What Are the Latest Sophos Intercept X for Windows Vulnerabilities and How Do They Enable Arbitrary Code Execution?
Three high-severity vulnerabilities—CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472—have been discovered in Sophos Intercept X for Windows, allowing local attackers to gain system-level privileges and execute arbitrary code. These flaws affect the updater, Device Encryption, and Windows installer components. With no available workarounds, users must immediately update to the latest versions to mitigate risks of privilege escalation and system compromise.
Table of Contents
- What Are the New Sophos Intercept X Vulnerabilities?
- Who Discovered These CVEs?
- How Do These Vulnerabilities Work?
- Which Versions Are Affected?
- What Is the Risk for Enterprises?
- Are There Any Workarounds?
- How to Apply the Fixes
- Where to Download the Latest Updates?
- Why Is Timely Patching Critical?
- How to Confirm You're Safe?
- Conclusion
- Frequently Asked Questions (FAQs)
Sophos Intercept X for Windows has recently been found vulnerable to three critical flaws that can lead to arbitrary code execution with system-level privileges. These vulnerabilities—CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472—affect core components such as the updater, Device Encryption, and installer, putting enterprises at serious risk of privilege escalation attacks.
What Are the New Sophos Intercept X Vulnerabilities?
Researchers discovered three serious vulnerabilities in Sophos Intercept X for Windows that could allow a local attacker to escalate privileges and execute arbitrary code. The flaws were responsibly disclosed and have since been patched.
The vulnerabilities include:
- Misconfigured registry permissions
- Improper handling in the Device Encryption component
- Insecure file permissions in the Windows installer
These weaknesses affect versions of Intercept X for Windows released before the latest patch update on July 17, 2025.
Who Discovered These CVEs?
The vulnerabilities were disclosed by trusted researchers through responsible channels:
- CVE-2024-13972 – Discovered by Filip Dragovic (MDSec)
- CVE-2025-7433 – Reported by Sina Kheirkhah via WatchTower
- CVE-2025-7472 – Submitted by Sandro Poppi through Sophos’s bug bounty program
How Do These Vulnerabilities Work?
CVE-2024-13972: Registry ACL Vulnerability
The updater in Sophos Intercept X used overly permissive registry ACLs, allowing a non-privileged user to modify critical registry values during an update. This allows attackers to inject malicious code executed with SYSTEM privileges.
CVE-2025-7433: Device Encryption Component Flaw
This issue lies in the Central Device Encryption module, where authenticated local users can load unsigned or arbitrary code, effectively bypassing intended encryption protections and gaining elevated access.
CVE-2025-7472: Installer Privilege Escalation
Older versions of the Sophos Windows installer run under the SYSTEM context but do not correctly restrict file permissions. This enables attackers to replace or manipulate files, resulting in code execution as SYSTEM.
Which Versions Are Affected?
Here is a breakdown of the impacted and fixed versions:
| CVE | Affected Component | Fixed Version | Impact | Severity |
|---|---|---|---|---|
| CVE-2024-13972 | Updater (Registry ACLs) | 2024.3.2, FTS 2024.3.2.23.2, LTS 2025.0.1.1.2 | Local Privilege Escalation | High |
| CVE-2025-7433 | Device Encryption Module | 2025.1, FTS/LTS builds | Arbitrary Code Execution | High |
| CVE-2025-7472 | Windows Installer | Version 1.22 (March 6, 2025) | Local Privilege Escalation | High |
What Is the Risk for Enterprises?
Enterprises using vulnerable versions of Intercept X for Windows are exposed to:
- Unauthorized privilege escalation
- System-level compromise
- Failure of endpoint encryption guarantees
Even environments with hardened security policies may be affected due to default SYSTEM-level installer execution or auto-updating mechanisms that have not yet applied the latest fixes.
Are There Any Workarounds?
No, there are currently no workarounds available for these vulnerabilities. The only mitigation is to immediately install the patched versions provided by Sophos.
How to Apply the Fixes
Organizations should do the following:
- Upgrade Intercept X to version 2024.3.2 or newer
- Ensure Device Encryption is at version 2025.1
- Download installer version 1.22 or later
- Check and enable auto-update policies for Recommended packages
- Manually update any custom FTS or LTS channels
Where to Download the Latest Updates?
The latest patched versions can be downloaded from:
- Sophos Central (official portal)
- The “Recommended” or latest “Maintenance” update channels, which deliver the fixes automatically
Why Is Timely Patching Critical?
Delaying updates increases exposure to local privilege escalation (LPE) attacks that can:
- Bypass endpoint security controls
- Lead to full system takeover
- Open the door for ransomware, backdoors, or further lateral movement inside corporate networks
How to Confirm You're Safe?
To verify protection:
- Ensure all components are running the latest supported versions
- Disable access to old installer packages
- Audit registry permissions and installation logs
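Two of the checks above can be scripted. The following PowerShell is an added example, not Sophos code or the article's: it flags registry ACEs that give write-capable rights to principals other than SYSTEM and Administrators (the weakness class described for CVE-2024-13972), and compares an installed version string against the fixed versions from the table, including the five-part FTS/LTS build numbers that PowerShell's `[version]` type cannot parse. The registry key path and the installed version string are placeholders to be replaced with values from your own environment.

```powershell
# Added example (not Sophos code). Two defender-side checks:
# (1) report registry ACEs granting write-capable rights to principals other
#     than SYSTEM/Administrators, the weakness class behind CVE-2024-13972;
# (2) compare an installed version against a fixed version, handling the
#     five-part FTS/LTS build numbers that [version] cannot parse.
# The key path below is a placeholder; substitute the keys your review covers.
function Get-WeakRegistryAce {
    param([Parameter(Mandatory)][string]$KeyPath)
    $R = [System.Security.AccessControl.RegistryRights]
    # Any of these rights lets the holder change values, subkeys or the ACL itself
    $writeRights = $R::SetValue -bor $R::CreateSubKey -bor $R::WriteKey -bor
                   $R::ChangePermissions -bor $R::TakeOwnership -bor $R::FullControl
    # Principals expected to hold write access on machine-wide keys
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Compare-DottedVersion {
    # Returns -1, 0 or 1 like CompareTo; missing trailing components count as 0
    param([string]$Installed, [string]$Fixed)
    $a = @($Installed -split '\.' | ForEach-Object { [int]$_ })
    $b = @($Fixed -split '\.' | ForEach-Object { [int]$_ })
    for ($i = 0; $i -lt [Math]::Max($a.Count, $b.Count); $i++) {
        $x = if ($i -lt $a.Count) { $a[$i] } else { 0 }
        $y = if ($i -lt $b.Count) { $b[$i] } else { 0 }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

# Usage. Placeholder key path; the fixed version is the FTS build from the table,
# the installed version is a constructed sample value.
Get-WeakRegistryAce -KeyPath 'HKLM:\SOFTWARE\<vendor-key-placeholder>' | Format-Table
if ((Compare-DottedVersion '2024.3.1.22.1' '2024.3.2.23.2') -lt 0) {
    'Installed FTS build is below the fixed version'
}
```

Any row returned by `Get-WeakRegistryAce` for a key under a SYSTEM-run component is worth a closer look; an empty result for a patched build is the expected outcome.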
Conclusion
Sophos Intercept X for Windows vulnerabilities present a serious threat to endpoint security through local exploitation paths. Organizations relying on outdated software are highly vulnerable to privilege escalation and code execution attacks.
Security teams must act immediately to apply all relevant patches, verify update compliance, and review installer usage to ensure enterprise-wide protection.
FAQs
What are the new vulnerabilities in Sophos Intercept X for Windows?
Three vulnerabilities—CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472—affect updater, encryption, and installer components.
What does CVE-2024-13972 affect in Sophos Intercept X?
It affects registry permissions in the updater, allowing local privilege escalation.
Who discovered CVE-2024-13972?
The vulnerability was reported by Filip Dragovic of MDSec.
What is CVE-2025-7433 in Sophos Intercept X?
It’s a flaw in the Device Encryption module that allows arbitrary code execution by a local user.
Who reported CVE-2025-7433?
Researcher Sina Kheirkhah reported it through WatchTower.
What is CVE-2025-7472 and how does it work?
It is a file-permission weakness in the installer, which runs as SYSTEM, and it allows local privilege escalation.
Which version fixes CVE-2024-13972?
Sophos Intercept X version 2024.3.2 and corresponding FTS/LTS versions.
Which update addresses CVE-2025-7433?
Device Encryption version 2025.1 and relevant LTS/FTS builds.
When was the installer fix for CVE-2025-7472 released?
It was released on March 6, 2025, in version 1.22.
How serious are these Sophos vulnerabilities?
All are rated high in severity and allow local code execution with SYSTEM privileges.
Are remote attackers affected by these CVEs?
No, these vulnerabilities require local access to exploit.
Is there a workaround for these Sophos flaws?
No workarounds exist; patches must be applied.
Where can I download the fixed versions of Sophos software?
You can download them from the official Sophos Central portal.
What happens if I don’t update Sophos Intercept X?
Your systems may remain vulnerable to privilege escalation and full compromise.
Does the Sophos auto-update apply these patches?
Yes, if you're on Recommended packages with auto-updates enabled.
Do FTS or LTS users get automatic updates?
No, FTS and LTS branches require manual patching.
Can attackers gain admin access through these flaws?
Yes, they can escalate from local user to full SYSTEM-level privileges.
Should enterprises be concerned about these bugs?
Absolutely, especially if they use Intercept X in endpoint security.
What is the CVSS score for CVE-2024-13972?
It has a CVSS v3.1 score of 7.8, categorized as High severity.
Is CVE-2025-7433 publicly scored yet?
No, but it’s acknowledged as high severity by Sophos.
What kind of attacks can these vulnerabilities enable?
Privilege escalation, arbitrary code execution, and full system compromise.
How do I verify my Sophos version?
Use the Sophos Central dashboard or endpoint client to check versions.
Can I disable Device Encryption to mitigate CVE-2025-7433?
Disabling is not advised; updating to the patched version is recommended.
Do these flaws affect Intercept X for Server?
Yes, Intercept X for Server is also impacted.
Are Linux or Mac versions affected?
No, only the Windows version of Intercept X is vulnerable.
What actions has Sophos taken?
They have released patched builds, published advisories, and notified customers.
What privilege does the attacker gain using these flaws?
They gain SYSTEM-level privileges, the highest on Windows.
Can these bugs be exploited together?
Yes, they can potentially be chained for greater impact.
Do these flaws bypass antivirus protection?
Yes, since they exploit trusted system processes.
Should these CVEs be prioritized in patch management?
Yes, they should be treated as high-priority updates in any organization.