CVE-2025-7472: CWE-427 Uncontrolled Search Path Element in Sophos Intercept X for Windows Installer
A local privilege escalation vulnerability in the Intercept X for Windows installer prior to version 1.22 can lead to a local user gaining system level privileges, if the installer is run as SYSTEM.
AI Analysis
Technical Summary
CVE-2025-7472 is a local privilege escalation vulnerability identified in Sophos Intercept X for Windows Installer versions prior to 1.22. This vulnerability allows a local user to escalate their privileges to system level if the installer is executed with SYSTEM privileges. The vulnerability arises from improper handling of privilege boundaries within the installer process, enabling an attacker with limited local access to gain full control over the affected system. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string (CVSS:3.1/S:C/C:H/I:H/A:H/AV:L/AC:H/PR:L/UI:R) reveals that the attack requires local access (AV:L), with high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R). Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the system. There are no known exploits in the wild at the time of publication, and no patches or mitigations have been explicitly linked yet. The vulnerability specifically targets the Windows installer component of Sophos Intercept X, a widely used endpoint protection product. Given that the installer must be run as SYSTEM for exploitation, scenarios such as scheduled tasks, automated deployment, or other administrative operations that invoke the installer with elevated privileges are the primary risk vectors. This vulnerability is critical because it undermines the security guarantees of a security product itself, potentially allowing attackers to bypass endpoint protections and gain persistent, high-level access to the system.
Potential Impact
For European organizations, the impact of CVE-2025-7472 can be significant, especially for enterprises and public sector entities relying on Sophos Intercept X for endpoint security. Successful exploitation could allow an attacker with local access—such as an insider threat, a compromised user account, or malware with limited privileges—to escalate to SYSTEM privileges, thereby disabling security controls, installing persistent malware, or exfiltrating sensitive data. This could lead to widespread compromise of corporate networks, disruption of critical services, and exposure of personal data protected under GDPR. The high integrity and availability impact means that attackers could manipulate or destroy data and disrupt operations, which is particularly critical for sectors like finance, healthcare, and government. Additionally, since the vulnerability affects the installer, organizations using automated deployment tools or remote management systems that run the installer with SYSTEM privileges are at elevated risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes public knowledge.
Mitigation Recommendations
European organizations should prioritize the following mitigation steps:
1) Immediately verify the version of Sophos Intercept X for Windows installed and upgrade to version 1.22 or later once available.
2) Until patches are released, restrict local user access on endpoints, especially limiting the ability to execute installers or run processes with SYSTEM privileges.
3) Review and harden deployment and update mechanisms to ensure installers are not run unnecessarily with SYSTEM privileges or by untrusted users.
4) Implement strict application whitelisting and endpoint detection to monitor for unauthorized installer executions or privilege escalation attempts.
5) Conduct thorough audits of local user permissions and remove unnecessary administrative rights.
6) Employ enhanced logging and alerting for installer executions and privilege escalations to enable rapid detection.
7) Coordinate with Sophos support for any interim workarounds or hotfixes.
These targeted actions go beyond generic advice by focusing on controlling installer execution contexts and minimizing local privilege abuse vectors.
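The precondition for a CWE-427 search-path weakness in a SYSTEM-run installer is a directory on that search path that a low-privilege user can write to. The following PowerShell audit is an added example for step 3 above, not tooling from Sophos or from the advisory; the staging directory it checks is a constructed placeholder, and the PATH entries it reads are those of the auditing session, which may differ from the SYSTEM account's.

```powershell
# Added example: report search-path directories that non-admin principals can write to.
# Run in an elevated session on the endpoint being reviewed.
param(
    [string[]]$Directories = @(
        'C:\Staging\InterceptX',   # constructed placeholder: where an installer might be staged
        'C:\Windows\System32'      # system directory, expected to be locked down
    ) + ($env:Path -split ';' | Where-Object { $_ })
)

# Groups that every local user, or any interactive logon, is a member of.
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow planting or replacing a file inside the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership, Modify, FullControl')

function Test-WritableByLowPriv {
    param([string]$Path)
    # Simplification: only Allow ACEs are inspected; an explicit Deny for the
    # same principal would override a match reported here.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            return [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $null
}

$findings = foreach ($dir in ($Directories | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    Test-WritableByLowPriv -Path $dir
}

if ($findings) {
    Write-Warning 'User-writable directories on the installer search path:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No low-privilege write access found on the checked directories.'
}
```

Any directory reported should either be removed from the path the installer is launched from or have its ACL tightened before the installer is run as SYSTEM.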
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Sophos
- Date Reserved: 2025-07-11T12:33:46.311Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68794876a83201eaace83485
Added to database: 7/17/2025, 7:01:10 PM
Last enriched: 7/17/2025, 7:16:12 PM
Last updated: 8/18/2025, 5:38:51 AM