
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CrowdStrike has identified a high-severity Transport Layer Security (TLS) vulnerability (CVE-2025-1146) in its Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor. The vulnerability stems from a validation logic error in the TLS connection routine between the Falcon sensor and the CrowdStrike cloud, discovered during an internal review process (CrowdStrike Advisory, Security Online).
The vulnerability is classified under CWE-296 (Improper Following of a Certificate's Chain of Trust) and CAPEC-94 (Adversary-in-the-Middle). It affects all versions of the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor prior to version 7.21, excluding hotfix builds for supported sensor versions. CrowdStrike has assigned a CVSS score of 8.1 (HIGH) to this vulnerability (CrowdStrike Advisory, GBHackers).
The validation logic error in the TLS connection routine could allow an attacker who controls network traffic to conduct a man-in-the-middle (MiTM) attack, intercepting and manipulating sensitive data in transit between the Falcon sensor and the CrowdStrike cloud (CrowdStrike Advisory, Security Online).
CrowdStrike has released security fixes in version 7.21 and later for all affected products. Hotfixes are available for both supported and unsupported sensor versions through the Falcon console for use with sensor update policies or via binary downloads. The company recommends maintaining hosts at N-2 or newer sensors and confirms that the patches do not impact sensor performance (CrowdStrike Advisory, Security Online).
Source: This report was generated using AI
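To act on the affected-version statement above, the following added example (not CrowdStrike's or this database's code) triages a sensor inventory against the 7.21 fix line. The CSV layout, hostnames, build numbers and the `hotfixed_builds` parameter are assumptions; the page lists no hotfix build numbers, so those must be supplied by the operator from the Falcon console.

```python
import csv
import io

FIXED = (7, 21)  # first fixed release named in the advisory text above
AFFECTED_PRODUCTS = {
    "Falcon Sensor for Linux",
    "Falcon Kubernetes Admission Controller",
    "Falcon Container Sensor",
}

# Constructed inventory export; hostnames and build numbers are invented.
SAMPLE_INVENTORY = """host,product,version
web-01,Falcon Sensor for Linux,7.20.17306
web-02,Falcon Sensor for Linux,7.21.17405
k8s-ac,Falcon Kubernetes Admission Controller,7.9.1001
ctr-07,Falcon Container Sensor,7.19.5002
win-03,Other Agent,7.18.1
old-01,Falcon Sensor for Linux,unknown
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def triage(inventory_csv, hotfixed_builds=frozenset()):
    """Map host -> status. hotfixed_builds holds exact version strings the
    operator has confirmed as hotfix builds (hypothetical parameter)."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, version = row["host"], row["version"].strip()
        if row["product"] not in AFFECTED_PRODUCTS:
            result[host] = "not-in-scope"
            continue
        parsed = parse_version(version)
        if parsed is None or len(parsed) < 2:
            result[host] = "unknown-version"  # needs manual review
        elif parsed[:2] >= FIXED:             # numeric compare: 7.9 < 7.21
            result[host] = "fixed"
        elif version in hotfixed_builds:
            result[host] = "hotfixed"
        else:
            result[host] = "update-required"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 7.9 above 7.21 and mark an affected sensor as fixed.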