SentinelOne Flaw Lets Hackers Deploy Babuk Ransomware
A newly identified technique is allowing threat actors to bypass SentinelOne’s endpoint detection and response (EDR) system, enabling the deployment of Babuk ransomware without triggering alerts, according to Aon’s Stroz Friedberg Incident Response team. Dubbed “Bring Your Own Installer,” the method exploits a flaw in SentinelOne’s agent upgrade process, terminating protection processes and leaving systems vulnerable.
Attackers use legitimate signed SentinelOne installers to initiate the update, then forcibly halt the installation mid-process. This disables EDR protections without needing elevated permissions or third-party tools. Once defenses are down, Babuk ransomware is deployed, encrypting files on Windows and Linux systems with AES-256.
SentinelOne issued mitigation guidance in January 2025, urging customers to enable the “Online Authorization” feature to prevent unauthorized updates. The firm also shared its findings with other EDR providers. Stroz Friedberg recommends monitoring logs for suspicious version changes and terminated SentinelOne services to detect potential exploits early.
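The detection advice above (watch for suspicious agent version changes and for terminated SentinelOne services) can be turned into a simple batch rule over endpoint logs. The following is an added example written for this page, not code from Aon, Stroz Friedberg or SentinelOne. The log line format, the service name `SentinelAgent`, the event names (`UPGRADE_STARTED`, `UPGRADE_COMPLETED`, `SERVICE_STOPPED`, `SERVICE_STARTED`) and the grace windows are assumptions; the sample log is constructed. It flags an upgrade that starts but never completes, raising severity when the protection service stops during that window, and separately flags a protection service that stops and does not come back.

```python
"""Flag interrupted SentinelOne agent upgrades and unexpected agent service stops.

Added example for this article; the log format, event names, service name and
thresholds are assumptions, and SAMPLE_LOG is constructed test data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <host> <EVENT> key=value ..." (hypothetical format).
SAMPLE_LOG = """\
2025-01-14T10:00:01Z WS-07 UPGRADE_STARTED product=SentinelAgent from=23.4.2 to=24.1.3 installer=SentinelInstaller_x64.exe
2025-01-14T10:00:09Z WS-07 SERVICE_STOPPED name=SentinelAgent
2025-01-14T10:00:10Z WS-07 PROCESS_TERMINATED image=SentinelInstaller_x64.exe
2025-01-14T10:00:00Z WS-12 UPGRADE_STARTED product=SentinelAgent from=23.4.2 to=24.1.3 installer=SentinelInstaller_x64.exe
2025-01-14T10:01:30Z WS-12 UPGRADE_COMPLETED product=SentinelAgent version=24.1.3
2025-01-14T11:15:00Z WS-20 SERVICE_STOPPED name=SentinelAgent
2025-01-14T11:15:04Z WS-20 SERVICE_STARTED name=SentinelAgent
"""

UPGRADE_GRACE = timedelta(minutes=10)  # assumed: longest a legitimate upgrade should take
RESTART_GRACE = timedelta(seconds=60)  # assumed: how fast a stopped agent service should return

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    attrs: dict[str, str]


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["event"], dict(KV_RE.findall(m["rest"]))))
    return sorted(events, key=lambda e: (e.host, e.ts))


def detect(events: list[Event]) -> list[Alert]:
    """Apply the two rules per host and return the resulting alerts."""
    alerts: list[Alert] = []
    by_host: dict[str, list[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        # Rule 1: an upgrade that starts but never completes inside the grace window.
        # A legitimate upgrade also stops the service, so the stop alone is not the
        # signal; stop + no completion is what escalates the severity.
        for e in evs:
            if e.kind != "UPGRADE_STARTED":
                continue
            window = (e.ts, e.ts + UPGRADE_GRACE)
            completed = any(x.kind == "UPGRADE_COMPLETED" and window[0] <= x.ts <= window[1] for x in evs)
            stopped = any(x.kind == "SERVICE_STOPPED" and window[0] <= x.ts <= window[1] for x in evs)
            if not completed:
                detail = f"upgrade {e.attrs.get('from')} -> {e.attrs.get('to')} never completed"
                if stopped:
                    detail += "; protection service stopped during the upgrade window"
                alerts.append(Alert(host, "interrupted_upgrade", "high" if stopped else "medium", detail))

        # Rule 2: the agent service stops and is not started again within the grace window.
        for e in evs:
            if e.kind != "SERVICE_STOPPED":
                continue
            name = e.attrs.get("name")
            restarted = any(
                x.kind == "SERVICE_STARTED" and x.attrs.get("name") == name
                and e.ts < x.ts <= e.ts + RESTART_GRACE
                for x in evs
            )
            if not restarted:
                alerts.append(Alert(host, "service_not_restarted", "medium",
                                    f"{name} stopped at {e.ts.isoformat()} and did not restart"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity.upper()}] {a.host} {a.rule}: {a.detail}")
```

On the constructed sample, only WS-07 is flagged (both rules fire); WS-12 completes its upgrade inside the window and WS-20's service is back within seconds, so neither produces an alert. In a real deployment the parser would be swapped for the organisation's own log source and the grace windows tuned to observed upgrade durations.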
