
CrowdStrike has issued a security advisory regarding a high-severity Transport Layer Security (TLS) vulnerability in its Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor. The vulnerability, tracked as CVE-2025-1146, could allow attackers to perform man-in-the-middle (MiTM) attacks.
“CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud,” the advisory states. However, a validation logic error in the TLS connection routine could allow attackers to intercept and manipulate traffic between the sensor and the cloud.
All versions of the Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor prior to version 7.21 are affected, excluding hotfix builds for supported sensor versions. CrowdStrike emphasizes that Windows and Mac sensors are not affected by this vulnerability.
CrowdStrike has rated the severity of this vulnerability as 8.1 (HIGH) under the Common Vulnerability Scoring System (CVSS) Version 3.1. While there is no indication of active exploitation in the wild, users are strongly encouraged to update their software to mitigate potential risks.
CrowdStrike has released a security fix in all Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor versions 7.06 and above. The company recommends updating to version 7.21 or later as soon as possible. Hotfixes for supported and unsupported sensor versions are available in the Falcon console and can be applied via sensor update policies or binary downloads.
Organizations may worry about performance issues with the security update. However, CrowdStrike has confirmed that the patch does not impact sensor performance.
Users should prioritize updating their Falcon Sensor for Linux and related components to protect their systems from compromise.