BATAVIA, Ill., May 8, 2025 — High Wire Networks’ Overwatch division is proactively notifying its MSP partners about a recently resurfaced vulnerability affecting SentinelOne Windows agents. While SentinelOne has been aware of the issue since January 2025, a newly published research article has reignited concern across the security community.
The vulnerability, disclosed by Aon’s Stroz Friedberg Incident Response team, allows attackers with local administrator access to exploit the agent upgrade process using legitimate, signed SentinelOne installers. By interrupting the upgrade mid-process, threat actors can disable endpoint protection and deploy ransomware such as Babuk undetected.
SentinelOne addressed this issue earlier this year by releasing the “Local Upgrade Authorization” feature. This feature requires online approval from the SentinelOne management console before any local upgrades, downgrades, or uninstalls can proceed.
Overwatch moved immediately to reinforce this protection across all managed environments.
“I wanted to make everyone aware of a recent article that’s been circulating and causing some anxiety in the security community,” said Michael Lieder, Senior Director of Service Delivery & Products at High Wire – Overwatch. “SentinelOne has been aware of the vulnerability since January, but the renewed media attention has understandably raised concerns. Our team responded quickly — we’ve enforced Online Authorization across all S1 tenants using a bypass policy that prevents it from being disabled. We’ve also enabled a detection rule to alert us if any actor attempts to exploit this vulnerability.”
Overwatch has also engaged directly with SentinelOne to stay current on developments and ensure the highest levels of protection are maintained for partners and their customers.
Partner Talking Points & Key Actions:
- The vulnerability only applies to SentinelOne Windows agents and requires local admin access.
- Overwatch has enforced “Online Authorization” for all tenants to ensure that agent updates are legitimate and approved.
- A detection rule — Potential Bring Your Own Installer Exploitation — is active and monitoring for exploitation attempts.
- The bypass policy is locked and cannot be disabled by end users or local admins.
- Overwatch has already responded to partner inquiries and is actively supporting client conversations.
“This communication is designed to empower our partners to confidently address any customer concerns,” Lieder added. “We’re on top of this, and will continue monitoring, engaging with SentinelOne, and pushing out any new protections that emerge.”
References:
https://www.sentinelone.com/blog/protection-against-local-upgrade-technique-described-in-aon-research/
https://cybersecuritynews.com/threat-actor-bypass-sentinelone-edr/
About High Wire Networks
High Wire Networks, Inc. (OTCQB: HWNI) is a fast-growing, award-winning global provider of managed cybersecurity. Through over 200 channel partners, it delivers trusted managed services for more than 1,100 managed security customers worldwide. End customers include Fortune 500 companies and many of the nation’s largest government agencies.
The company’s Overwatch by High Wire Networks™ platform offers a range of subscription services for threat prevention, detection, and response, meeting the security and compliance requirements of organizations large and small. The company’s IT enablement services provide the foundation for growing its higher-margin Overwatch business.
High Wire was recently ranked by Frost & Sullivan as a Top 12 Managed Security Service Provider in the Americas. It was also named to CRN’s MSP 500 and Elite 150 lists of the nation’s top IT managed service providers.
Learn more at HighWireNetworks.com. Follow the company on X, view its extensive video series on YouTube or connect on LinkedIn.
Company Contact
Mark Porter, CEO
High Wire Networks
Tel +1 (952) 974-4000
Media Relations
Lori Aleman
Director of Marketing
High Wire Networks
O: 630-635-8477 | C: 602-920-0902
Email: lori.aleman@highwirenetworks.com
Website: www.highwirenetworks.com