Aikido Exploit and Its Impact on SonicWall Capture Client

First Published:12/13/2022 Last Updated:12/16/2022


On December 7, 2022, a SafeBreach security researcher disclosed a vulnerability dubbed “Aikido,” with subsequent proof-of-concept (POC) exploit code that can potentially turn EDR agents running on Microsoft Windows endpoints into malicious data wipers. 

The exploit has been confirmed to work with six vulnerable EDR products, including the SentinelOne Agent for Microsoft Windows. SonicWall Capture Client leverages the SentinelOne Agent to deliver advanced endpoint protection.

The SonicWall Product Security & Incident Response Team (PSIRT) is not aware of active exploitation in the wild. While reports of a proof of concept have been made public by the SafeBreach researcher, malicious use of this vulnerability has not been reported to SonicWall.

Affected Products

The Aikido exploit affects SonicWall Capture Client users with SentinelOne Agent for Windows on all versions older than those mentioned in the workaround below.


SentinelOne has released a policy override that can be enabled on affected endpoints running versions, or to fix the vulnerability. SonicWall has already applied this policy override to all affected endpoints running SonicWall Capture Client.


SonicWall Capture Client users running SentinelOne Agent for Windows will not be affected. SonicWall has promoted this version as a SonicWall-managed release, which will trigger an automatic update for all endpoints configured with a SonicWall-managed release as part of the Client policy.

Customers managing endpoints with a Self-Managed release older than SentinelOne Agent for Windows are recommended to upgrade to the latest SonicWall-managed release for the SentinelOne Agent for Windows.

 NOTE: A reboot is required after performing the update.

SentinelOne released a Security Notice on December 9, 2022, confirming that the fix will be automatically enabled in the upcoming SentinelOne Agent for Windows 22.3 

Additional Resources