Arbitrary File Deletion in CrowdStrike Falcon Sensor for Windows

Successful exploitation could allow a local attacker with prior code execution on the host to delete files outside the intended scope of the Falcon Sensor's operations. Depending on which files are deleted, this could cause denial of service, application or operating system instability, destruction of security tooling or logs, interference with recovery, or facilitate follow-on attacker actions by removing defensive or operational files. The provided content does not state that privilege escalation or code execution beyond the pre-existing foothold is directly achieved by this vulnerability. CrowdStrike states there is no indication of exploitation in the wild at the time of disclosure.

If immediate patching is not possible, reduce opportunities for local code execution on affected Windows hosts, since exploitation requires an attacker to already be able to run code on the system. Prioritize hardening and monitoring of systems running vulnerable Falcon Sensor for Windows or LTV sensors, restrict administrative and execution privileges, and monitor for unexpected file deletions affecting system, application, or security-related files. The provided content does not include vendor-specific temporary workarounds beyond applying the fix.

Upgrade CrowdStrike Falcon Sensor for Windows to a fixed release. The provided content states that CrowdStrike released a security fix in Falcon Sensor for Windows version 7.24 and above, and for all Long Term Visibility (LTV) sensors. Organizations should ensure affected Windows sensors are updated to the vendor-fixed version and verify deployment across the fleet.