Sophos Intercept X for Windows Vulnerabilities Enable Arbitrary Code Execution
Three critical vulnerabilities in the Sophos Intercept X for Windows product family could allow local attackers to achieve arbitrary code execution with system-level privileges.
Identified as CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, the flaws span registry permission misconfigurations, a weakness in the Device Encryption component, and an issue in the Windows installer running under the SYSTEM account.
Key Takeaways
1. Three High-severity CVEs enable local privilege escalation in Sophos Intercept X for Windows.
2. Affects updater, Device Encryption, and installer components.
3. Upgrade to the latest patched versions - no workarounds available.
All three defects carry a High severity rating and affect versions of Intercept X for Windows before the latest patches released on July 17, 2025.
Organizations deploying Sophos Intercept X Endpoint or Intercept X for Server must apply updates immediately or risk unauthorized elevation of privilege and potential complete system compromise.
Privilege Escalation & Code Execution Vulnerabilities
CVE-2024-13972 arises from overly permissive registry ACLs used by the Intercept X for Windows updater, permitting a non-privileged user to modify critical registry keys during an upgrade and thereby inject code that executes with SYSTEM privileges.
This local privilege escalation (LPE) vulnerability was responsibly reported by Filip Dragovic of MDSec.
In the second issue, CVE-2025-7433, the Device Encryption component exposes an elevation of privilege flaw that enables an authenticated local user to load and run arbitrary code, bypassing intended encryption safeguards.
This defect was submitted via watchTowr by researcher Sina Kheirkhah.
Lastly, CVE-2025-7472 targets the installer for Intercept X for Windows.
When the installer runs under the SYSTEM context, common in enterprise deployments, a local actor can exploit improper file permissions to replace or manipulate installer files and gain system-level code execution.
Sandro Poppi reported this bug through Sophos’s bug bounty program.
| CVE | Title | Impact | CVSS 3.1 Score | Severity |
|---|---|---|---|---|
| CVE-2024-13972 | Registry Permissions Vulnerability in Intercept X Updater | Local privilege escalation | 7.8 | HIGH |
| CVE-2025-7433 | Device Encryption Component Privilege Escalation | Arbitrary code execution with elevated privileges | Not available | HIGH |
| CVE-2025-7472 | Installer Privilege Escalation Vulnerability | Local privilege escalation | Not available | HIGH |
The registry ACL vulnerability CVE-2024-13972 impacts all Intercept X for Windows installations prior to version 2024.3.2, as well as Fixed Term Support (FTS) builds earlier than 2024.3.2.23.2 and Long Term Support (LTS) builds earlier than 2025.0.1.1.2.
CVE-2025-7433 applies to the Central Device Encryption module in Intercept X for Windows versions before 2025.1. Customers running FTS or LTS builds also require the corresponding builds of 2024.3.2.23.2 or 2025.0.1.1.2 to receive the fix.
The installer flaw CVE-2025-7472 affects any deployment using an installer older than version 1.22 released on March 6, 2025.
Organizations relying on default updating policies that automatically install recommended packages will receive patches without additional action. In contrast, those on fixed-term or long-term maintenance channels must perform manual upgrades.
Mitigations
Sophos has released updated packages addressing all three vulnerabilities. Intercept X for Windows 2024.3.2 and the matched FTS/LTS branch versions include the CVE-2024-13972 registry fix.
Device Encryption 2025.1 and its FTS/LTS counterparts resolve CVE-2025-7433, while installer version 1.22, published March 6, 2025, remediates CVE-2025-7472.
No interim workarounds are available, so customers should download installers directly from Sophos Central to eliminate outdated copies.
Enterprises should verify that auto-update policies are enabled for Recommended packages and that any custom maintenance branches have been upgraded to the fixed releases.