Sophos has released patches addressing three independent local privilege escalation vulnerabilities in its Intercept X for Windows product line.
Tracked as CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, each flaw could allow a user who already holds a low-privileged foothold on a host to gain SYSTEM-level rights.
The fixes, shipped in Intercept X 2024.3.2 and later, in the updated installer (v1.22) and in the Device Encryption component (v2025.1), close registry-permission, encryption-module, and installer-execution weaknesses that were responsibly disclosed by external researchers.
Administrators are advised to verify endpoint and server versions and, where necessary, download the latest installer from Sophos Central to maintain full protection.
High-Severity Privilege Escalations Patched
The first vulnerability, CVE-2024-13972, stemmed from overly permissive registry ACLs in the Intercept X updater component.
A malicious local user with write access to HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\InterceptX\Trigger could use it to inject rogue code that runs during a product upgrade, elevating privileges to SYSTEM.
This issue has been corrected in Sophos Intercept X for Windows 2024.3.2, as well as in the Fixed Term Support (FTS) and Long Term Support (LTS) branches (2024.3.2.23.2 and 2025.0.1.1.2 respectively).
CVE-2025-7433 is a local privilege escalation in the Device Encryption module that could lead to arbitrary code execution.
According to the advisory, a crafted payload could bypass the encryption service's checks, enabling unauthorized decryption or injection of unsigned drivers.
The 2025.1 release of the encryption component, shipped July 1, 2025, adds stricter signature validation and sandbox-hardening logic to block such attacks.
The third issue, CVE-2025-7472, involved the Intercept X installer itself. When the installer runs under the SYSTEM account, the permissions on its temporary folder were misconfigured, letting a local attacker swap in a malicious DLL before the installer executed it.
Installer version 1.22, published March 6, 2025, enforces stricter folder ACLs and implements a file-existence lock to prevent unauthorized replacement of installer components.
Seamless Auto-Update and Installer Upgrades
Organizations using Sophos Central's default updating policy require no manual intervention, as the Recommended package receives these fixes automatically.
Enterprises on Fixed Term Support (FTS) or Long Term Support (LTS) editions must proactively upgrade to the patched releases, since those branches do not move forward on their own.
For new deployments, customers should replace any legacy installer copies with the latest InterceptX_Installer.msi retrieved from Sophos Central.
To verify the installed agent version on Windows, security teams can run the following PowerShell snippet (Get-CimInstance replaces the deprecated Get-WmiObject; note that any query of Win32_Product is slow and causes Windows Installer to run a consistency check on every installed package, so on production hosts prefer reading the Uninstall registry keys instead):

```powershell
Get-CimInstance -ClassName Win32_Product |
    Where-Object { $_.Name -like "Sophos Intercept X*" } |
    Select-Object Name, Version
```

If the reported version is lower than 2024.3.2 (or, on FTS and LTS hosts, lower than the patched build for that branch), initiate an in-place upgrade with:

```text
msiexec /i "\\path\to\InterceptX_Installer.msi" /quiet /norestart
```

The /quiet and /norestart switches apply the new ACL checks and encryption safeguards without user interaction and without forcing a reboot.
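The version check and conditional upgrade above, as an added example that is not Sophos code: it reads installed products from the Uninstall registry keys rather than Win32_Product, compares the version component by component (so that five-part FTS/LTS builds such as 2024.3.2.23.2, which [version] cannot parse, are handled), and picks the minimum patched build for the branch the host is on. The branch minimums are the ones quoted in this article; the "Sophos Intercept X*" DisplayName pattern and the MSI path are assumptions.

```powershell
# Added example, not Sophos code. Enumerate Sophos Intercept X from the
# Uninstall registry keys (avoids the Win32_Product consistency check) and
# compare against the patched build for the selected update branch.
$PatchedMinimum = @{
    GA  = '2024.3.2'        # GA build named in the advisory
    FTS = '2024.3.2.23.2'   # Fixed Term Support build named in the advisory
    LTS = '2025.0.1.1.2'    # Long Term Support build named in the advisory
}

function Compare-DottedVersion {
    param([string]$A, [string]$B)
    # Component-wise numeric comparison. [version] accepts at most four parts,
    # so five-part FTS/LTS builds need a hand-rolled compare. Missing trailing
    # components count as zero. Returns -1, 0 or 1.
    $a = @($A -split '\.' | ForEach-Object { [int]$_ })
    $b = @($B -split '\.' | ForEach-Object { [int]$_ })
    $n = [Math]::Max($a.Count, $b.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $x = if ($i -lt $a.Count) { $a[$i] } else { 0 }
        $y = if ($i -lt $b.Count) { $b[$i] } else { 0 }
        if ($x -lt $y) { return -1 }
        if ($x -gt $y) { return 1 }
    }
    return 0
}

function Get-InstalledInterceptX {
    # Both native and WOW6432Node hives, so 32-bit entries on x64 are not missed.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos Intercept X*' } |   # assumed DisplayName pattern
        Select-Object DisplayName, DisplayVersion
}

function Test-InterceptXPatched {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [ValidateSet('GA', 'FTS', 'LTS')][string]$Branch = 'GA'
    )
    try {
        return (Compare-DottedVersion $InstalledVersion $PatchedMinimum[$Branch]) -ge 0
    } catch {
        # Non-numeric version string: treat as unpatched so it gets reviewed.
        return $false
    }
}

# Usage: set $Branch to the update branch this host follows; the MSI path is
# the placeholder from the article and must point at your own share.
$Branch  = 'GA'
$MsiPath = '\\path\to\InterceptX_Installer.msi'
$found = @(Get-InstalledInterceptX)
if ($found.Count -eq 0) {
    Write-Warning 'No Sophos Intercept X entry found under the Uninstall keys.'
}
foreach ($p in $found) {
    if (Test-InterceptXPatched -InstalledVersion $p.DisplayVersion -Branch $Branch) {
        '{0}: {1} is at or above {2} ({3} branch)' -f $p.DisplayName, $p.DisplayVersion, $PatchedMinimum[$Branch], $Branch
    } else {
        '{0}: {1} is below {2}; starting in-place upgrade' -f $p.DisplayName, $p.DisplayVersion, $PatchedMinimum[$Branch]
        Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /quiet /norestart" -Wait
    }
}
```

Run it elevated, since msiexec needs administrative rights for a machine-wide install; in a fleet you would feed the Test-InterceptXPatched result to your inventory tool rather than upgrade inline.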
Technical Analysis and Deployment Commands
Under the hood, CVE-2024-13972 was chiefly a misconfiguration of the Discretionary Access Control List (DACL) on a Windows Registry key.
By revoking write permissions from non-SYSTEM accounts on the Trigger key, the patch restores the principle of least privilege. In pseudocode, the remediation can be represented as:

```c
/* Pseudocode, not a literal Win32 call: the real RegSetKeySecurity takes an
 * open HKEY and a SECURITY_DESCRIPTOR, so an implementation opens the key
 * with WRITE_DAC and applies a DACL in which only SYSTEM holds write ACEs. */
RegSetKeySecurity(
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\InterceptX\Trigger,
    DACL_SECURITY_INFORMATION,   /* replace only the DACL, leave owner/SACL alone */
    SYSTEM_ONLY_DACL             /* placeholder for a descriptor with no write ACEs for non-SYSTEM principals */
);
```
For CVE-2025-7433, the updated driver loader now performs a SeDebugPrivilege check before importing encryption drivers, reducing the attack surface.
The installer fix for CVE-2025-7472 applies FILE_NOTIFY_CHANGE_SECURITY monitoring to detect unauthorized file swaps in the installer's working folder.
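Both the registry fix and the installer-folder fix come down to the same audit question: does any principal an unprivileged local user can run as hold a write-class right on the object? The following added example (not Sophos code) answers it for a registry key and for a directory, and can strip the offending ACEs. The registry path is the one quoted in the article; the installer staging directory is a placeholder. For a directory that must stay user-writable, such as a temp folder, a finding means privileged code must not load or execute anything from it rather than that the ACL should be changed.

```powershell
# Added example, not Sophos code. Report and optionally remove Allow ACEs that
# grant write-class rights to low-privileged principals on a registry key or a
# directory, the weak-permission pattern behind CVE-2024-13972 and CVE-2025-7472.

# Principals an ordinary interactive user is a member of. An Allow ACE with
# write rights for any of these lets a standard user tamper with the object.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow modifying the object or its security.
$RegistryWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership, FullControl'
$FileWriteMask     = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, TakeOwnership, FullControl'

function Get-WeakAces {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl returns RegistrySecurity for HKLM:\ paths and FileSystemSecurity
    # for directories; the rule property name differs between the two.
    $acl = Get-Acl -Path $Path
    $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]
    $mask = if ($isRegistry) { $RegistryWriteMask } else { $FileWriteMask }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($LowPrivSids -notcontains $sid) { continue }
        $rights = if ($isRegistry) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($rights -band $mask) -ne 0) { $ace }
    }
}

function Remove-WeakAces {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the number of ACEs removed. Inherited ACEs cannot be removed
    # directly, so inheritance is broken first while keeping the current ACEs
    # as explicit entries; the weak ones are then removed from that set.
    $weak = @(Get-WeakAces -Path $Path)
    if ($weak.Count -eq 0) { return 0 }
    $acl = Get-Acl -Path $Path
    if ($weak | Where-Object IsInherited) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    foreach ($ace in (Get-WeakAces -Path $Path)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
    return $weak.Count
}

# Usage: audit first; only call Remove-WeakAces on the registry key after
# confirming the product's own updater does not rely on the grant.
$TriggerKey       = 'HKLM:\SOFTWARE\Sophos\InterceptX\Trigger'   # key named in the article
$InstallerStaging = 'C:\path\to\installer\staging'               # placeholder, not a known Sophos path
foreach ($target in $TriggerKey, $InstallerStaging) {
    if (-not (Test-Path -Path $target)) { Write-Warning "$target not present"; continue }
    $weak = @(Get-WeakAces -Path $target)
    if ($weak.Count -eq 0) { "$target : no write rights for low-privileged principals"; continue }
    foreach ($ace in $weak) {
        '{0} : {1} has {2}{3}' -f $target, $ace.IdentityReference,
            $(if ($ace.RegistryRights) { $ace.RegistryRights } else { $ace.FileSystemRights }),
            $(if ($ace.IsInherited) { ' (inherited)' } else { '' })
    }
}
```

Run as an administrator (Get-Acl on HKLM keys needs READ_CONTROL, and Set-Acl needs WRITE_DAC); the same Get-WeakAces check is worth scheduling as a drift monitor, since a later install or script can quietly reopen the key.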
Together, these measures reinforce the endpoint's resilience against local threats and align with Sophos's Responsible Disclosure Policy.
Security teams should also review their vulnerability management workflows to ensure timely deployment of these patches and continuous monitoring of registry and file-system integrity on endpoints running Intercept X.