{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/norton-secure-vpn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-58074"}],"_cs_exploited":false,"_cs_products":["Norton Secure VPN"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","vulnerability"],"_cs_type":"advisory","_cs_vendors":["NortonLifeLock","Microsoft"],"content_html":"\u003cp\u003eCVE-2025-58074 describes a privilege escalation vulnerability affecting Norton Secure VPN when installed through the Microsoft Store. A low-privilege local user can exploit this vulnerability by manipulating files during the installation process. Successful exploitation can lead to arbitrary file deletion and, more critically, elevation of privileges on the affected system. This vulnerability poses a significant risk as it could allow an attacker to gain unauthorized access and control over a system. The vulnerability was reported by Talos and assigned a CVSS v3.1 score of 8.8 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privilege user initiates the installation of Norton Secure VPN from the Microsoft Store.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, the user leverages their limited privileges to identify a directory or file that will be created/modified by the installer.\u003c/li\u003e\n\u003cli\u003eThe user replaces a legitimate file or creates a junction point/mount point to a protected system directory.\u003c/li\u003e\n\u003cli\u003eThe installer, running with elevated privileges, attempts to write data to the replaced file or the target of the junction/mount point.\u003c/li\u003e\n\u003cli\u003eDue to the replaced file or manipulated directory, the installer inadvertently deletes arbitrary files in a protected location or writes malicious content to a privileged location.\u003c/li\u003e\n\u003cli\u003eThis malicious file or manipulated registry key is then executed or utilized by a privileged process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-58074 allows a low-privilege user to escalate their privileges to SYSTEM. This could lead to complete compromise of the affected system, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. The impact is significant, as it bypasses standard security controls and allows for persistent and potentially undetectable access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious file modifications during software installations, especially those originating from the Microsoft Store. Use the \u0026ldquo;Detect Suspicious File Replacement During Installation\u0026rdquo; Sigma rule to detect file replacements in common installation directories.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability of low-privilege users to modify system files or directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect Insecure Junction Point Creation\u0026rdquo; Sigma rule, which identifies the creation of junction points by non-administrator users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:16:28Z","date_published":"2026-05-04T14:16:28Z","id":"/briefs/2026-05-norton-privesc/","summary":"A privilege escalation vulnerability exists in Norton Secure VPN during installation via the Microsoft Store (CVE-2025-58074), allowing a low-privilege user to replace files leading to arbitrary file deletion and potential elevation of privileges.","title":"Norton Secure VPN Privilege Escalation Vulnerability (CVE-2025-58074)","url":"https://feed.craftedsignal.io/briefs/2026-05-norton-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Norton Secure VPN","version":"https://jsonfeed.org/version/1.1"}