Three critical vulnerabilities in the Sophos Intercept X for Windows product family could allow local attackers to achieve arbitrary code execution with system-level privileges.
Identified as CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, the issues span registry permission misconfigurations, a weakness in the Device Encryption component, and a problem in the Windows installer running under the SYSTEM account.
Key Takeaways
1. Three high-severity CVEs enable local privilege escalation in Sophos Intercept X for Windows.
2. Impacts the updater, Device Encryption, and installer components.
3. Upgrade to the latest patched versions; no workarounds are available.
All three defects carry a High severity rating and affect versions of Intercept X for Windows prior to the latest patches released on July 17, 2025.
Organizations deploying Sophos Intercept X Endpoint or Intercept X for Server should apply updates immediately or risk unauthorized elevation of privilege and potential full system compromise.
Privilege Escalation & Code Execution Vulnerabilities
CVE-2024-13972 arises from overly permissive registry ACLs used by the Intercept X for Windows updater, allowing a non-privileged user to modify critical registry keys during an upgrade and thereby inject code that executes with SYSTEM privileges.
This local privilege escalation (LPE) vulnerability was responsibly reported by Filip Dragovic of MDSec.
In the second issue, CVE-2025-7433, the Device Encryption component exposes an elevation of privilege flaw that allows an authenticated local user to load and run arbitrary code, bypassing intended encryption safeguards.
This defect was submitted via WatchTower by researcher Sina Kheirkhah. Finally, CVE-2025-7472 targets the installer for Intercept X for Windows.
When the installer runs under the SYSTEM context, common in enterprise deployments, a local actor can exploit improper file permissions to replace or manipulate installer files and gain system-level code execution.
Sandro Poppi reported this bug through Sophos's bug bounty program.
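The updater flaw above is a registry ACL misconfiguration, which defenders can audit for directly. The PowerShell script below is an added example, not Sophos's code; the advisory does not name the affected keys, so the key path is a placeholder to replace with the keys your endpoint agent actually uses. It lists every ACE on the given keys that grants write-class rights to broad, low-privilege principals.

```powershell
# Added audit example (not Sophos's code). Flags registry ACEs that grant
# write-class rights to broad low-privilege principals on keys that a
# SYSTEM-level updater reads. The key path is a placeholder: the advisory
# does not name the affected keys, so substitute the ones your agent uses.
param(
    [string[]]$KeyPaths = @('HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\Updater')
)

# Principals that should never hold write rights on a key consumed by SYSTEM.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow changing values, subkeys, or the ACL itself.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

function Test-RegistryKeyAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
        $hasWrite = ($ace.RegistryRights -band $WriteMask) -ne 0
        if ($isAllow -and $isBroad -and $hasWrite) {
            # Emit one finding per offending ACE; inherited ACEs usually
            # point at the parent key as the real place to fix.
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = $KeyPaths | ForEach-Object { Test-RegistryKeyAcl -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad write ACEs found.' }
```

Run it from an elevated prompt so Get-Acl can read every key; a clean result on the vendor's keys is the post-patch state you want to confirm, and any finding on an inherited ACE should be traced to the parent key.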
| CVE | Title | Impact | CVSS 3.1 Score | Severity |
|---|---|---|---|---|
| CVE-2024-13972 | Registry Permissions Vulnerability in Intercept X Updater | Local privilege escalation | 7.8 | HIGH |
| CVE-2025-7433 | Device Encryption Component Privilege Escalation | Arbitrary code execution with elevated privileges | Not available | HIGH |
| CVE-2025-7472 | Installer Privilege Escalation Vulnerability | Local privilege escalation | Not available | HIGH |
The registry ACL vulnerability CVE-2024-13972 affects all Intercept X for Windows installations prior to version 2024.3.2, as well as Fixed Term Support (FTS) 2024.3.2.23.2 and Long Term Support (LTS) 2025.0.1.1.2 releases.
CVE-2025-7433 applies to the Central Device Encryption module in Intercept X for Windows versions earlier than 2025.1. Customers running FTS or LTS builds also require the corresponding builds of 2024.3.2.23.2 or 2025.0.1.1.2 to receive the fix.
The installer flaw CVE-2025-7472 affects any deployment using an installer older than version 1.22, released on March 6, 2025.
Organizations relying on default updating policies that automatically install recommended packages will receive patches without additional action. In contrast, those on fixed-term or long-term maintenance channels must perform manual upgrades.
Mitigations
Sophos has released updated packages addressing all three vulnerabilities. Intercept X for Windows 2024.3.2 and the matched FTS/LTS branch versions include the CVE-2024-13972 registry fix.
Device Encryption 2025.1 and its FTS/LTS counterparts resolve CVE-2025-7433, while installer version 1.22, published March 6, 2025, remediates CVE-2025-7472.
No interim workarounds are available, so customers should download installers directly from Sophos Central to replace outdated copies.
Enterprises should verify that auto-update policies are enabled for Recommended packages and that any custom maintenance branches have been upgraded to the fixed releases.