A newly discovered exploit has revealed a critical vulnerability in SentinelOne’s endpoint detection and response (EDR) system, allowing cybercriminals to bypass its tamper protection and deploy the Babuk ransomware. The method, identified as a “Bring Your Own Installer” technique, was uncovered by John Ailes and Tim Mashni from Aon’s Stroz Friedberg Incident Response team during a real-world ransomware case investigation. 
The core issue lies in how the SentinelOne agent handles updates. When an agent is upgraded, the existing version is momentarily stopped to make way for the new one. Threat actors have figured out how to exploit this transition window by launching a legitimate SentinelOne installer and then terminating it mid-process. This action disables the EDR protection temporarily, leaving the system vulnerable long enough to install ransomware or execute malicious operations without being detected.
Unlike traditional bypasses that rely on third-party drivers or hacking tools, this method takes advantage of SentinelOne’s own software. Once the process is interrupted, the system loses its protection, allowing the attackers to act with impunity. Ailes stressed that the bypass can be triggered using both older and newer agent versions, putting even up-to-date deployments at risk if specific configuration settings are not enabled.
During their investigation, the team observed how the targeted device disappeared from the SentinelOne management console shortly after the exploit was executed, signaling that the endpoint had become unmonitored.
The attack was effective across multiple versions of the software, indicating that the exploit isn’t tied to a particular release.
To mitigate this risk, SentinelOne recommends activating a feature called “Online Authorization” (also referred to as Local Upgrade Authorization). This setting ensures that any attempt to upgrade, downgrade, or uninstall the agent must first be approved via the SentinelOne management console.
Although this option exists, it is not enabled by default for existing customers, largely to maintain compatibility with deployment tools like Microsoft’s System Center Configuration Manager.
Since the vulnerability was disclosed, SentinelOne has taken steps to notify customers and is now enabling the protective setting by default for new installations.
The company also confirmed sharing the findings with other major EDR providers, recognizing that similar techniques could potentially impact their platforms as well.
While the current exploit does not affect SentinelOne when configured correctly, the case serves as a stark reminder of the importance of security hardening, particularly in the tools meant to defend against sophisticated threats.
