Norton Secure VPN CVE-2025-58074

EUVD-2025-209612 HIGH
Insecure Operation on Windows Junction / Mount Point (CWE-1386)
2026-05-04 talos
CVSS 3.1: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

May 04, 2026 - 14:15 (vuln.today): Analysis Generated
May 04, 2026 - 13:45 (euvd): EUVD ID Assigned, EUVD-2025-209612
May 04, 2026 - 13:45 (vuln.today): Analysis Generated
May 04, 2026 - 13:11 (nvd): CVE Published, HIGH 8.8

Description (NVD)

A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.

Analysis (AI)

Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation had been confirmed at the time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Technical Context (AI)

This vulnerability stems from CWE-1386 (Insecure Operation on Windows Junction/Mount Point), a class of TOCTOU race conditions specific to Windows file system operations. During Norton Secure VPN installation via Microsoft Store, the installer performs file operations with elevated privileges (likely SYSTEM context) but fails to properly validate target paths. An attacker with low-privilege local access can create junction points or mount points that redirect the installer's file operations to arbitrary locations. When the installer attempts to delete or replace files, it follows these redirected paths, enabling deletion of protected system files or replacement with attacker-controlled content. The scope change (S:C) in the CVSS vector indicates the vulnerability breaks Windows security boundaries, allowing escape from the low-privilege user context to impact the underlying system integrity.

Remediation (AI)

Check for an updated Norton Secure VPN version from Gen Digital addressing TALOS-2025-2276. Consult the Cisco Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276 for the vendor response and patch timeline. Until a confirmed fix version is released, organizations should implement the following compensating controls:

- Restrict Microsoft Store app installation permissions to administrative users only via Group Policy (prevents low-privilege users from triggering the vulnerable installation).
- Deploy Norton Secure VPN through enterprise MSI packages or direct downloads rather than Microsoft Store if the vulnerability is package-specific.
- Monitor and alert on unexpected file system junction or mount point creation in user-writable directories during software installations using tools like Sysmon Event ID 26 (FileDeleteDetected).
- Consider temporarily suspending Norton Secure VPN deployments via Microsoft Store until the vendor confirms a fixed version.

Note that blocking Microsoft Store entirely may impact other business applications and requires careful testing.
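The Sysmon Event ID 26 monitoring suggested above can be triaged as in the following added example, which is not code from the advisory or the vendor: it flags deletions performed as SYSTEM inside user-writable directories, the condition under which a junction can redirect a privileged delete. The record layout (dicts with Sysmon field names), the directory list and the ExampleVendor paths are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: directories a standard user can write to on a default install.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
PRIVILEGED_USERS = {r"nt authority\system"}


def under(path, roots=USER_WRITABLE):
    """True if path is inside one of roots (case-insensitive, '..' resolved)."""
    p = ntpath.normcase(ntpath.normpath(path))
    return any(p == r or p.startswith(r + "\\") for r in roots)


def risky_deletes(events):
    """Map image -> sorted directories where a SYSTEM process deleted files
    that sit in user-writable locations (Sysmon Event ID 26 records)."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 26:
            continue
        if ev.get("User", "").lower() not in PRIVILEGED_USERS:
            continue
        target = ntpath.normpath(ev.get("TargetFilename", ""))
        if under(target):
            hits[ev.get("Image", "?")].add(ntpath.dirname(target))
    return {image: sorted(dirs) for image, dirs in hits.items()}


# Constructed records; ExampleVendor and alice are placeholders.
SETUP = r"C:\Program Files\ExampleVendor\setup.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    {"EventID": 26, "User": SYSTEM, "Image": SETUP,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pkg\stage.tmp"},
    {"EventID": 26, "User": SYSTEM, "Image": SETUP,
     "TargetFilename": r"C:\Program Files\ExampleVendor\old.dll"},
    {"EventID": 26, "User": SYSTEM, "Image": SETUP,
     "TargetFilename": r"C:\UsersBackup\notes.txt"},  # prefix look-alike
    {"EventID": 26, "User": r"DESKTOP\alice", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\a.txt"},
    {"EventID": 11, "User": SYSTEM, "Image": SETUP,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pkg\new.tmp"},
]

if __name__ == "__main__":
    for image, dirs in risky_deletes(SAMPLE).items():
        print(image, "->", dirs)
```

Each directory the function reports is a place to check for reparse points and to tighten ACLs, since a standard user who controls it can influence what the privileged process deletes.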
