Sophos Intercept X for Windows Flaws Enable Arbitrary Code Execution

Sophos has disclosed three critical security vulnerabilities in its Intercept X for Windows endpoint security solution that could allow attackers to execute arbitrary code and gain system-level privileges on affected systems.

The vulnerabilities, designated CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, all carry high severity ratings and affect different components of the security software including the updater, Device Encryption module, and installer.

Critical Vulnerabilities Discovered

The most significant of these flaws involves CVE-2024-13972, a registry permissions vulnerability in the Intercept X for Windows updater that enables local users to escalate privileges to system level during product upgrades.

CVE ID         | Severity | Description                                                                             | Affected Versions
CVE-2024-13972 | High     | Registry permissions vulnerability enabling local privilege escalation during upgrades | Prior to version 2024.3.2
CVE-2025-7433  | High     | Local privilege escalation allowing arbitrary code execution                           | Prior to version 2025.1
CVE-2025-7472  | High     | Local privilege escalation when installer runs as SYSTEM                               | Prior to version 1.22

This vulnerability was responsibly disclosed by Filip Dragovic of MDSec, highlighting the importance of security research collaboration between vendors and the cybersecurity community.

CVE-2025-7433 represents another serious local privilege escalation flaw discovered in the Device Encryption component of Sophos Intercept X for Windows.

This vulnerability permits arbitrary code execution and was identified by security researcher Sina Kheirkhah of watchTowr.

The flaw sits in the Device Encryption component itself, the functionality many organizations rely on for data-at-rest protection.

The third vulnerability, CVE-2025-7472, affects the Intercept X for Windows installer and can lead to local privilege escalation when the installer runs with SYSTEM privileges.

Security researcher Sandro Poppi discovered this flaw through Sophos’s bug bounty program, demonstrating the effectiveness of incentivized security research.

Sophos has released comprehensive fixes across multiple product versions and support tiers.

For CVE-2024-13972, patches are available in Sophos Intercept X for Windows 2024.3.2, Fixed Term Support (FTS) 2024.3.2.23.2, and Long Term Support (LTS) 2025.0.1.1.2. Organizations using default updating policies will receive these fixes automatically.

The CVE-2025-7433 vulnerability was addressed in Device Encryption 2025.1, released on July 1, 2025, with additional fixes incorporated into FTS and LTS versions.

For CVE-2025-7472, the updated installer version 1.22 became available on March 6, 2025.

Organizations must take immediate action to address these vulnerabilities. Those using automatic updates should verify their systems have received the latest patches. FTS and LTS customers must manually upgrade to receive these critical security fixes.

Additionally, any deployment using older installer versions must download the latest installer from Sophos Central to prevent exploitation of CVE-2025-7472 in new installations.
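Because the fixed builds differ by support branch (standard, FTS, LTS) and some carry five-part version numbers, a plain string comparison gives wrong answers when checking fleet patch status. The following is an added example, not Sophos code, of a branch-aware patch-status check over an asset inventory. The inventory row layout (hostname, component, branch, version) and the component and branch labels are assumptions; the fixed versions are the ones stated above, and where the article gives no FTS/LTS build for a CVE the check reports "unknown" rather than guessing. The sample inventory is constructed.

```python
"""Patch-status check for CVE-2024-13972, CVE-2025-7433 and CVE-2025-7472.

Added example, not Sophos code. Assumes an asset inventory exported as
(hostname, component, branch, version) tuples; those field and label
names are assumptions. Fixed versions are those given in the advisory text.
"""
from collections import defaultdict

# Fixed version per CVE and support branch, as stated in the advisory.
# No FTS/LTS build is given for CVE-2025-7433, so only "standard" is listed.
FIXED_VERSIONS = {
    "CVE-2024-13972": {
        "component": "Intercept X",
        "fixed": {"standard": "2024.3.2", "FTS": "2024.3.2.23.2", "LTS": "2025.0.1.1.2"},
    },
    "CVE-2025-7433": {"component": "Device Encryption", "fixed": {"standard": "2025.1"}},
    "CVE-2025-7472": {"component": "Installer", "fixed": {"standard": "1.22"}},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2024.3.2.23.2' into (2024, 3, 2, 23, 2); rejects non-numeric parts."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"non-numeric version string: {version!r}") from exc


def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, comparing numerically component by component.

    Shorter versions are zero-padded so '2024.3.2' and '2024.3.2.23.2' compare
    sensibly, and '2024.10.1' correctly ranks above '2024.3.2' (string
    comparison would get that wrong).
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(component: str, branch: str, version: str) -> list[tuple[str, str]]:
    """Return (cve, status) pairs for one installed component.

    status is 'patched', 'vulnerable', or 'unknown' (no fixed build stated
    for this branch, so the record needs manual review).
    """
    findings = []
    for cve, info in FIXED_VERSIONS.items():
        if info["component"] != component:
            continue
        fixed = info["fixed"].get(branch)
        if fixed is None:
            findings.append((cve, "unknown"))
            continue
        findings.append((cve, "patched" if is_fixed(version, fixed) else "vulnerable"))
    return findings


def check_inventory(records):
    """Map hostname -> list of (cve, status, component, version) needing action."""
    report = defaultdict(list)
    for host, component, branch, version in records:
        for cve, status in assess(component, branch, version):
            if status != "patched":
                report[host].append((cve, status, component, version))
    return dict(report)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Intercept X", "standard", "2024.3.1"),        # below 2024.3.2
    ("ws-01", "Device Encryption", "standard", "2025.1"),    # fixed build
    ("ws-02", "Intercept X", "FTS", "2024.3.2.23.1"),        # one build short of FTS fix
    ("ws-02", "Installer", "standard", "1.21"),              # below 1.22
    ("ws-03", "Intercept X", "LTS", "2025.0.1.1.2"),         # LTS fixed build
    ("ws-03", "Device Encryption", "standard", "2024.3"),    # below 2025.1
    ("ws-04", "Intercept X", "FTS", "2024.3.2.23.2"),        # FTS fixed build
    ("ws-04", "Device Encryption", "FTS", "2025.1"),         # no FTS build stated -> unknown
    ("ws-05", "Intercept X", "standard", "2024.10.1"),       # numerically above 2024.3.2
]

if __name__ == "__main__":
    for host, findings in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        for cve, status, component, version in findings:
            print(f"{host}: {cve} {status} ({component} {version})")
```

Hosts that are fully patched produce no output; "unknown" rows are the ones to cross-check against the vendor's FTS/LTS release notes rather than assume safe.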

These vulnerabilities underscore the importance of maintaining current security software versions and implementing robust patch management processes across enterprise environments.

