CVE-2025-7472: CWE-427 Uncontrolled Search Path Element in Sophos Intercept X for Windows Installer

Severity: High
Tags: Vulnerability, CVE-2025-7472, CWE-427
Published: Thu Jul 17 2025 (07/17/2025, 18:53:29 UTC)
Source: CVE Database V5
Vendor/Project: Sophos
Product: Sophos Intercept X for Windows Installer

Description

A local privilege escalation vulnerability in the Intercept X for Windows installer prior to version 1.22 can lead to a local user gaining system-level privileges, if the installer is run as SYSTEM.

AI-Powered Analysis

Last updated: 07/17/2025, 19:16:12 UTC

Technical Analysis

CVE-2025-7472 is a local privilege escalation vulnerability in the Sophos Intercept X for Windows installer, affecting installer versions prior to 1.22. A local user can escalate to SYSTEM privileges if the installer is executed as SYSTEM. The weakness is classified as CWE-427 (Uncontrolled Search Path Element): the installer locates a component through a search path it does not fully control, so the privilege boundary between the low-privileged user and the SYSTEM-context installer is not enforced; the record does not state which path element is involved. The CVSS v3.1 base score is 7.5, indicating high severity. The vector string (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) shows that the attack requires local access (AV:L), has high attack complexity (AC:H), needs only low privileges (PR:L) and requires user interaction (UI:R); the scope is changed (S:C), and successful exploitation fully compromises confidentiality, integrity and availability. No exploits in the wild were known at the time of publication, and no patch links or mitigations were attached to the record, although the description identifies installer version 1.22 as the first fixed version.

The vulnerability affects the Windows installer component of Sophos Intercept X, a widely used endpoint protection product. Because the installer must be running as SYSTEM for exploitation, scheduled tasks, automated deployment and other administrative operations that invoke the installer with elevated privileges are the primary risk vectors. The issue is particularly serious because it undermines the security guarantees of a security product itself, potentially allowing attackers to bypass endpoint protections and gain persistent, high-level access to the system.

Potential Impact

For European organizations, the impact of CVE-2025-7472 can be significant, especially for enterprises and public sector entities relying on Sophos Intercept X for endpoint security. Successful exploitation could allow an attacker with local access—such as an insider threat, a compromised user account, or malware with limited privileges—to escalate to SYSTEM privileges, thereby disabling security controls, installing persistent malware, or exfiltrating sensitive data. This could lead to widespread compromise of corporate networks, disruption of critical services, and exposure of personal data protected under GDPR. The high integrity and availability impact means that attackers could manipulate or destroy data and disrupt operations, which is particularly critical for sectors like finance, healthcare, and government. Additionally, since the vulnerability affects the installer, organizations using automated deployment tools or remote management systems that run the installer with SYSTEM privileges are at elevated risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes public knowledge.

Mitigation Recommendations

European organizations should prioritize the following mitigation steps:
1) Immediately verify the version of the Sophos Intercept X for Windows installer in use and upgrade to version 1.22 or later once available.
2) Until patches are deployed, restrict local user access on endpoints, in particular the ability to execute installers or run processes with SYSTEM privileges.
3) Review and harden deployment and update mechanisms so that installers are not run unnecessarily with SYSTEM privileges or by untrusted users.
4) Implement strict application whitelisting and endpoint detection to monitor for unauthorized installer executions or privilege escalation attempts.
5) Audit local user permissions and remove unnecessary administrative rights.
6) Enable enhanced logging and alerting for installer executions and privilege escalations so that abuse is detected quickly.
7) Coordinate with Sophos support on any interim workarounds or hotfixes.
These actions focus on controlling the context in which the installer executes and on minimizing local privilege abuse vectors.
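As a defender's check supporting step 3, added here and not taken from the page or from Sophos: the following PowerShell lists the directories a SYSTEM-context process would search that low-privileged principals can write to, which is the precondition a CWE-427 flaw needs. The record does not say which search-path element the installer mishandles, so the script audits the general condition (the machine PATH plus any staging directory passed in $ExtraDirs); the principal list and the $ExtraDirs parameter are assumptions.

```powershell
# Added example (not Sophos code): report directories on the search path of a
# SYSTEM-context process that low-privileged principals can write to. Such a
# directory is what a CWE-427 (uncontrolled search path element) flaw depends on.
param(
    # Assumption: extra directories to audit, e.g. where a deployment tool stages the installer.
    [string[]]$ExtraDirs = @()
)

# Identities every non-admin local user belongs to (assumed list; extend as needed).
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights allows dropping a file into the directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWritable {
    param([string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: ACEs with generic rights bits do not map to a named enum value.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# SYSTEM resolves the machine-wide PATH, not the interactive user's PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = (($machinePath -split ';') + $ExtraDirs) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

foreach ($d in $dirs) {
    try {
        if (Test-LowPrivWritable -Dir $d) { Write-Output "WRITABLE by low-privileged users: $d" }
    } catch {
        Write-Warning "Could not read ACL for ${d}: $($_.Exception.Message)"
    }
}
```

Run it elevated on a representative endpoint; any directory it reports should have its ACL tightened before an installer is scheduled to run there as SYSTEM.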


Technical Details

Data Version: 5.1
Assigner Short Name: Sophos
Date Reserved: 2025-07-11T12:33:46.311Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68794876a83201eaace83485

Added to database: 7/17/2025, 7:01:10 PM

Last enriched: 7/17/2025, 7:16:12 PM

Last updated: 8/15/2025, 11:37:56 PM
