Norton Secure VPN Privilege Escalation via Microsoft Store (CVE-2025-58074)
A high-severity privilege escalation vulnerability, CVE-2025-58074, has been identified in Norton Secure VPN when installed via the Microsoft Store. According to the National Vulnerability Database, this flaw allows a low-privilege user to replace files during the installation process. This manipulation can lead to the deletion of arbitrary files, ultimately enabling an attacker to elevate their privileges on the affected system.
The National Vulnerability Database assigns this a CVSS score of 8.8 (HIGH), underscoring the significant risk. The root cause, categorized as CWE-1386 (Improper Neutralization of Escape, Meta, or Control Sequences), highlights a fundamental issue in how the installer handles file operations. Attackers can exploit this by injecting malicious file paths or overwriting critical system files during the vulnerable installation window.
This isn’t just a theoretical bug. It represents a clear path for an attacker who has already gained a foothold as a low-privilege user to achieve full system control. CISOs need to understand that seemingly innocuous installation processes, especially for widely used consumer software, can introduce serious enterprise-level risks if not properly secured. The attacker’s calculus here is simple: leverage a trusted application’s installation routine to bypass privilege boundaries.
What This Means For You
- If your organization's users install software from the Microsoft Store, especially VPN clients like Norton Secure VPN, you have a critical attack vector. Audit your endpoint security policies to restrict low-privilege user installations. Ensure endpoint detection and response (EDR) solutions are configured to flag suspicious file operations during software installations. This isn't about the VPN itself; it's about the installer's integrity being compromised.
🛡️ Detection Rules
CVE-2025-58074 - Norton Secure VPN Privilege Escalation via File Replacement
```yaml
title: CVE-2025-58074 - Norton Secure VPN Privilege Escalation via File Replacement
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the deletion of the NortonSecurity.exe file during the Norton Secure VPN installation process, which is a key indicator of the privilege escalation vulnerability (CVE-2025-58074). A low-privilege user can exploit this by replacing the file, leading to arbitrary file deletion and potential privilege elevation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-58074/
tags:
  - attack.privilege_escalation
  - attack.t1548.001
logsource:
  product: windows
  # file_delete is the Sigma category for deletion events (Sysmon Event ID 23/26).
  # file_event covers file creation and carries no EventType field.
  category: file_delete
detection:
  selection:
    TargetFilename|contains:
      - 'C:\Program Files\Norton\Norton Security\NortonSecurity.exe'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
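The rule above fires on any deletion of the watched file, which is why it lists legitimate administrative activity as a false positive. The following added example (not part of the original rule or of any vendor tooling) narrows that by correlating the deletion with an earlier write to the same path by a non-privileged account, the sequence the advisory describes. It assumes Sysmon-style events (Event ID 11 for file create/overwrite, 23/26 for delete) carrying `UtcTime`, `User` and `TargetFilename`; the trusted-account set, the 10-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Path from the Sigma rule above; Windows paths compare case-insensitively.
WATCHED = r"C:\Program Files\Norton\Norton Security\NortonSecurity.exe".lower()
TRUSTED = {"nt authority\\system"}  # assumption: accounts expected to write here
WINDOW = timedelta(minutes=10)      # assumption: tune to real install duration
FILE_CREATE, FILE_DELETE = {11}, {23, 26}  # Sysmon event IDs

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def correlate(events):
    """Pair each untrusted write to the watched path with a delete of the
    same path that follows within WINDOW; returns [(write, delete), ...]."""
    alerts, pending = [], None
    for ev in sorted(events, key=_ts):
        if WATCHED not in ev.get("TargetFilename", "").lower():
            continue
        if ev["EventID"] in FILE_CREATE:
            # Only writes by non-trusted accounts arm the correlation.
            if ev.get("User", "").lower() not in TRUSTED:
                pending = ev
        elif ev["EventID"] in FILE_DELETE and pending is not None:
            if _ts(ev) - _ts(pending) <= WINDOW:
                alerts.append((pending, ev))
            pending = None
    return alerts

def make_event(eid, time, user, path):
    return {"EventID": eid, "UtcTime": f"2026-05-04 {time}.000",
            "User": user, "TargetFilename": path}

P = r"C:\Program Files\Norton\Norton Security\NortonSecurity.exe"
# Constructed sample events (not real telemetry); host and user names are made up.
SAMPLE = [
    make_event(23, "09:00:00", "NT AUTHORITY\\SYSTEM", P),       # delete, no prior write
    make_event(11, "10:00:01", "DESKTOP-01\\alice", P.upper()),  # untrusted write
    make_event(23, "10:00:40", "NT AUTHORITY\\SYSTEM", P),       # delete 39 s later
    make_event(11, "12:00:00", "NT AUTHORITY\\SYSTEM", P),       # trusted write
    make_event(26, "12:00:05", "NT AUTHORITY\\SYSTEM", P),       # delete after it
    make_event(23, "12:30:00", "DESKTOP-01\\alice", r"C:\Temp\a.txt"),  # other path
]

if __name__ == "__main__":
    for write, delete in correlate(SAMPLE):
        print(write["User"], "wrote the file; deleted at", delete["UtcTime"])
```

Only the 10:00 write/delete pair is reported; the standalone deletes and the trusted write that a path-only rule would also flag are ignored.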
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-58074 | Privilege Escalation | Norton Secure VPN via Microsoft Store |
| CVE-2025-58074 | Privilege Escalation | File replacement during installation process |
| CVE-2025-58074 | Privilege Escalation | Arbitrary file deletion |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.