
Feature Request: Safe Mode Reboot Protection in Cisco Secure Endpoint

SocW
Level 1

We’ve identified a potential vulnerability in scenarios where an attacker gains access to a system and reboots it into Safe Mode. During Safe Mode, we noticed that Cisco Secure Endpoint (AMP) appears disabled, which could leave the system exposed and allow malicious activity to run without interference.

On other systems where we use SentinelOne or Sophos, these kinds of attacks are more restricted. They offer:

  • Safe Mode Reboot Prevention – where Safe Mode can be blocked or controlled via policy.

  • Strong Tamper Protection – to prevent unauthorized changes even pre-boot or in Safe Mode scenarios.

We contacted Cisco TAC about this, and they confirmed that Secure Endpoint doesn’t currently support staying active in Safe Mode, nor is there a policy to block Safe Mode reboots. This behavior is by design to support diagnostics.

It would be great if Cisco could consider adding options like:

  • Safe Mode Persistence (so the agent remains active),

  • Reboot control via policy, or

  • At least alerting when a system boots into Safe Mode.

This would help improve protection against modern attack techniques that rely on Safe Mode to disable endpoint security.
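Until the product can alert on a Safe Mode boot, one compensating check is to correlate agent check-ins with an independent record of host activity and flag periods when a host is up but its agent is silent. The sketch below is an added example, not Cisco code or part of the original post; the two data sources, the record layout, the host names and the 15-minute threshold are all assumptions, and the sample records are constructed. A silent agent can have other causes (service stopped, agent removed), so each hit is a lead to investigate rather than proof of a Safe Mode boot.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Assumed sources:
#   AGENT_HEARTBEATS  - check-ins reported by the endpoint agent
#   NETWORK_SIGHTINGS - host activity seen by an independent source
#                       (for example DHCP or proxy logs)
AGENT_HEARTBEATS = [
    ("ws-001", "2024-05-01T08:00:00"), ("ws-001", "2024-05-01T08:10:00"),
    ("ws-001", "2024-05-01T08:20:00"), ("ws-001", "2024-05-01T08:30:00"),
    ("ws-001", "2024-05-01T10:00:00"),
    ("ws-002", "2024-05-01T08:00:00"), ("ws-002", "2024-05-01T08:10:00"),
    ("ws-002", "2024-05-01T08:20:00"),
]
NETWORK_SIGHTINGS = [
    ("ws-001", "2024-05-01T08:05:00"), ("ws-001", "2024-05-01T08:25:00"),
    ("ws-001", "2024-05-01T09:00:00"), ("ws-001", "2024-05-01T09:10:00"),
    ("ws-001", "2024-05-01T09:20:00"), ("ws-001", "2024-05-01T10:05:00"),
    ("ws-002", "2024-05-01T08:02:00"), ("ws-002", "2024-05-01T08:15:00"),
]
MAX_SILENCE = timedelta(minutes=15)  # assumed tolerance between check-ins


def _by_host(records):
    """Group (host, ISO timestamp) pairs into {host: sorted datetimes}."""
    grouped = {}
    for host, ts in records:
        grouped.setdefault(host, []).append(datetime.fromisoformat(ts))
    for times in grouped.values():
        times.sort()
    return grouped


def find_unprotected_windows(heartbeats, sightings, max_silence=MAX_SILENCE):
    """Return {host: [(start, end), ...]} for periods when the host was seen
    on the network but no agent heartbeat lies within max_silence."""
    beats = _by_host(heartbeats)
    result = {}
    for host, seen in _by_host(sightings).items():
        host_beats = beats.get(host, [])
        uncovered = [t for t in seen
                     if not any(abs(t - b) <= max_silence for b in host_beats)]
        windows = []
        for t in uncovered:
            # Merge sightings that are close together into one window.
            if windows and t - windows[-1][1] <= max_silence:
                windows[-1] = (windows[-1][0], t)
            else:
                windows.append((t, t))
        if windows:
            result[host] = windows
    return result
```
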
