Bypass Record

Valid Accounts × CrowdStrike connector

A publicly-reported instance of Valid Accounts bypassing CrowdStrike connector, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

CrowdStrike connector

Technique

Valid Accounts

MITRE ATT&CK

T1078

Confidence

High

Severity

Medium

Status

unknown

Disclosed

2025-10-07

Config / version noted

Not stated

Provenance

cve.akaoma.com
disclosed 2025-10-07 · original source · via exa

Reported as

A malicious user with low privileges can access CrowdStrike credentials from another space by creating and running a connector in a space they have access to.

Mechanism

The vulnerability allows a low-privileged attacker to retrieve cached CrowdStrike credentials from a connector in another space by deploying a connector in their own space. This bypasses intended access controls, potentially granting the attacker the ability to authenticate to CrowdStrike services as the victim.

Detection & mitigation

Monitor connector creation and credential access events in the affected platform for anomalous cross-space activity by low-privileged users. Mitigate by applying the vendor patch and enforcing strict access controls on connector deployment and credential storage.

Valid Accounts has also been recorded against

Microsoft SK Shieldus SOCFortress Tripwire

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.