Sophos has disclosed three high-severity security vulnerabilities in its Intercept X for Windows endpoint protection software that could allow local attackers to gain system-level privileges and execute arbitrary code.
The cybersecurity company released patches for all three vulnerabilities on July 17, 2025, following responsible disclosure by external security researchers.
The vulnerabilities, assigned CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, affect different components of the Sophos Intercept X ecosystem and pose significant risks to enterprise security infrastructure.
Each vulnerability carries a “HIGH” severity rating and enables local privilege escalation attacks that could compromise entire Windows systems.
The three high-severity vulnerabilities are:
- CVE-2024-13972: A registry permissions vulnerability in the Intercept X for Windows updater component that allows local users to escalate privileges to system level during product upgrades, potentially giving attackers complete control over affected machines. This vulnerability affects all versions of Sophos Intercept X for Windows prior to version 2024.3.2, impacting both endpoint and server deployments across enterprise environments.
- CVE-2025-7433: A local privilege escalation vulnerability targeting the Device Encryption component of Sophos Intercept X for Windows that enables arbitrary code execution, allowing attackers to bypass security controls and execute malicious payloads with elevated privileges. The vulnerability affects Central Device Encryption versions prior to 2025.1, which was patched on July 1, 2025.
- CVE-2025-7472: A privilege escalation vulnerability affecting the Intercept X for Windows installer itself, creating a pathway for attackers when the installer runs with SYSTEM privileges. This vulnerability particularly concerns organizations actively deploying new endpoint and server installations using outdated installer packages.
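CVE-2024-13972 is described above as a registry permissions weakness that lets a local user influence a SYSTEM-level updater. The PowerShell script below is an added example, not code from Sophos or from the advisory: it walks a registry subtree and reports every key on which a low-privilege principal (Everyone, Users, Authenticated Users, INTERACTIVE) holds write rights, which is the misconfiguration class a defender would want to find on any product hive that a privileged component trusts. The root key path is a placeholder, because the advisory does not name the affected key; the list of principals and rights is the author's choice, not Sophos's.

```powershell
# Added example (not Sophos's code): flag registry keys whose ACL grants write
# access to low-privilege principals, the weakness class behind CVE-2024-13972.
# $RootKey is a placeholder; point it at the hive you want to audit.
param(
    [string]$RootKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR'   # assumption: subtree under audit
)

# Principals that should never be able to write keys a SYSTEM-level updater reads
$LowPrivilegePrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow tampering with values, subkeys or the ACL itself
# (FullControl contains all of these bits, so it is caught as well)
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Find-WeakRegistryAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    # Audit the root key itself plus every subkey beneath it
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $acl = Get-Acl -Path $key.PSPath } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivilegePrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs mean the parent key is the real problem
            }
        }
    }
}

Find-WeakRegistryAcl -Path $RootKey | Format-Table -AutoSize
```

Run it from an elevated session so every subkey can be read. An empty result means no listed principal can write under the subtree; a row with `Inherited = True` points at a permissive parent key rather than the key shown, and that parent is where the ACL should be tightened.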
Vulnerabilities in Sophos Intercept X
The discovery of these vulnerabilities highlights the critical role of external security researchers in identifying enterprise software vulnerabilities.
Filip Dragovic of MDSec identified and responsibly disclosed CVE-2024-13972, demonstrating the registry permissions weakness in the updater mechanism.
Sophos publicly acknowledged Dragovic’s contribution to improving the security posture of their endpoint protection platform.
Sina Kheirkhah of watchTowr, operating under the handle @SinSinology, discovered the Device Encryption vulnerability CVE-2025-7433.
This researcher’s work uncovered the arbitrary code execution pathway within the encryption component, a critical finding given the sensitive nature of device encryption in enterprise security frameworks.
Sandro Poppi identified CVE-2025-7472 through Sophos’s bug bounty program, revealing the installer vulnerability that could compromise new deployments.
The discovery through the bug bounty program demonstrates the effectiveness of incentivized security research in identifying critical software vulnerabilities before malicious exploitation.
Urgent Remediation Steps
Organizations using Sophos Intercept X for Windows must take immediate action to address these vulnerabilities.
Sophos has released updated versions including Intercept X for Windows FTS 2024.3.2.23.2 and LTS 2025.0.1.1.2 that address all identified vulnerabilities.
Customers using default updating policies will receive automatic updates for Recommended packages, ensuring protection against CVE-2024-13972 and CVE-2025-7433 without manual intervention.
However, customers using Fixed Term Support (FTS) or Long Term Support (LTS) packages must manually upgrade to receive these critical security fixes.
For CVE-2025-7472, organizations must download the latest installer version 1.22 from Sophos Central, replacing any installer copies downloaded before March 6, 2025.
This step is crucial for preventing privilege escalation during new endpoint deployments and ensuring secure installation processes across enterprise networks.
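The remediation steps above give concrete fixed versions (FTS 2024.3.2.23.2, LTS 2025.0.1.1.2, Central Device Encryption 2025.1), and FTS/LTS customers must verify their builds by hand. The following PowerShell script is an added example, not Sophos's code: it reads installed Sophos components from the standard Windows Uninstall registry keys and compares each DisplayVersion with the fixed version of the matching release train. It handles the fact that a five-part version string such as 2024.3.2.23.2 cannot be cast to .NET's `[version]` type (four parts maximum) by comparing dotted versions as integer arrays. The DisplayName patterns are assumptions about how the products register themselves; adjust them to what your inventory shows. The installer package version (1.22, for CVE-2025-7472) is not recorded in these keys and still has to be checked against the download in Sophos Central.

```powershell
# Added example (not Sophos's code): compare installed Sophos component versions
# with the fixed versions named in the advisory. DisplayName patterns are assumptions.

# Minimum fixed versions per release train, taken from the advisory text.
$FixedVersions = @{
    'Sophos Intercept X*'       = @('2024.3.2.23.2', '2025.0.1.1.2')   # FTS 2024.x / LTS 2025.0.x
    'Sophos Device Encryption*' = @('2025.1')                          # Central Device Encryption
}

function Compare-DottedVersion {
    # Like [version]::CompareTo (-1, 0, 1) but for any number of parts;
    # missing trailing parts count as 0, so 2025.1 equals 2025.1.0.0
    param([string]$A, [string]$B)
    $pa = @($A.Split('.') | ForEach-Object { [int]$_ })
    $pb = @($B.Split('.') | ForEach-Object { [int]$_ })
    $n = [Math]::Max($pa.Count, $pb.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $x = if ($i -lt $pa.Count) { $pa[$i] } else { 0 }
        $y = if ($i -lt $pb.Count) { $pb[$i] } else { 0 }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

function Get-RequiredFixedVersion {
    # Choose the fixed build from the same release train (same leading number);
    # a train newer than any listed returns $null and is reported separately
    param([string]$Installed, [string[]]$Candidates)
    $train = [int]$Installed.Split('.')[0]
    foreach ($c in $Candidates) {
        if ([int]$c.Split('.')[0] -eq $train) { return $c }
    }
    return $null
}

function Get-SophosPatchState {
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $apps = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -like 'Sophos*' -and $_.DisplayVersion }

    foreach ($app in $apps) {
        foreach ($pattern in $FixedVersions.Keys) {
            if ($app.DisplayName -notlike $pattern) { continue }
            $required = Get-RequiredFixedVersion -Installed $app.DisplayVersion `
                                                 -Candidates $FixedVersions[$pattern]
            if ($null -eq $required) { $state = 'UnlistedTrain' }
            elseif ((Compare-DottedVersion $app.DisplayVersion $required) -ge 0) { $state = 'Patched' }
            else { $state = 'VULNERABLE' }
            [pscustomobject]@{
                Product   = $app.DisplayName
                Installed = $app.DisplayVersion
                Required  = $required
                State     = $state
            }
        }
    }
}

Get-SophosPatchState | Format-Table -AutoSize
```

A `VULNERABLE` row is a host that still needs the manual FTS/LTS upgrade described above; `UnlistedTrain` means the installed build belongs to a release train the advisory does not name, which should be checked against Sophos's release notes rather than assumed patched.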