Norton Secure VPN Privilege Escalation Vulnerability (CVE-2025-58074)
A privilege escalation vulnerability (CVE-2025-58074) exists in Norton Secure VPN when it is installed from the Microsoft Store. A low-privilege local user can replace files that the installer operates on, leading to arbitrary file deletion and potentially to elevation of privileges.
CVE-2025-58074 is a privilege escalation vulnerability in Norton Secure VPN when the product is installed through the Microsoft Store. A low-privilege local user exploits it by manipulating files that the installer creates or modifies while the installation is running. Successful exploitation leads to arbitrary file deletion and, more critically, to elevation of privileges on the affected system. The vulnerability was reported by Talos and carries a CVSS v3.1 base score of 8.8 (High).
Attack Chain
- A low-privilege user initiates the installation of Norton Secure VPN from the Microsoft Store.
- While the installation runs, the user identifies a directory or file that the installer will create or modify and that the user can write to.
- The user replaces the legitimate file, or turns the directory into a junction point or mount point that resolves to a protected system location.
- The installer, running with elevated privileges, follows the replaced file or the junction and performs its write or delete on the redirected target instead of the intended one.
- As a result, the installer deletes arbitrary files in a protected location or writes attacker-influenced content to a privileged location.
- A privileged process later executes or loads that attacker-controlled content.
- The attacker gains elevated privileges on the system.
Impact
Successful exploitation of CVE-2025-58074 allows a low-privilege user to escalate to SYSTEM. That is a complete compromise of the affected host: unauthorized access to any data on it, installation of malware, and modification of system configuration. Because the privileged write is performed by a legitimate, signed installer, the escalation bypasses controls that rely on blocking untrusted elevated processes and gives the attacker a persistence foothold that ordinary user-level restrictions do not prevent.
Recommendation
- Monitor for suspicious file modifications during software installations, including installs that originate from the Microsoft Store. Use the "Detect Suspicious File Replacement During Installation" Sigma rule to surface file replacements in common installation directories by non-administrator accounts.
- Restrict write access to the directories that privileged installers read from or write to, so that low-privilege users cannot swap files or redirect paths the installer will later touch with elevated rights.
- Investigate every alert from the "Detect Insecure Junction Point Creation" Sigma rule, which identifies junction points and mount points created by non-administrator users; a junction created shortly before or during an elevated installation is the strongest signal of this attack chain.
Detection coverage (2 rules)
Detect Suspicious File Replacement During Installation (severity: high)
Detects the replacement of files in common installation directories by non-admin users, potentially indicating a privilege escalation attempt.
Detect Insecure Junction Point Creation (severity: medium)
Detects the creation of junction points or mount points by non-administrator users, which can be used to redirect privileged operations to arbitrary locations.
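The following Python script is an added example, not code from the original page, from Talos, or from the platform that ships the two Sigma rules above. It shows the detection logic those rules describe, run over constructed log lines, and it also illustrates the two attack-chain steps the rules are meant to catch: a non-administrator creating a junction, and a non-administrator dropping a file under an installation directory. The events are modelled on Sysmon EventID 1 (ProcessCreate) and EventID 11 (FileCreate) field names; the installation-directory prefixes, the junction command-line patterns, the account names, and the file paths are assumptions chosen for the example, since the real rule bodies and the exact paths the Norton installer touches are not on the page.

```python
"""Toy detector for the two behaviours behind the attack chain:
(1) a non-administrator creating a junction/mount point (Sysmon EventID 1), and
(2) a non-administrator creating/replacing a file under a common installation
    directory (Sysmon EventID 11).
Field names follow Sysmon; all sample events below are constructed for this example."""

import json
import re

# Assumption: directories that installers write to. Microsoft Store packages land under
# C:\Program Files\WindowsApps, which the first prefix already covers.
INSTALL_DIRS = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\ProgramData\\",
)

# Principals that legitimately write to those directories during an installation.
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}

# Assumption: command-line patterns that create a junction or mount point on Windows.
JUNCTION_PATTERNS = (
    re.compile(r"mklink\s+/[jd]\b", re.I),                 # cmd.exe: mklink /J or /D
    re.compile(r"New-Item\b.*-ItemType\s+Junction", re.I),  # PowerShell
    re.compile(r"CreateMountPoint|CreateSymlink", re.I),    # symboliclink-testing-tools
)


def is_admin(user: str, integrity: str = "") -> bool:
    """Treat service accounts and High/System integrity tokens as administrative.
    EventID 11 carries no IntegrityLevel, so callers may pass only the user."""
    return user in PRIVILEGED_USERS or integrity in {"High", "System"}


def detect_junction_creation(event: dict) -> bool:
    """Rule 2: a non-admin process command line that creates a junction/mount point."""
    if event.get("EventID") != 1:
        return False
    if is_admin(event.get("User", ""), event.get("IntegrityLevel", "")):
        return False
    return any(p.search(event.get("CommandLine", "")) for p in JUNCTION_PATTERNS)


def detect_install_dir_file_replacement(event: dict) -> bool:
    """Rule 1: a non-admin account creating/replacing a file in an installation directory."""
    if event.get("EventID") != 11:
        return False
    if is_admin(event.get("User", "")):
        return False
    target = event.get("TargetFilename", "").lower()
    return target.startswith(tuple(d.lower() for d in INSTALL_DIRS))


def scan(lines):
    """Return (rule_name, event) hits for newline-delimited JSON Sysmon-style events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if detect_junction_creation(event):
            hits.append(("Detect Insecure Junction Point Creation", event))
        if detect_install_dir_file_replacement(event):
            hits.append(("Detect Suspicious File Replacement During Installation", event))
    return hits


def scan_text(text: str):
    return scan(text.splitlines())


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Low-privilege user redirects a staging directory to a protected one: alert.
    {"EventID": 1, "User": "DESKTOP-1\\alice", "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink /J C:\\Users\\alice\\AppData\\Local\\Temp\\stage C:\\Windows\\System32"},
    # Administrator creating a junction: expected, no alert.
    {"EventID": 1, "User": "DESKTOP-1\\admin", "IntegrityLevel": "High",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink /J D:\\data C:\\data"},
    # Installer running as SYSTEM writing into Program Files: expected, no alert.
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe"},
    # Low-privilege user replacing a file under Program Files: alert.
    {"EventID": 11, "User": "DESKTOP-1\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe"},
    # Ordinary write inside the user's own profile: no alert.
    {"EventID": 11, "User": "DESKTOP-1\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, ev in scan_text(SAMPLE_LOG):
        print(f"[{rule}] user={ev['User']} target={ev.get('TargetFilename') or ev.get('CommandLine')}")
```

In a real deployment the two rules fire independently; correlating a junction creation with an elevated installer's file activity from the same user session within a short window is what turns two medium-confidence signals into a high-confidence indicator of this attack chain.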