CVE-2025-7433
📋 TL;DR
A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption allows attackers with local access to execute arbitrary code with elevated privileges. This affects Sophos Intercept X for Windows with Central Device Encryption version 2025.1 and older. Attackers could gain SYSTEM-level access on compromised systems.
💻 Affected Systems
- Sophos Intercept X for Windows with Central Device Encryption
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM privileges on the host, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.
Likely Case
Malicious insider or malware with initial access escalates privileges to bypass security controls, disable security software, and maintain persistence.
If Mitigated
With proper endpoint controls and monitoring, exploitation attempts are detected and blocked before privilege escalation completes.
🎯 Exploit Status
Requires local access to the system. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2 or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250717-cix-lpe
Restart Required: Yes
Instructions:
1. Open the Sophos Central admin console.
2. Navigate to Global Settings > Updates.
3. Ensure endpoint updates are enabled.
4. Systems will automatically update to 2025.2 or later.
5. Restart affected systems after the update.
🔧 Temporary Workarounds
Disable Central Device Encryption
Platform: Windows
Temporarily disable the vulnerable component until patching is complete.
Sophos Central: Global Settings > Encryption > Disable Central Device Encryption
🧯 If You Can't Patch
- Implement strict local access controls and monitoring on affected systems
- Deploy application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Sophos Central console for endpoint version and Central Device Encryption status. Vulnerable if version is 2025.1 or older with encryption enabled.
Check Version:
wmic product where "name like '%Sophos Intercept X%'" get name,version
Verify Fix Applied:
Verify endpoint shows version 2025.2 or later in Sophos Central console and Central Device Encryption is functioning normally.
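The version check above can be scripted so it can be run across a fleet instead of typed per host. The following PowerShell is an added example, not a script from the advisory or from Sophos: it reads the Windows uninstall registry keys (which avoids the deprecated wmic tool and the slow Win32_Product class), finds entries whose DisplayName contains "Sophos Intercept X" (an assumption about how the product registers itself), and compares DisplayVersion with the fixed version 2025.2 named on this page. It assumes the version string uses the year.release form shown here ("2025.1"). Whether Central Device Encryption is enabled still has to be read from the Sophos Central console, as the page states; the script only answers the version half of the question.

```powershell
# Added example: report whether the installed Sophos Intercept X version is at
# or beyond the fixed version (2025.2) for CVE-2025-7433.
# Assumptions: the product's DisplayName contains "Sophos Intercept X" and its
# DisplayVersion parses as a .NET [version] (e.g. "2025.1" or "2025.1.0.123").

$FixedVersion = [version]'2025.2'

function Get-SophosInterceptXVersion {
    # Both the 64-bit and WOW6432Node uninstall hives are searched.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Sophos Intercept X*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-CVE20257433Patched {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    # $true when the installed version is >= 2025.2; an unparseable string is
    # treated as unpatched so it is surfaced for manual review rather than hidden.
    try {
        return ([version]$InstalledVersion -ge $FixedVersion)
    } catch {
        Write-Warning "Could not parse version string '$InstalledVersion'"
        return $false
    }
}

$products = Get-SophosInterceptXVersion
if (-not $products) {
    Write-Output 'Sophos Intercept X not found in the uninstall registry keys.'
} else {
    foreach ($p in $products) {
        $status = if (Test-CVE20257433Patched -InstalledVersion $p.DisplayVersion) {
            'patched (>= 2025.2)'
        } else {
            'VULNERABLE if Central Device Encryption is enabled (< 2025.2): update and restart'
        }
        Write-Output ('{0} {1}: {2}' -f $p.DisplayName, $p.DisplayVersion, $status)
    }
}
```

Run it as an administrator on each endpoint, or wrap the body in Invoke-Command with -ComputerName to collect results centrally; a host that reports "not found" should be cross-checked in the Sophos Central console rather than assumed clean, since a different registration name would also produce that result.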
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Sophos directories
- Failed privilege escalation attempts in Windows Event Logs
- Sophos service manipulation events
Network Indicators:
- Unexpected outbound connections from Sophos processes
- Lateral movement attempts from affected systems
SIEM Query:
source="windows" AND ((process_name="*Sophos*" AND parent_process!="*Sophos*") OR (event_id=4688 AND new_process_name="*Sophos*"))
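For hosts that are not forwarding to a SIEM, the same logic can be run locally against the Security log. The following PowerShell is an added example, not a query from the advisory or from Sophos: it implements the first log indicator above (process creation from a Sophos directory whose parent is not a Sophos process) over Windows event 4688. It assumes "Audit Process Creation" is enabled so that 4688 is written, that the Sophos binaries live under the two Program Files paths given in the parameter defaults (assumed install locations), and it excludes services.exe as a parent by default because normal Sophos service start-ups are launched by the Service Control Manager and would otherwise dominate the output.

```powershell
# Added example: local hunt over Security event 4688 for processes started from
# a Sophos install directory by a non-Sophos parent, matching the SIEM query on
# this page. Requires "Audit Process Creation" to be enabled; run as administrator.
# Assumptions: Sophos install paths below; services.exe excluded as a parent
# (tuning choice, not something the advisory specifies).

function Find-SuspiciousSophosProcessCreation {
    param(
        [int]$Hours = 24,
        [string[]]$SophosDirs = @('C:\Program Files\Sophos', 'C:\Program Files (x86)\Sophos'),
        [string[]]$AllowedParents = @('C:\Windows\System32\services.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $newProc = $data['NewProcessName']
        $parent  = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later

        $fromSophos    = $SophosDirs | Where-Object { $newProc -like "$_\*" }
        $parentSophos  = $SophosDirs | Where-Object { $parent  -like "$_\*" }
        $parentAllowed = $AllowedParents -contains $parent

        if ($fromSophos -and -not $parentSophos -and -not $parentAllowed) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Process        = $newProc
                Parent         = $parent
                Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                # Token elevation type distinguishes a full/elevated token from a
                # limited one; an elevated token under an unexpected parent is the
                # case worth triaging first for a local privilege escalation.
                TokenElevation = $data['TokenElevationType']
            }
        }
    }
}

Find-SuspiciousSophosProcessCreation -Hours 24 | Format-Table -AutoSize
```

Expect some benign hits from interactive launches (a user opening the Sophos UI from explorer.exe, for example); baseline those parents per environment and add them to -AllowedParents rather than widening the Sophos path match, so that a Sophos-named binary dropped outside the install directory is not silently accepted.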