Cracking the Shell: CVE-2025-7433 Local Privilege Escalation in Sophos Intercept X for Windows

A deep technical analysis of CVE-2025-7433, a high-severity local privilege escalation flaw in Sophos Intercept X for Windows with Central Device Encryption. Discover how insecure deserialization (CWE-502) enables arbitrary code execution, which versions are at risk, and exactly how to patch.
CVE Analysis

8 min read

ZeroPath Security Research

2025-07-17

Introduction

A single local exploit can turn an endpoint security solution from a shield into a launchpad for attackers. That’s the real-world impact of CVE-2025-7433—a high-severity flaw in Sophos Intercept X for Windows with Central Device Encryption. This vulnerability lets any local user, or malware with a foothold, escalate privileges and execute arbitrary code as SYSTEM, effectively bypassing all endpoint security controls and potentially exposing sensitive data or disabling encryption entirely.

About Sophos: Sophos is a global leader in endpoint security, protecting hundreds of thousands of organizations and millions of endpoints worldwide. Their Intercept X suite is a flagship product, widely deployed in enterprises and SMBs alike, known for advanced threat protection and device encryption. A vulnerability in this ecosystem has wide-reaching implications for business, government, and critical infrastructure.

Technical Information

CVE-2025-7433 is rooted in a deserialization of untrusted data vulnerability (CWE-502) within Sophos Intercept X for Windows with Central Device Encryption, specifically affecting versions prior to 2025.1 (NVD, Sophos Advisory). The flaw exists in the way the encryption service processes serialized input—such as configuration data, policy objects, or inter-process messages—without proper validation or type checking.

When a local attacker (or malware running as a low-privileged user) supplies a crafted serialized payload to the vulnerable service, the service deserializes the object without sufficient safeguards. This enables the attacker to trigger arbitrary code execution in the context of SYSTEM, the highest privilege level on Windows. The attack does not require administrative rights to initiate, only local access to the endpoint.

Attack Vector:

  • The attacker must have local access, either via a compromised user account or malware already present on the system.
  • By crafting a malicious .NET serialization payload (for example, using known gadget chains such as TypeConfuseDelegate), the attacker targets the vulnerable deserialization routine in the encryption service.
  • When the service processes this payload—potentially during policy reloads, configuration updates, or IPC—the malicious code is executed with SYSTEM privileges.

Key Technical Points:

  • CWE-502: Deserialization of untrusted data is a well-known class of vulnerability, especially dangerous in services running with high privileges.
  • No Remote Exploit: The flaw is not remotely exploitable; it requires local access.
  • Arbitrary Code Execution: Successful exploitation means the attacker can run any code as SYSTEM, including disabling security controls, extracting keys, or installing persistent malware.

No vulnerable code snippet or detailed proof of concept is publicly available as of this writing, but the vulnerability is confirmed to lie in the deserialization logic of the Central Device Encryption component.
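Because no Sophos code is public, the following C# is an added illustration written for this article, not the vendor's code, of the CWE-502 pattern the section describes and of two defensive rewrites a service owner would apply to a privileged IPC reader. The type PolicyMessage, the class PolicyPipeServer and the policy field names are hypothetical; the code targets .NET 6/7, where BinaryFormatter still compiles under the SYSLIB0011 obsolete warning (later .NET versions disable it by default, which is the intended direction).

```csharp
// Added illustration, not Sophos code. PolicyMessage and PolicyPipeServer are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class PolicyMessage
{
    public string PolicyId { get; set; } = "";
    public bool EncryptionEnabled { get; set; }
}

public static class PolicyPipeServer
{
    // VULNERABLE PATTERN: a SYSTEM service reading a stream that any local user can write to.
    // BinaryFormatter instantiates whatever type the stream names, so the low-privileged
    // writer controls object construction inside the privileged process (CWE-502).
    public static PolicyMessage ReadPolicyUnsafe(Stream untrustedInput)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and insecure
        var formatter = new BinaryFormatter();
        return (PolicyMessage)formatter.Deserialize(untrustedInput);
#pragma warning restore SYSLIB0011
    }

    // MITIGATION 1 (stop-gap while BinaryFormatter is still in use): a SerializationBinder
    // that resolves only the one expected type from the expected assembly. Any other type
    // record is rejected before an object is constructed, which is what blocks gadget chains.
    private sealed class PolicyOnlyBinder : SerializationBinder
    {
        private static readonly string ExpectedAssembly =
            typeof(PolicyMessage).Assembly.GetName().Name + ",";

        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(PolicyMessage).FullName &&
                assemblyName.StartsWith(ExpectedAssembly, StringComparison.Ordinal))
            {
                return typeof(PolicyMessage);
            }
            throw new SerializationException($"Unexpected type in policy stream: {typeName}");
        }
    }

    public static PolicyMessage ReadPolicyWithBinder(Stream untrustedInput)
    {
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter { Binder = new PolicyOnlyBinder() };
        return (PolicyMessage)formatter.Deserialize(untrustedInput);
#pragma warning restore SYSLIB0011
    }

    // MITIGATION 2 (preferred): a data-only wire format deserialized into a fixed target type.
    // System.Text.Json never reads type names from the input, so there is no type channel
    // for an attacker to steer; field-level validation then covers the remaining trust gap.
    public static PolicyMessage ReadPolicySafe(Stream untrustedInput)
    {
        var msg = JsonSerializer.Deserialize<PolicyMessage>(untrustedInput)
                  ?? throw new InvalidDataException("Empty policy message");
        if (string.IsNullOrWhiteSpace(msg.PolicyId) || msg.PolicyId.Length > 64)
            throw new InvalidDataException("Invalid PolicyId");
        return msg;
    }
}
```

The binder variant refuses every type record except PolicyMessage before construction, so a payload built from a gadget chain of the kind named above fails at the type-resolution step rather than executing; it still relies on a formatter Microsoft classifies as unsafe, so it is a bridge, not a destination. Moving to a fixed-type JSON contract removes the type-name channel entirely. The transport is the other layer a reviewer would check: a SYSTEM service that accepts messages from any local user is exactly the low-privileged path this CVE describes, so the IPC endpoint's access control should be restricted to the principals that legitimately send policy.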

Patch Information

Sophos has addressed CVE-2025-7433 (alongside related LPE vulnerabilities) in the following versions:

  • Intercept X for Windows FTS 2024.3.2 and newer
  • Intercept X for Windows LTS 2024.1.1.50 and newer

Customers using the default update policy will receive these updates automatically. Manual upgrades are required for systems on older or unsupported versions. After updating, verify the installed version in the Sophos Central Admin Console to ensure protection.

Reference: Sophos Security Advisory

Affected Systems and Versions

  • Product: Sophos Intercept X for Windows with Central Device Encryption
  • Affected Versions: All versions prior to 2025.1
  • Fixed Versions:
    • Intercept X for Windows FTS 2024.3.2 and newer
    • Intercept X for Windows LTS 2024.1.1.50 and newer
  • Vulnerable Configurations: Any deployment running a version older than those listed above, regardless of update channel or policy.

Vendor Security History

Sophos has previously addressed similar vulnerabilities in its encryption modules, including CVE-2024-8885 (arbitrary file write, also leading to privilege escalation). The vendor has a strong track record of responsible disclosure, collaborating with external researchers and releasing timely patches—typically within industry-standard response windows. Sophos publicly credits researchers and maintains detailed advisories for transparency.

References

Source: This report was created using AI