Sophos, a leading cybersecurity firm, has recently addressed three critical vulnerabilities in its Intercept X for Windows product line. These flaws, identified as CVE-2024-13972, CVE-2025-7433, and CVE-2025-7472, could potentially allow local attackers to execute arbitrary code with system-level privileges, posing significant security risks to affected systems.
Overview of the Vulnerabilities
1. CVE-2024-13972: Registry Permissions Vulnerability in Intercept X Updater
This vulnerability stems from overly permissive registry Access Control Lists (ACLs) in the Intercept X for Windows updater. Such misconfigurations can enable a non-privileged user to modify critical registry keys during the product upgrade process. By exploiting this flaw, an attacker could inject malicious code that executes with SYSTEM privileges, effectively escalating their access rights. This issue was responsibly reported by Filip Dragovic of MDSec.
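As an added defender-side check (not Sophos's code, and not taken from the advisory), the PowerShell below audits a registry subtree for the weakness class described above: Allow ACEs that grant write-class rights to principals every local user belongs to. The key path is a placeholder, because the advisory does not name the affected key.

```powershell
# Added example, not Sophos's code: audit a registry subtree for Allow ACEs that
# grant write-class rights to principals every local user belongs to, the ACL
# weakness class described for CVE-2024-13972. The key path is a placeholder.
param(
    [string]$RootKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR_KEY'  # assumption: substitute the key to audit
)

# Identities that a non-privileged interactive user always carries.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that let a caller change values, subkeys, or the ACL itself.
$R = [System.Security.AccessControl.RegistryRights]
$writeRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership -bor $R::WriteKey

function Test-RegistryKeyWritableByUsers {
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Walk the root key and every subkey; a finding means a standard user can change
# content that a SYSTEM-level updater may later read and act on.
$keys = @(Get-Item -Path $RootKey) +
        @(Get-ChildItem -Path $RootKey -Recurse -ErrorAction SilentlyContinue)
$findings = @(foreach ($k in $keys) { Test-RegistryKeyWritableByUsers -KeyPath $k.PSPath })

if ($findings.Count -eq 0) {
    Write-Output "No low-privilege write access found under $RootKey"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that every subkey's ACL can be read; inherited entries are reported separately so a single over-broad parent ACE can be traced to its origin.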
2. CVE-2025-7433: Device Encryption Component Privilege Escalation
The second vulnerability resides within the Device Encryption component of Intercept X for Windows. It allows an authenticated local user to load and execute arbitrary code, thereby bypassing intended encryption safeguards. This flaw was identified and reported by researcher Sina Kheirkhah through watchTowr.
3. CVE-2025-7472: Installer Privilege Escalation Vulnerability
The third issue affects the Intercept X for Windows installer. When the installer operates under the SYSTEM context—a common scenario in enterprise deployments—a local user can exploit improper file permissions to replace or manipulate installer files. This manipulation can lead to system-level code execution. Sandro Poppi reported this vulnerability via Sophos’s bug bounty program.
Impact and Severity
All three vulnerabilities have been assigned a High severity rating due to their potential to allow local privilege escalation and arbitrary code execution. The specific impacts are as follows:
– CVE-2024-13972: Local privilege escalation through registry modification during the update process.
– CVE-2025-7433: Execution of arbitrary code with elevated privileges via the Device Encryption component.
– CVE-2025-7472: Local privilege escalation by manipulating the installer running under SYSTEM privileges.
Affected Versions
The vulnerabilities affect the following versions of Intercept X for Windows:
– CVE-2024-13972: All versions prior to 2024.3.2, including Fixed Term Support (FTS) 2024.3.2.23.2 and Long Term Support (LTS) 2025.0.1.1.2 releases.
– CVE-2025-7433: Central Device Encryption module in versions before 2025.1. FTS and LTS builds require updates to 2024.3.2.23.2 or 2025.0.1.1.2 to address this issue.
– CVE-2025-7472: Any deployment using an installer version older than 1.22, released on March 6, 2025.
Remediation and Mitigation
Sophos has released updated packages to address these vulnerabilities:
– CVE-2024-13972: Resolved in Intercept X for Windows 2024.3.2 and corresponding FTS/LTS versions.
– CVE-2025-7433: Fixed in Device Encryption 2025.1 and its FTS/LTS counterparts.
– CVE-2025-7472: Addressed in installer version 1.22, published on March 6, 2025.
Organizations using default updating policies that automatically install recommended packages will receive these patches without additional action. However, those on fixed-term or long-term maintenance channels must perform manual upgrades to ensure their systems are protected.
Recommendations for Organizations
1. Immediate Updates: Organizations should promptly update their Intercept X for Windows installations to the latest versions to mitigate these vulnerabilities.
2. Review Update Policies: Ensure that update policies are configured to automatically apply recommended packages, reducing the window of exposure to such vulnerabilities.
3. Monitor Systems: Regularly monitor systems for unusual activity that may indicate exploitation attempts.
4. User Education: Educate users about the importance of applying updates and recognizing potential security threats.
Conclusion
The discovery and remediation of these vulnerabilities underscore the critical importance of maintaining up-to-date software and vigilant security practices. By promptly applying the provided patches and adhering to recommended security measures, organizations can safeguard their systems against potential exploits targeting these flaws.