Resolved Multiple Vulnerabilities in Sophos Endpoint for Windows (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472)

High
CVE(s)
CVE-2024-13972
CVE-2025-7433
CVE-2025-7472
Updated:
Product(s)
Sophos Endpoint
Publication ID sophos-sa-20250717-cix-lpe
Article version 3
First published
Workaround No

Overview

Sophos has resolved three independent security vulnerabilities in Sophos Endpoint and Workload Protection for Windows and the installer.

CVE-2025-7472

Customers using old versions of the installer to actively deploy endpoints and servers are required to download the latest installer from Sophos Central.

All other issues

There is no action required for customers using the default updating policy, as updates for Recommended packages are installed automatically by default.

Customers using Fixed Term Support (FTS) or Long Term Support (LTS) packages are required to upgrade to receive these fixes. See below for details.

CVE ID: CVE-2024-13972
Severity: HIGH

Description: A vulnerability related to registry permissions in the Sophos Endpoint and Workload Protection for Windows updater can lead to a local user gaining system level privileges during a product upgrade. The issue was discovered and responsibly disclosed to Sophos by an external security researcher.

Sophos would like to thank Filip Dragovic of MDSec (https://www.mdsec.co.uk/) for responsibly disclosing the issue to Sophos.

CVE ID: CVE-2025-7433
Severity: HIGH

Description: A local privilege escalation vulnerability, allowing arbitrary code execution, was discovered in the Sophos Device Encryption component for Windows. The issue was discovered and responsibly disclosed to Sophos by an external security researcher.

Sophos would like to thank Sina Kheirkhah (@SinSinology) of watchTowr (https://watchtowr.com/) for responsibly disclosing the issue to Sophos.

CVE ID: CVE-2025-7472
Severity: HIGH

Description: A local privilege escalation vulnerability in the Sophos Endpoint and Workload Protection for Windows installer can lead to a local user gaining system level privileges if the installer is run as SYSTEM. The issue was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

Sophos would like to thank Sandro Poppi (https://medium.com/@spoppi) for responsibly disclosing the issue to Sophos.


Applies to the following Sophos product(s) and version(s)

  • CVE-2024-13972:
    • Sophos Endpoint and Workload Protection for Windows prior to Core Agent version 2024.3.2
  • CVE-2025-7433:
    • Sophos Central Device Encryption prior to version 2025.1
  • CVE-2025-7472:
    • Sophos Endpoint and Workload Protection for Windows Installer prior to version 1.22

Remediation

  • Ensure you are running a supported version
  • CVE-2024-13972:
  • CVE-2025-7433:
    • Fix included in Sophos Device Encryption 2025.1 on July 1, 2025
    • Fix included in Windows computer FTS 2024.3.2.23.2
    • Fix included in Windows computer LTS 2025.0.1.1.2
  • Users of older versions of Sophos Endpoint and Workload Protection for Windows are required to upgrade to receive the latest protections, and these fixes

CVE-2025-7472

  • Fix included in Sophos Endpoint and Workload Protection for Windows Installer 1.22 on March 6, 2025
  • To no longer be affected by this issue in new deployments, users are required to replace any copy of the installer with a copy downloaded from Sophos Central after March 6, 2025

Related information

Change Log

  • 2025-07-17: Initial version
  • 2025-08-03: Clarified that CVE-2024-13972 is fixed in the Core Agent
  • 2025-08-06: Updated product name to Sophos Endpoint and Workload Protection instead of Intercept X