// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-34DTG 0600Z
ColdRecon / Competitor Intel / CrowdStrike
Endpoint Security Vendor

CrowdStrike

34 PUBLIC SECURITY EVENTS ON FILE · 2023-05-31 — 2026-06-25

Publicly-known security events concerning CrowdStrike — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What CrowdStrike sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

CrowdStrike competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 11 vuln disclosures · 9 incidents · 14 research pocs.

2026-06-25
vuln disclosure
CVE-2026-39118 in macOS Allows Standard Users to Disable Security AgentsCVE-2026-39118
A vulnerability in Apple macOS (CVE-2026-39118) allows a standard user to disable or permanently deactivate enterprise security agents like CrowdStrike EDR and Kandji MDM. The flaw stems from improper authorization in the Endpoint Security framework, enabling unauthorized termination of security processes. This undermines endpoint protection and compliance on affected macOS systems.
2026-05-18
vuln disclosure
Pwn2Own Berlin 2024: 47 Zero-Days Disclosed Across Security ProductsPwn2Own Berlin 2024
At Pwn2Own Berlin 2024, security researchers disclosed 47 previously unknown zero-day vulnerabilities in various endpoint security and enterprise products. The event awarded $1.3 million in bounties, highlighting weaknesses in widely used security tools.
2026-05-16
incident
CrowdStrike Falcon Sensor Update Causes Global Windows BSOD OutageCrowdStrike Falcon Sensor Channel File 291 Incident
On July 19, 2024, a faulty Rapid Response Content configuration file (Channel File 291) for the CrowdStrike Falcon sensor caused widespread Windows Blue Screen of Death (BSOD) crashes. The update, deployed without staged rollout, affected approximately 8.5 million devices globally, disrupting airlines, hospitals, and critical services. The incident stemmed from an architectural decision to allow rapid threat-detection updates to the kernel-level sensor without the same testing rigor applied to sensor code.
2026-04-27
vuln disclosure
CrowdStrike Discloses Critical Vulnerability in Falcon Platform
CrowdStrike published a security advisory on April 21, 2026, addressing a critical vulnerability in its Falcon platform products. The Canadian Centre for Cyber Security issued an alert (AV26-384) regarding the advisory. No further technical details were provided in the article.
2026-04-21
vuln disclosure
CrowdStrike LogScale Unauthenticated Path-Traversal Vulnerability Allows Arbitrary File ReadCVE-2026-40050
CrowdStrike disclosed a critical unauthenticated path-traversal vulnerability (CVE-2026-40050) in its LogScale platform. A remote attacker can exploit the flaw to read arbitrary files from the server's filesystem without authentication. The vendor issued an urgent security advisory.
2026-04-05
vuln disclosure
PoisonX BYOVD Driver Bypasses CrowdStrike Falcon via Microsoft-Signed Kernel DriverPoisonX BYOVD
A previously unknown Microsoft-signed kernel driver, PoisonX.sys, was discovered enabling Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to terminate CrowdStrike Falcon's Protected Process Light (PPL) sensor. The driver exposes an undocumented IOCTL (0x22E010) that allows user-mode attackers to kill any process by PID from kernel mode, bypassing PPL protections. This vulnerability highlights the risk of signed but vulnerable drivers being exploited to disable endpoint security.
2026-03-27
research poc
Ridge IT Cyber MDR Testing Shows EDR Bypass RatesEDR Bypass Testing by Ridge IT Cyber
Ridge IT Cyber conducted testing of managed endpoint security solutions, finding that CrowdStrike was bypassed after 3 months while all other tested EDR platforms were bypassed within 3 days. SentinelOne blocked approximately 30% of threat samples. The results highlight varying effectiveness of EDR solutions against advanced threats.
2026-02-24
research poc
Doppelganger LSASS Cloning Technique Evades EDR ProtectionsDoppelganger
Security researcher Andrea Varischio developed Doppelganger, a proof-of-concept tool that clones the LSASS process to extract credentials without touching the protected original. The technique bypasses EDR hooks, PPL, and monitoring by operating on a copy, leveraging BYOVD to disable PPL in kernel memory. This matters because it demonstrates a novel evasion method against modern EDRs that protect LSASS.
2026-02-10
incident
Reynolds Ransomware Embeds Vulnerable Driver to Kill EDR Before EncryptionReynolds ransomware
Broadcom researchers disclosed Reynolds ransomware in February 2026, which embeds the vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly into its payload to terminate endpoint security processes before encrypting files. This single-binary approach eliminates the detection gap of traditional BYOVD attacks, making it harder for defenders to spot. The ransomware targets major EDR products including CrowdStrike Falcon, Cortex XDR, and others.
2025-12-07
research poc
CLR-Unhook Tool Restores Original nLoadImage to Bypass EDR .NET Assembly ScanningCLR-Unhook
A new proof-of-concept tool named CLR-Unhook removes security product hooks from the nLoadImage function in clr.dll, restoring the original CLR behavior. This allows in-memory .NET assembly loads via Assembly.Load(byte[]) to execute without EDR inspection or scanning, bypassing products like CrowdStrike, Bitdefender, and SentinelOne.
2025-11-24
incident
CrowdStrike Insider Leaked Dashboard Screenshots to CybercriminalsCrowdStrike Insider Screenshot Leak
A CrowdStrike insider was terminated after sharing screenshots of internal dashboards, including an Okta SSO panel, with the financially motivated group Scattered Lapsus$ Hunters. The group falsely claimed a system breach, but CrowdStrike confirmed no compromise occurred and customer protections remained intact. The incident highlights insider threat risks to security vendors.
2025-10-18
research poc
ShellcodePack Pro EDR Evasion Tool Leaked on Cybercrime ForumShellcodePack Pro
A threat actor is distributing 'ShellcodePack Pro', a tool designed to execute malicious shellcode while evading detection by CrowdStrike and Cortex EDRs. The tool lowers the barrier for attackers by packaging sophisticated evasion techniques, and the distributor advises using 'kleenscan' instead of VirusTotal to avoid burning the methods. This poses a direct threat to organizations relying on these EDR platforms.
2025-10-08
vuln disclosure
CrowdStrike Falcon Windows Sensor Vulnerabilities Allow Arbitrary File DeletionCVE-2025-42701, CVE-2025-42706
CrowdStrike disclosed two medium-severity vulnerabilities (CVE-2025-42701 and CVE-2025-42706) in its Falcon sensor for Windows that could allow an attacker with existing code execution to delete arbitrary files. The flaws are a TOCTOU race condition and a logic error in origin validation. Patches are available, and no exploitation has been detected.
2025-10-08
vuln disclosure
CrowdStrike Falcon Sensor for Windows Arbitrary File Deletion VulnerabilityCVE-2025-42706
A logic error in the CrowdStrike Falcon sensor for Windows allows an attacker with code execution on the host to delete arbitrary files. The vulnerability was responsibly disclosed via CrowdStrike's bug bounty program and has been patched in sensor version 7.24 and above. There is no evidence of exploitation in the wild.
2025-10-07
vuln disclosure
CVE-2025-37728: Insufficiently Protected Credentials in CrowdStrike ConnectorCVE-2025-37728
CVE-2025-37728 is a vulnerability in a CrowdStrike connector where cached credentials are insufficiently protected. A malicious user with low privileges can access CrowdStrike credentials from another space by creating and running a connector in a space they have access to. This could lead to unauthorized access to CrowdStrike services.
2025-09-29
incident
Attackers Use Malicious WDAC Policies to Disable EDR AgentsWDAC Bypass
Cybercriminals are deploying malicious Windows Defender Application Control (WDAC) policies to block EDR executables, drivers, and services, effectively disabling endpoint detection. The technique, previously a proof-of-concept called Krueger, is now used in active malware like DreamDemon, targeting EDR products including CrowdStrike and Microsoft Defender for Endpoint. This bypass undermines the detect-and-respond model by blinding sensors before they initialize.
2025-09-16
incident
CrowdStrike npm Packages Compromised in Shai-Halud Supply Chain AttackShai-Halud supply chain attack (CrowdStrike npm compromise)
Multiple npm packages published by CrowdStrike were compromised in an ongoing supply chain attack linked to the Shai-Halud campaign. The malicious packages contained a script that downloads TruffleHog to steal secrets and creates unauthorized GitHub Actions workflows for persistence. CrowdStrike confirmed the Falcon sensor and platform are not impacted.
2025-08-28
research poc
WDAC Policies Used to Disable EDR Agents in the WildWDAC-EDR-Block
Research details how Windows Defender Application Control (WDAC) policies are being used by threat actors to block endpoint detection and response (EDR) agents. Multiple malware families, including Krueger and a new variant named DreamDemon, have been observed deploying WDAC policies that prevent EDR components from loading. The technique remains effective against many EDR products, with limited preventive capabilities from vendors.
2025-07-13
research poc
PhantomLoad: Stealthy Fileless Shellcode Loader with EDR/AV Evasion ReleasedPhantomLoad
PhantomLoad is a newly released open-source, fileless shellcode loader designed for red team operations. It implements multiple evasion techniques including syscall unhooking, ETW patching, AMSI bypass, and PPID spoofing to bypass endpoint security products. The tool supports payloads from Cobalt Strike, Meterpreter, and BruteRatel, and is explicitly stated to bypass Defender, CrowdStrike, and SentinelOne.
2025-06-12
research poc
MoveEDR: PowerShell script to disable EDRs by moving files at boot via PendingFileRenameOperationsMoveEDR
A PowerShell script called MoveEDR was published that leverages the Windows PendingFileRenameOperations registry key to move or delete EDR files before they start, effectively disabling endpoint detection. It requires local administrator privileges and targets multiple EDR products, including CrowdStrike, Elastic, McAfee, Trellix, Trend Micro, and Windows Defender. The technique is a proof-of-concept demonstrating a built-in Windows mechanism to bypass tamper protection.
2025-05-30
incident
Conti Ransomware Gang Leaks Internal EDR Evasion Tier ListConti EDR Tier List Leak
The Conti ransomware group leaked an internal ranking of endpoint detection and response (EDR) products based on their ease of bypass during real-world attacks. The list places Microsoft Defender for Endpoint, McAfee, and Webroot in the lowest tier, while CrowdStrike is ranked highest. The leak highlights that even top-tier EDRs can be evaded, especially when poorly configured, and underscores the importance of defense-in-depth and proper security tool configuration.
2025-04-15
research poc
PatchedCLRLoader: .NET Assembly Loader with AMSI and ETW Patching BypassPatchedCLRLoader
A proof-of-concept tool named PatchedCLRLoader demonstrates loading .NET assemblies while bypassing AMSI and ETW by patching functions in clr.dll and ntdll.dll. It uses direct syscalls and RC4 encryption to evade detection, and was tested successfully against Cortex XDR, Sophos, MDE, and CrowdStrike. The technique specifically patches AmsiScanBuffer in clr.dll and NtTraceEvent to avoid newer Windows Defender protections.
2025-03-06
vuln disclosure
CrowdStrike Falcon Sensor Process Suspension Bypass (Sleeping Beauty)Sleeping Beauty
SEC Consult discovered that CrowdStrike Falcon Sensor processes could be suspended by an attacker with SYSTEM privileges, allowing malicious applications to execute undetected. The vulnerability, named 'Sleeping Beauty', was initially dismissed by CrowdStrike as a detection gap but was silently patched by 2025. The bypass enabled tools like winPEAS, Rubeus, and Certipy to run unimpeded until the sensor was resumed.
2025-03-05
research poc
Two EDR Evasion Techniques Tested Against CrowdStrike: Python Shellcode Execution and Go Reverse SSH TunnelPyramid Python EDR Evasion
A red teamer demonstrated two techniques to evade CrowdStrike EDR: using the Pyramid framework to execute Sliver shellcode in Python's memory, and a custom Go binary to establish a reverse SSH tunnel for proxying post-exploitation tools. Both methods leverage trusted, legitimate tools to blend in and avoid detection.
2025-02-07
research poc
Dark Web Actor Claims to Sell EDR Evasion ToolUnnamed EDR Evasion Tool
A threat actor on the dark web claims to sell a tool that bypasses EDR solutions using advanced cryptographic techniques. The tool reportedly targets CrowdStrike, Sophos, SentinelOne, and FortiClient. This highlights the growing black market for EDR evasion tools.
2024-08-19
incident
Lazarus APT exploited Windows AFD.sys zero-day CVE-2024-38193 for privilege escalationCVE-2024-38193
Microsoft patched CVE-2024-38193, a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys), which was actively exploited by the North Korea-linked Lazarus APT group. The flaw allowed attackers to gain SYSTEM privileges and was used alongside the FudModule rootkit to bypass security software. This follows Lazarus's earlier exploitation of CVE-2024-21338 in the AppLocker driver for kernel-level access.
2024-07-25
vuln disclosure
CrowdStrike Dismisses Exploitability of Falcon Sensor Bug That Caused BSODCrowdStrike Falcon Sensor Channel File 291 OOB Read
CrowdStrike disputes claims by Qihoo 360 that the Falcon sensor bug causing a global Windows BSOD incident is exploitable for privilege escalation or remote code execution. The bug is an out-of-bounds read due to a mismatch in expected inputs, and CrowdStrike states it does not allow arbitrary memory writes or control of program execution. The company cites multiple sensor protections that prevent tampering with channel files.
2024-03-22
research poc
HookChain EDR Evasion Framework ReleasedHookChain
A new open-source evasion framework named HookChain has been published, designed to bypass Endpoint Detection and Response (EDR) solutions. It uses IAT hooking, dynamic system service number resolution, and indirect system calls to hide malicious payloads. The tool claims to evade detection by several major EDR products.
2024-01-20
incident
Terminator EDR Killer Tool Uses BYOVD to Terminate Security ProcessesTerminator EDR Killer (Spyboy)
A threat actor named Spyboy is selling a tool called Terminator that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate processes of endpoint security products. The tool loads a vulnerable Zemana anti-malware driver to execute code in kernel mode, bypassing user-mode protections. SentinelOne detects known samples, and organizations are advised to review provided indicators of compromise.
2023-12-06
research poc
Pool Party Process Injection Techniques Bypass Major EDR SolutionsPool Party
SafeBreach researchers presented eight new process injection techniques called Pool Party at Black Hat Europe 2023. These techniques abuse Windows thread pools and worker factories to execute malicious code, achieving 100% bypass against five leading EDR products. The methods are more flexible than existing techniques and fully undetectable in tests.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
2023-07-06
research poc
Research PoC Demonstrates EDR Unhooking Against CrowdStrike Falcon Without VirtualProtectEDR Unhooking via In-Memory Disassembly (Falcon)
A security researcher published a proof-of-concept technique to unhook CrowdStrike Falcon's syscall hooks in ntdll.dll without using VirtualProtect or loading a fresh ntdll.dll. The method follows hook jumps to locate the relocated syscall stub by searching memory for the return address, then patches the hook with a custom jump. This demonstrates a potential evasion method, though the author notes it is highly targeted and fragile.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
2023-05-31
incident
Terminator tool uses BYOVD with Zemana driver to terminate security productsTerminator
A threat actor is selling a tool called Terminator that uses a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus, EDR, and XDR processes. The tool drops a legitimate but vulnerable Zemana anti-malware driver (zamguard64.sys or zam64.sys) to gain kernel-level privileges and kill security software user-mode processes. CrowdStrike confirmed the technique is a BYOVD attack, not a novel bypass.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

CrowdStrike ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →