CVE-2025-7472 is a local privilege escalation vulnerability identified in Sophos Intercept X for Windows Installer versions prior to 1.22. This vulnerability allows a local user to escalate their privileges to system level if the installer is executed with SYSTEM privileges. The vulnerability arises from improper handling of privilege boundaries within the installer process, enabling an attacker with limited local access to gain full control over the affected system. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string (CVSS:3.1/S:C/C:H/I:H/A:H/AV:L/AC:H/PR:L/UI:R) reveals that the attack requires local access (AV:L), with high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R). Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the system. There are no known exploits in the wild at the time of publication, and no patches or mitigations have been explicitly linked yet. The vulnerability specifically targets the Windows installer component of Sophos Intercept X, a widely used endpoint protection product. Given that the installer must be run as SYSTEM for exploitation, scenarios such as scheduled tasks, automated deployment, or other administrative operations that invoke the installer with elevated privileges are the primary risk vectors. This vulnerability is critical because it undermines the security guarantees of a security product itself, potentially allowing attackers to bypass endpoint protections and gain persistent, high-level access to the system.

For European organizations, the impact of CVE-2025-7472 can be significant, especially for enterprises and public sector entities relying on Sophos Intercept X for endpoint security. Successful exploitation could allow an attacker with local access—such as an insider threat, a compromised user account, or malware with limited privileges—to escalate to SYSTEM privileges, thereby disabling security controls, installing persistent malware, or exfiltrating sensitive data. This could lead to widespread compromise of corporate networks, disruption of critical services, and exposure of personal data protected under GDPR. The high integrity and availability impact means that attackers could manipulate or destroy data and disrupt operations, which is particularly critical for sectors like finance, healthcare, and government. Additionally, since the vulnerability affects the installer, organizations using automated deployment tools or remote management systems that run the installer with SYSTEM privileges are at elevated risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes public knowledge.

European organizations should prioritize the following mitigation steps: 1) Immediately verify the version of Sophos Intercept X for Windows installed and upgrade to version 1.22 or later once available. 2) Until patches are released, restrict local user access on endpoints, especially limiting the ability to execute installers or run processes with SYSTEM privileges. 3) Review and harden deployment and update mechanisms to ensure installers are not run unnecessarily with SYSTEM privileges or by untrusted users. 4) Implement strict application whitelisting and endpoint detection to monitor for unauthorized installer executions or privilege escalation attempts. 5) Conduct thorough audits of local user permissions and remove unnecessary administrative rights. 6) Employ enhanced logging and alerting for installer executions and privilege escalations to enable rapid detection. 7) Coordinate with Sophos support for any interim workarounds or hotfixes. These targeted actions go beyond generic advice by focusing on controlling installer execution contexts and minimizing local privilege abuse vectors.