Resolved Multiple Vulnerabilities in Sophos Intercept X for Windows (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472)

High
CVE(s)
CVE-2024-13972
CVE-2025-7433
CVE-2025-7472
Updated:
Product(s)
Intercept X Endpoint
Intercept X for Server
Publication ID sophos-sa-20250717-cix-lpe
Article Version 1
First Published
Workaround No

Overview

Sophos has resolved three independent security vulnerabilities in Sophos Intercept X for Windows and the installer.

CVE-2025-7472

Customers using old versions of the installer to actively deploy endpoints and servers are required to download the latest installer from Sophos Central.

All other issues

There is no action required for customers using the default updating policy, as updates for Recommended packages are installed automatically by default.

Customers using Fixed Term Support (FTS) or Long Term Support (LTS) packages are required to upgrade to receive these fixes. See below for details.

CVE ID: CVE-2024-13972

Description: A vulnerability related to registry permissions in the Intercept X for Windows updater can lead to a local user gaining system level privileges during a product upgrade. The issue was discovered and responsibly disclosed to Sophos by an external security researcher.

Sophos would like to thank Filip Dragovic of MDSec (https://www.mdsec.co.uk/) for responsibly disclosing the issue to Sophos.

Severity: HIGH

CVE ID: CVE-2025-7433

Description: A local privilege escalation vulnerability, allowing arbitrary code execution, was discovered in the Device Encryption component of Sophos Intercept X for Windows. The issue was discovered and responsibly disclosed to Sophos by an external security researcher.

Sophos would like to thank Sina Kheirkhah (@SinSinology) of watchTowr (https://watchtowr.com/) for responsibly disclosing the issue to Sophos.

Severity: HIGH

CVE ID: CVE-2025-7472

Description: A local privilege escalation vulnerability in the Intercept X for Windows installer can lead to a local user gaining system level privileges, if the installer is run as SYSTEM. The issue was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

Sophos would like to thank Sandro Poppi (https://medium.com/@spoppi) for responsibly disclosing the issue to Sophos.

Severity: HIGH

Applies to the following Sophos product(s) and version(s)

  • CVE-2024-13972:
    • Sophos Intercept X for Windows prior to version 2024.3.2
  • CVE-2025-7433:
    • Sophos Intercept X for Windows Central Device Encryption prior to version 2025.1
  • CVE-2025-7472:
    • Sophos Intercept X for Windows Installer prior to version 1.22

Remediation

  • Ensure you are running a supported version
  • CVE-2024-13972:
    • Fix included in Sophos Intercept X for Windows 2024.3.2
    • Fix included in Sophos Intercept X for Windows FTS 2024.3.2.23.2
    • Fix included in Sophos Intercept X for Windows LTS 2025.0.1.1.2
    • Fix included in Sophos Intercept X for Windows Server FTS 2024.3.2.23.2
    • Fix included in Sophos Intercept X for Windows Server LTS 2025.0.1.1.2
  • CVE-2025-7433:
    • Fix included in Device Encryption 2025.1 on July 1, 2025
    • Fix included in Sophos Intercept X for Windows FTS 2024.3.2.23.2
    • Fix included in Sophos Intercept X for Windows LTS 2025.0.1.1.2
  • Users of older versions of Sophos Intercept X for Windows are required to upgrade to receive the latest protections and these fixes

CVE-2025-7472

  • Fix included in Sophos Intercept X for Windows Installer 1.22 on March 6, 2025
  • To no longer be affected by this issue in new deployments, users are required to replace any copy of the installer with a copy downloaded from Sophos Central after March 6, 2025
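
As an added example (not Sophos code), this Python script checks an inventory export against the fixed versions listed under Remediation, comparing each row with the fix for its own package rather than with one global version. The CSV layout, the package labels and the sample hosts are assumptions, as is the rule that versions within a package order numerically, component by component.

```python
import csv
import io

# Fixed versions from the Remediation list above; the package labels are assumed names.
FIXED = {
    "intercept-x": ("2024.3.2", ["CVE-2024-13972"]),
    "intercept-x-fts": ("2024.3.2.23.2", ["CVE-2024-13972", "CVE-2025-7433"]),
    "intercept-x-lts": ("2025.0.1.1.2", ["CVE-2024-13972", "CVE-2025-7433"]),
    "intercept-x-server-fts": ("2024.3.2.23.2", ["CVE-2024-13972"]),
    "intercept-x-server-lts": ("2025.0.1.1.2", ["CVE-2024-13972"]),
    "device-encryption": ("2025.1", ["CVE-2025-7433"]),
    "installer": ("1.22", ["CVE-2025-7472"]),
}

def parse_version(text):
    """Dotted version -> tuple of ints, so 1.9 < 1.22 and 5-part builds compare correctly."""
    return tuple(int(part) for part in text.strip().split("."))

def is_older(installed, fixed):
    """True if installed < fixed, padding the shorter one with zeros (2024.3.2 == 2024.3.2.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(inventory_csv):
    """Return (host, package, installed, fixed, cves) for rows below their package's fix."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, package, installed = (row[k].strip() for k in ("host", "package", "version"))
        fixed, cves = FIXED.get(package.lower(), (None, ["manual review"]))
        try:
            outdated = fixed is None or is_older(installed, fixed)
        except ValueError:  # non-numeric version string
            outdated, cves = True, ["manual review"]
        if outdated:
            findings.append((host, package, installed, fixed, cves))
    return findings

# Constructed sample inventory (hosts and installed versions are made up for illustration).
SAMPLE = """host,package,version
ws-01,intercept-x,2024.3.1
ws-03,intercept-x-lts,2025.0.1.1.1
srv-01,intercept-x-server-fts,2024.3.2.23.2
ws-04,device-encryption,2024.3
img-01,installer,1.9
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The ws-03 row is the case a single global threshold would miss: its version is numerically above 2024.3.2 but below the LTS build that carries the fix.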

Related information