackers with control over network traffic to conduct man-in-the-middle (MiTM) attacks by exploiting improper server certificate validation.
The vulnerability affects versions of the Falcon Sensor for Linux and related components prior to version 7.06. The issue arises from incorrect processing of server certificates during TLS communication with the CrowdStrike cloud.
Affected Versions:
| Falcon sensor for Linux | Falcon Kubernetes Admission Controller | Falcon Container Sensor |
|---|---|---|
| < 7.20.17308 | < 7.20.1808 | < 7.20.5908 |
| < 7.19.17221 | < 7.18.1605 | < 7.19.5807 |
| < 7.18.17131 | < 7.17.1503 | < 7.18.5705 |
| < 7.17.17014 | < 7.16.1403 | < 7.17.5603 |
| < 7.16.16909 | < 7.14.1203 | < 7.16.5503 |
| < 7.15.16806 | < 7.13.1102 | < 7.15.5403 |
| < 7.14.16705 | < 7.12.1002 | < 7.14.5306 |
| < 7.13.16606 | < 7.11.904 | < 7.13.5202 |
| < 7.11.16410 | < 7.10.806 | < 7.12.5102 |
| < 7.10.16321 | < 7.06.603 | < 7.11.5003 |
| < 7.07.16209 | < 7.10.4907 | |
| < 7.06.16113 | < 7.06.4705 |
If exploited, an attacker could intercept and manipulate encrypted communications, potentially compromising the confidentiality and integrity of the data being transmitted.
The Common Vulnerability Scoring System (CVSS) rates this flaw at 8.1 (High), underscoring its potential impact. The vulnerability is classified under CWE-296 (“Improper Following of a Certificate’s Chain of Trust”) and CAPEC-94 (“Adversary in the Middle”), highlighting its nature as a certificate validation weakness.
The vulnerability exclusively affects Linux-based systems running the Falcon Sensor or its Kubernetes and container-specific counterparts.
Windows and macOS sensors are confirmed to be unaffected. CrowdStrike emphasized that no evidence exists of this vulnerability being exploited in real-world attacks to date.
CrowdStrike identified the vulnerability during internal testing, following identifying the flaw, CrowdStrike released a fix in versions 7.06 and later for all affected products. Customers are urged to update their systems immediately to mitigate any risk.
Fixed Versions:
| Falcon sensor for Linux | Falcon Kubernetes Admission Controller | Falcon Container Sensor |
|---|---|---|
| 7.21.17405 and later | 7.21.1904 and later | 7.21.6003 and later |
| 7.20.17308 | 7.20.1808 | 7.20.5908 |
| 7.19.17221 | 7.18.1605 | 7.19.5807 |
| 7.18.17131 | 7.17.1503 | 7.18.5705 |
| 7.17.17014 | 7.16.1403 | 7.17.5603 |
| 7.16.16909 | 7.14.1203 | 7.16.5503 |
| 7.15.16806 | 7.13.1102 | 7.15.5403 |
| 7.14.16705 | 7.12.1002 | 7.14.5306 |
| 7.13.16606 | 7.11.904 | 7.13.5202 |
| 7.11.16410 | 7.10.806 | 7.12.5102 |
| 7.10.16321 | 7.06.603 | 7.11.5003 |
| 7.07.16209 | 7.10.4907 | |
| 7.06.16113 | 7.06.4705 |
For organizations unable to upgrade directly to version 7.21 or newer, hotfixes are available for older supported versions. These can be accessed through the Falcon console for deployment via update policies or manual downloads.
Mitigation Steps
To address this issue, CrowdStrike recommends:
- Upgrading affected systems to version 7.06 or higher.
- Replacing outdated installation binaries in package distribution or orchestration tools.
- Monitoring network traffic for potential MiTM attempts.
- Implementing robust network segmentation to limit attacker access.
- Regularly auditing security configurations for vulnerabilities.
PCI DSS 4.0 & Supply Chain Attack Prevention – Free Webinar
The post CrowdStrike Falcon Sensor for Linux TLS Vulnerability Enabling MiTM Attack appeared first on Cyber Security News.
