Overview
Sophos has resolved three independent security vulnerabilities in Sophos Endpoint and Workload Protection for Windows and the installer.
CVE-2025-7472
Customers using old versions of the installer to actively deploy endpoints and servers are required to download the latest installer from Sophos Central.
All other issues
There is no action required for customers using the default updating policy, as updates for Recommended packages are installed automatically by default.
Customers using Fixed Term Support (FTS) or Long Term Support (LTS) packages are required to upgrade to receive these fixes. See below for details.
CVE ID | Description | Severity |
---|---|---|
CVE-2024-13972 | A vulnerability related to registry permissions in the Sophos Endpoint and Workload Protection for Windows updater can lead to a local user gaining system level privileges during a product upgrade. The issue was discovered and responsibly disclosed to Sophos by an external security researcher. Sophos would like to thank Filip Dragovic of MDSec (https://www.mdsec.co.uk/) for responsibly disclosing the issue to Sophos. | HIGH |
CVE-2025-7433 | A local privilege escalation vulnerability, allowing arbitrary code execution, was discovered in the Sophos Device Encryption component for Windows. The issue was discovered and responsibly disclosed to Sophos by an external security researcher. Sophos would like to thank Sina Kheirkhah (@SinSinology) of watchTowr (https://watchtowr.com/) for responsibly disclosing the issue to Sophos. | HIGH |
CVE-2025-7472 | A local privilege escalation vulnerability in the Sophos Endpoint and Workload Protection for Windows installer can lead to a local user gaining system level privileges, if the installer is run as SYSTEM. The issue was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. Sophos would like to thank Sandro Poppi (https://medium.com/@spoppi) for responsibly disclosing the issue to Sophos. | HIGH |
Applies to the following Sophos product(s) and version(s)
- CVE-2024-13972:
  - Sophos Endpoint and Workload Protection for Windows prior to Core Agent version 2024.3.2
- CVE-2025-7433:
  - Sophos Central Device Encryption prior to version 2025.1
- CVE-2025-7472:
  - Sophos Endpoint and Workload Protection for Windows Installer prior to version 1.22
Remediation
- Ensure you are running a supported version
- CVE-2024-13972:
  - Fix included in Sophos Core Agent for Windows 2024.3.2
  - Fix included in Windows computer FTS 2024.3.2.23.2
  - Fix included in Windows computer LTS 2025.0.1.1.2
  - Fix included in Windows Server FTS 2024.3.2.23.2
  - Fix included in Windows Server LTS 2025.0.1.1.2
- CVE-2025-7433:
  - Fix included in Sophos Device Encryption 2025.1 on July 1, 2025
  - Fix included in Windows computer FTS 2024.3.2.23.2
  - Fix included in Windows computer LTS 2025.0.1.1.2
- Users of older versions of Sophos Endpoint and Workload Protection for Windows are required to upgrade to receive the latest protections and these fixes
CVE-2025-7472
- Fix included in Sophos Endpoint and Workload Protection for Windows Installer 1.22 on March 6, 2025
- To no longer be affected by this issue in new deployments, users are required to replace any copy of the installer with a copy downloaded from Sophos Central after March 6, 2025
Related information
- https://www.cve.org/CVERecord?id=CVE-2024-13972
- https://www.cve.org/CVERecord?id=CVE-2025-7433
- https://www.cve.org/CVERecord?id=CVE-2025-7472
Change Log
- 2025-07-17: Initial version
- 2025-08-03: Clarified that CVE-2024-13972 is fixed in the Core Agent
- 2025-08-06: Updated product name to Sophos Endpoint and Workload Protection instead of Intercept X