CVE-2025-7472
📋 TL;DR
A local privilege escalation vulnerability in the Sophos Intercept X for Windows installer allows local users to gain SYSTEM-level privileges when the installer runs with elevated permissions. This affects organizations using vulnerable versions of Sophos Intercept X for Windows. Attackers with local access can exploit this to gain complete control of affected systems.
💻 Affected Systems
- Sophos Intercept X for Windows
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access gains SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement across the network.
Likely Case
Malicious insiders or attackers who have gained initial foothold escalate privileges to SYSTEM, allowing them to disable security controls, install malware, or access sensitive data.
If Mitigated
With proper access controls and least privilege principles, the attack surface is reduced, though the vulnerability still exists in vulnerable software versions.
🎯 Exploit Status
Exploitation requires local access and the installer to run as SYSTEM. The CWE-427 (Uncontrolled Search Path Element) suggests path manipulation may be involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.22 or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250717-cix-lpe
Restart Required: Yes
Instructions:
1. Download Sophos Intercept X for Windows version 1.22 or later from Sophos Central or the vendor portal.
2. Run the installer with administrative privileges.
3. Follow the on-screen installation prompts.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict installer execution
Windows: Prevent unauthorized users from running the Sophos Intercept X installer with elevated privileges.
Use Group Policy or endpoint protection to restrict execution of Sophos installer files by non-administrative users
Implement least privilege
Windows: Ensure users operate with the minimum necessary privileges to reduce the attack surface.
Configure User Account Control (UAC) to highest setting
Use standard user accounts for daily operations
🧯 If You Can't Patch
- Monitor for unauthorized attempts to run Sophos installer with elevated privileges using endpoint detection tools.
- Segment networks to limit lateral movement in case of successful privilege escalation.
🔍 How to Verify
Check if Vulnerable:
Check Sophos Intercept X version in Windows Programs and Features or via Sophos Central dashboard. Versions prior to 1.22 are vulnerable.
Check Version:
wmic product where "name like 'Sophos Intercept X%'" get version
Verify Fix Applied:
Confirm Sophos Intercept X version is 1.22 or later in Programs and Features or Sophos Central. Verify no unauthorized privilege escalation attempts in security logs.
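A PowerShell version check, added here as an example (it is not from the advisory or from Sophos), that reads the Uninstall registry keys instead of wmic/Win32_Product and compares the installed version against 1.22 as a proper version object, so that a string such as "1.9" is not mistaken for being newer than "1.22". The display-name pattern is an assumption about how the product registers itself; adjust it if your installation shows a different name in Programs and Features.

```powershell
# Added example, not code from the advisory page or from Sophos.
# Enumerates products registered in the Uninstall keys (64-bit and 32-bit views),
# which is faster and side-effect free compared with Win32_Product/wmic, and flags
# any matching product whose DisplayVersion is below the fixed version 1.22.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-SophosInterceptXVersion {
    param(
        # Assumption: the product's DisplayName starts with "Sophos Intercept X".
        [string]$NamePattern = 'Sophos Intercept X*',
        # First fixed version named in the advisory summary above.
        [version]$FixedVersion = [version]'1.22'
    )

    $found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion }

    if (-not $found) {
        Write-Warning "No product matching '$NamePattern' found in the Uninstall keys; check Sophos Central instead."
        return
    }

    foreach ($entry in $found) {
        # DisplayVersion is a string; parse it so that version ordering is numeric, not lexical.
        $installed = $null
        if (-not [version]::TryParse($entry.DisplayVersion, [ref]$installed)) {
            Write-Warning "$($entry.DisplayName): unparseable version '$($entry.DisplayVersion)', verify manually."
            continue
        }
        $status = if ($installed -lt $FixedVersion) { 'VULNERABLE (older than 1.22)' } else { 'patched (1.22 or later)' }
        [pscustomobject]@{
            Product   = $entry.DisplayName
            Installed = $installed.ToString()
            Status    = $status
        }
    }
}

Test-SophosInterceptXVersion | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint; for fleet-wide coverage, wrap the call in Invoke-Command or deploy it through your endpoint management tool and collect the Status column.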
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Sophos installer running as SYSTEM by non-administrative users
- UAC elevation prompts for Sophos installer from unexpected users
Network Indicators:
- Unusual outbound connections from systems after Sophos installer execution
SIEM Query:
source="Windows Security" AND event_id=4688 AND process_name="*Sophos*" AND user_name!="SYSTEM" AND integrity_level="High"