A high-severity vulnerability has been identified in multiple Sophos products, including Sophos Intercept X for Windows. This flaw, designated CVE-2025-7433, allows a local attacker with standard user access to gain full administrative privileges on the affected system. Successful exploitation could lead to a complete compromise of the endpoint, allowing an attacker to disable security controls, steal sensitive data, and install malicious software.

This is a local privilege escalation (LPE) vulnerability. An authenticated, low-privileged user can exploit a flaw in a high-privilege component of the Sophos agent. The vulnerability likely stems from improper permission handling or input validation within a service running with SYSTEM-level privileges. An attacker could craft a specific request or executable that, when processed by the vulnerable Sophos service, would execute arbitrary code with the same elevated permissions, effectively granting the attacker full administrative control over the machine.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation allows an attacker to escalate from a standard user to a full system administrator, completely bypassing the endpoint's security posture. The business impact is significant, as a compromised endpoint can lead to the loss of confidentiality, integrity, and availability. Specific risks include the deployment of ransomware, exfiltration of sensitive corporate or customer data protected by Sophos Central Device Encryption, and the ability for an attacker to use the compromised machine as a pivot point to move laterally across the network.

Immediate Action:

• Patch Immediately: Deploy the patched version of the affected Sophos software to all endpoints as a top priority. This is the only way to fully eliminate the vulnerability.
• Review Permissions: Conduct an audit of user account privileges on all endpoints. Enforce the principle of least privilege to ensure standard users do not have unnecessary rights, reducing the initial attack surface.

Proactive Monitoring:

• Monitor Windows Security Event Logs for anomalous privilege escalation events (e.g., Event ID 4672: Special privileges assigned to new logon).
• Use a SIEM or EDR solution to create detection rules for suspicious processes being spawned by Sophos services (e.g., Sophos*.exe launching cmd.exe, powershell.exe, or other unexpected executables).
• Monitor for any unauthorized attempts to stop or tamper with Sophos services or directories.

Compensating Controls:

• If patching cannot be performed immediately, implement strict application control (whitelisting) to prevent the execution of unauthorized code that could be used to trigger the exploit.
• Enhance endpoint monitoring with a focus on the specific behaviors outlined in the "Proactive Monitoring" section.
• Ensure robust network segmentation to limit an attacker's ability to pivot from a compromised endpoint to more critical assets.

Public Exploit Available: false

Given the high severity (CVSS 8.8) and the critical function of the affected software, this vulnerability poses a significant risk to the organization. A successful exploit grants an attacker complete control over an endpoint, neutralizing the security protections Sophos is intended to provide. We strongly recommend that the vendor-supplied patches be applied to all affected systems with the utmost urgency. Patching should be treated as the primary remediation action. While this CVE is not yet on the CISA KEV list, its severity warrants immediate action to prevent potential future exploitation.