A local privilege escalation vulnerability in Sophos Endpoint products for MacOS was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.
Sophos would like to thank Csaba Fitzl (@theevilbit) of Offensive Security for responsibly disclosing this issue to Sophos.
The remediation prevented local users from executing arbitrary code with administrator privileges. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.
There is no action required for customers, as updates are installed automatically by default.