Sophos has patched three separate high-severity local privilege escalation (LPE) vulnerabilities in its widely used Intercept X for Windows product and its installer. These flaws, identified as CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, could allow local users to gain SYSTEM-level access, posing serious risks in enterprise environments.
The first vulnerability, CVE-2024-13972, arises from misconfigured registry permissions in the Intercept X updater. This flaw enables a local user to gain elevated privileges during a product upgrade, effectively allowing code execution at the highest level. According to Sophos, “A vulnerability related to registry permissions in the Intercept X for Windows updater can lead to a local user gaining system level privileges during a product upgrade.” Security researcher Filip Dragovic of MDSec is credited with responsibly disclosing this issue. The flaw affects versions prior to Intercept X 2024.3.2.
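The registry-permission weakness behind CVE-2024-13972 is a class of misconfiguration administrators can audit for themselves. The following PowerShell is an added example written for this article, not code from Sophos or from the researcher's report; it walks a registry subtree and lists access control entries that grant write-type rights to principals every local user belongs to. The root key is a placeholder assumption, since the article does not name the affected updater keys.

```powershell
# Added example (not from Sophos or the article): report registry ACEs under a subtree
# that let low-privileged principals modify keys or values, the kind of permission
# misconfiguration the article describes for CVE-2024-13972.
param(
    # Assumption/placeholder: the article does not name the real updater keys.
    [string]$Root = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR'
)

# Principals that an ordinary interactive, non-admin user holds by default.
$lowPriv = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that allow altering the key, its values, or its security descriptor.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# The root key itself plus every subkey beneath it.
$keys = @(Get-Item -Path $Root -ErrorAction Stop) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; Deny entries restrict rather than grant.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Flag the entry only if at least one write-type right is present.
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $key.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Run it from an elevated session so every subkey's ACL is readable; an empty result means no low-privileged principal can write under that subtree, while any row is worth comparing against the vendor's intended permissions.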
The second vulnerability, tracked as CVE-2025-7433, was found in the Device Encryption component of Intercept X. It allows a local attacker to execute arbitrary code with SYSTEM privileges, essentially giving them full control over the endpoint. Sophos explained, “A local privilege escalation vulnerability, allowing arbitrary code execution, was discovered in the Device Encryption component.” This vulnerability was responsibly reported by Sina Kheirkhah (@SinSinology) of the cybersecurity firm watchTowr. The issue was patched in version 2025.1, which became available on July 1, 2025.
The third and final issue, CVE-2025-7472, involves a logic flaw in the Intercept X installer. If executed with SYSTEM privileges—common in enterprise deployment scenarios—the vulnerable installer could be abused by a local user to escalate their own privileges. Sophos described the risk as follows: “A local privilege escalation vulnerability in the Intercept X for Windows installer can lead to a local user gaining system level privileges, if the installer is run as SYSTEM.” Security researcher Sandro Poppi uncovered this flaw and reported it through Sophos’ bug bounty program. The vulnerability was addressed in Installer version 1.22, released on March 6, 2025.
Sophos advises all users and administrators to ensure that their Intercept X installations and associated installers are up to date. Customers using the default updating policy have already received the necessary patches automatically. However, those relying on Long Term Support (LTS) or Fixed Term Support (FTS) packages must manually upgrade to protected versions.