Sophos Intercept X Updater LPE: Dissecting CVE-2024-13972’s Registry Permission Flaw
Introduction
A single misconfigured registry key can turn a trusted endpoint security product into a launchpad for full system compromise. That is the real-world impact of CVE-2024-13972, a local privilege escalation (LPE) flaw in Sophos Intercept X for Windows disclosed in July 2025. On enterprise and education hosts where unprivileged users share workstations, a standard local user could use the flaw to obtain SYSTEM-level control during a routine product upgrade, turning the protection agent itself into the escalation path.
About Sophos and Intercept X
Sophos is a major global cybersecurity vendor, with millions of endpoints protected worldwide and a strong presence in both enterprise and SMB markets. Intercept X for Windows is their flagship endpoint protection product, widely deployed for its advanced exploit prevention and ransomware mitigation capabilities. The security of its update mechanism is foundational to the trust placed in the product by organizations across critical sectors.
Technical Information
CVE-2024-13972 is rooted in the way the Intercept X for Windows updater handled Windows registry permissions prior to version 2024.3.2 in the standard release channel (the FTS and LTS fix versions are listed under Patch Information). During product upgrades, the updater created or modified certain registry keys with access control lists (ACLs) that were too permissive. Specifically, these ACLs allowed standard (non-administrative) local users to modify registry values or subkeys that influence the upgrade process.
This misconfiguration opened the classic path to local privilege escalation through a privileged updater. The specific keys and values have not been published, so the steps below describe the general pattern rather than a confirmed exploit chain:
- An attacker with an unprivileged local account enumerates the registry keys the updater creates or modifies during an upgrade and finds one whose ACL grants Users, Authenticated Users or Everyone write access.
- The attacker plants data in those keys (for example a path the updater later loads or executes, or configuration the updater trusts) that steers the behaviour of the updater, which runs as SYSTEM.
- At the next upgrade, the updater consumes the attacker-controlled data and carries out the resulting action with SYSTEM rights, at which point the attacker holds full control of the host.
This attack vector is reminiscent of previous Windows LPE vulnerabilities where registry misconfigurations allowed non-admins to hijack privileged processes (8). In this case, the flaw is specific to the Intercept X for Windows updater’s handling of registry ACLs during upgrades, and does not require administrative rights to exploit—only local access to the affected system (15, 9, 17).
Neither Sophos nor the reporting researcher has published vulnerable code or proof-of-concept details. The root cause is that the updater did not restrict modification of its upgrade-related keys to trusted principals (SYSTEM and Administrators), leaving a window in which any local user could tamper with configuration that a SYSTEM process later consumes. The expected hardened state is the usual one for a privileged service's keys: standard users hold at most read access (KEY_READ), while every write-class right (KEY_SET_VALUE, KEY_CREATE_SUB_KEY, DELETE, WRITE_DAC, WRITE_OWNER) is reserved for SYSTEM and Administrators.
Patch Information
Sophos has addressed CVE-2024-13972 (along with CVE-2025-7433 and CVE-2025-7472) by releasing updates that harden registry permissions and correct the underlying flaw. The fixed versions are:
- Sophos Intercept X for Windows FTS 2025.2.3.9.2 and newer
- Sophos Intercept X for Windows LTS 2025.1.0.45 and newer
Customers using the default updating policy will receive these updates automatically. Those on Fixed Term Support (FTS) or Long Term Support (LTS) packages must manually upgrade to the specified versions to ensure protection (15).
Detection Methods
Sophos Intercept X for Windows includes general mechanisms that can surface local privilege escalation activity. None of them is specific to CVE-2024-13972, and the component being abused here is the product's own updater, so they should be paired with Windows-side checks on the registry:
- Event Log Monitoring: filter the Windows Application log for Event ID 911 to review exploit prevention detections (community.sophos.com).
- Exploit Prevention Signatures: these identify and block known exploitation tradecraft such as memory corruption and code injection; a registry write by an ordinary user is not an exploit in that sense, so do not rely on a signature firing for this flaw.
- Behavioral Analysis: unusual process and registry activity can be flagged; the behaviour to watch for is the SYSTEM updater spawning an unexpected child process or loading an unexpected binary during or after an upgrade.
- Regular Updates: upgrading to the fixed versions is the only complete remedy; keeping the product current also ensures the latest detection content is in place (sophos.com).
- Registry ACL review: enumerate the ACEs on the product's keys under HKLM\SOFTWARE\Sophos and flag any that grant write-class rights (KEY_SET_VALUE, KEY_CREATE_SUB_KEY, DELETE, WRITE_DAC, WRITE_OWNER) to Everyone, Authenticated Users or BUILTIN\Users; the same check run after patching confirms the hardened permissions are in place.
- Windows registry auditing: apply a SACL to those keys and enable the Object Access "Audit Registry" subcategory, so that writes by non-administrative accounts appear in the Security log as Event ID 4657 (registry value modified) and 4663 (object access attempted), and permission changes as Event ID 4670.
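The registry-ACL root cause described under Technical Information and the ACL-review item above come down to the same question: which principals hold write rights on the updater's keys? The PowerShell below is an added example written for this page; it is not Sophos code and does not come from the advisory. It assumes the relevant keys live under HKLM\SOFTWARE\Sophos (the exact subkeys were never published, so it scans the whole subtree), and it includes a throwaway key under HKCU with one deliberately weak ACE so the scan can be exercised on any Windows machine, as a standard user, without touching the product's keys.

```powershell
# Added example for this page (not Sophos code): find registry keys whose ACL
# grants write-class rights to principals that every standard user belongs to.
# Assumption: the updater's keys sit under HKLM\SOFTWARE\Sophos; the exact
# subkeys were not published, so the whole subtree is scanned.

# Rights that let a caller change a key's content, delete it, or rewrite its
# security descriptor. Generic bits are included because ACEs are sometimes
# stored as GENERIC_WRITE / GENERIC_ALL rather than as specific rights.
$script:WriteMask = [int](
    [System.Security.AccessControl.RegistryRights]::SetValue          -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey      -bor
    [System.Security.AccessControl.RegistryRights]::CreateLink        -bor
    [System.Security.AccessControl.RegistryRights]::Delete            -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership
) -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Well-known SIDs that any interactive standard user matches.
$script:LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Find-WeakRegistryAcl {
    <# Returns one object per (key, ACE) pair in which a low-privilege
       principal is allowed any write-class right on the key. #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        # Tamper protection or a tight DACL may deny READ_CONTROL; skip those keys.
        try { $acl = $key.GetAccessControl() } catch { continue }
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $script:LowPrivSids.ContainsKey($sid)) { continue }
            $granted = [int]$ace.RegistryRights -band $script:WriteMask
            if ($granted -eq 0) { continue }   # read-only ACE: expected and harmless
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $script:LowPrivSids[$sid]
                Rights    = ('0x{0:X}' -f $granted)
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-WeakAclDemo {
    <# Creates a throwaway key under HKCU (constructed test data) with one
       deliberately weak ACE, BUILTIN\Users allowed SetValue + CreateSubKey,
       scans it, and cleans up. Runs as a standard user; HKLM is not touched. #>
    $demoPath = 'HKCU:\Software\AclAuditDemo'
    New-Item -Path $demoPath -Force | Out-Null
    try {
        $acl  = Get-Acl -Path $demoPath
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545',
            [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $demoPath -AclObject $acl
        # One finding is expected: Principal BUILTIN\Users, Rights 0x6
        # (SetValue = 0x2, CreateSubKey = 0x4); inherited ACEs for the user,
        # SYSTEM and Administrators are not low-privilege and are not reported.
        Find-WeakRegistryAcl -Path $demoPath
    }
    finally {
        Remove-Item -Path $demoPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Self-test on the throwaway key:
Invoke-WeakAclDemo | Format-Table -AutoSize

# Audit the product's own keys (run elevated for full coverage; the path is
# an assumption about where the updater's keys live):
# Find-WeakRegistryAcl -Path 'HKLM:\SOFTWARE\Sophos' | Format-Table -AutoSize
```

Run the HKLM scan before and after the upgrade to the fixed version: any finding whose Principal is Everyone, Authenticated Users or BUILTIN\Users is a key a standard user can write, and the post-patch run should come back empty. Do not hand-edit the DACLs on Sophos keys to remediate; the product's tamper protection and installer own those permissions, and the vendor fix is the supported route. Where a finding persists, put a SACL on that key and watch for Event ID 4657 from non-administrative accounts.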
Affected Systems and Versions
The vulnerability affects Sophos Intercept X for Windows in the following configurations:
- Standard release channel: versions prior to 2024.3.2
- Fixed Term Support (FTS): versions prior to 2025.2.3.9.2
- Long Term Support (LTS): versions prior to 2025.1.0.45
Every system on an affected version carries the flaw, but the practical risk is highest on multi-user hosts (shared workstations, lab and classroom machines, terminal servers) where non-administrative users can log on interactively, because exploitation requires an unprivileged local session. The flaw is exercised during the product upgrade itself, so the window between an attacker's registry tampering and the next upgrade is the sensitive period.
Vendor Security History
Sophos has a mature vulnerability disclosure and patch process, with a track record of timely advisories and coordinated releases. However, local privilege escalation issues have surfaced in previous advisories for its Windows agents, such as CVE-2024-8885 in Sophos Central Device Encryption (sophos-sa-20241002-cde-lpe) (7, 15). The recurrence of LPE flaws in components that run as SYSTEM, now including the updater's registry handling, points to an area for ongoing architectural attention, but the vendor's transparency and researcher acknowledgements reflect a strong security culture.
References
- NVD Entry for CVE-2024-13972
- Sophos Security Advisory: sophos-sa-20250717-cix-lpe
- SecAlerts: CVE-2024-13972
- Sophos Exploit Prevention Event Types
- Sophos Advisory: sophos-sa-20241002-cde-lpe
Source: This report was created using AI