A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft…

CVE-2025-58074 is a Windows local privilege escalation in the Microsoft Store installation flow for Norton Secure VPN 6.5.0.59. Talos shows that during installation, WindowsPackageManagerServer.exe and an elevated NortonSecureVPN.exe interact with attacker-writable paths under C:\ProgramData\NortonInstaller\Settings\, letting a low-privilege user pre-stage a crafted .7z and a Windows junction so the elevated installer follows the reparse point during cleanup and performs an arbitrary delete.

The vendor/CNA HIGH 8.8 score is fair in a vacuum because arbitrary delete from a high-integrity installer can be converted into SYSTEM-level outcomes. In real enterprise fleets, though, this is not an initial-access bug: it needs a local foothold, a Store-based install event, and a fairly specific timing/setup chain. That combination drags it down from patch-now panic into medium-priority post-compromise hardening.

Why this verdict

• Downgraded from vendor 8.8 because it is post-compromise by design: AV:L/PR:L means the attacker is already on the box as a user, which is major downward pressure for enterprise prioritization.
• The exploit path is unusually narrow: it is tied to the Microsoft Store installation flow for Norton Secure VPN, not merely the presence of the product after any install method.
• Real-world exposure is limited in managed fleets: many enterprises disable or constrain Microsoft Store, and many do not deploy consumer Norton VPN to corporate endpoints at all.
• There is no strong threat signal: no KEV entry, no public exploitation evidence surfaced, and the supplied EPSS 0.00013 is extremely low.
• Blast radius is per-host, not internet-scale: even successful exploitation buys privilege on one endpoint at a time, not pre-auth takeover of a server class or edge appliance.

Why not higher?

This is not unauthenticated remote, not authenticated remote, and not broadly internet-reachable. It also needs a fairly specific installer moment and Windows filesystem abuse chain, which sharply limits both exposure population and automation potential.

Why not lower?

Once the preconditions are met, the primitive is dangerous: an elevated arbitrary delete on Windows is a serious LPE building block, and Talos rated the technical impact as high for good reason. If you actually have Store-delivered Norton Secure VPN on user workstations, this is still worth fixing and controlling rather than burying as trivia.

1. Block Store deployment of Norton Secure VPN — If you manage Windows endpoints with WDAC, AppLocker, Intune, or Store policy, stop new installations of the vulnerable Store package in the next normal endpoint policy window. This is a MEDIUM finding, so there is no mitigation SLA; the goal is to prevent fresh exposure while waiting for a vendor-fixed build.
2. Hunt for vulnerable package presence — Inventory Windows endpoints for Norton Secure VPN 6.5.0.59 and specifically the Microsoft Store package path. There is no mitigation SLA for MEDIUM, but do this in your next routine vuln-validation cycle so you know whether the issue is present in your fleet at all.
3. Alert on junction abuse in installer paths — Add or tune EDR detections for junction creation and suspicious writes under C:\ProgramData\NortonInstaller\Settings\ and for WindowsPackageManagerServer.exe spawning NortonSecureVPN.exe. Use your next standard detection-content release; this is compensating visibility, not emergency containment.
4. Restrict Microsoft Store on managed endpoints — If your enterprise does not need consumer Store installs, keep Store access limited to approved apps or approved users. For a MEDIUM verdict there is no mitigation SLA, but tightening Store governance removes this and similar installer-time attack paths with one control.

Run this on the target Windows endpoint from an elevated PowerShell session because querying WindowsApps and all-users AppX inventory is more reliable as admin. Example: powershell -ExecutionPolicy Bypass -File .\check-CVE-2025-58074.ps1. The script reports VULNERABLE if it finds a Norton Secure VPN Store package or executable at version 6.5.0.59, PATCHED if Norton Secure VPN is not present, and UNKNOWN for other versions because I could not verify an authoritative fixed build.

# check-CVE-2025-58074.ps1

# Purpose: Detect likely exposure to CVE-2025-58074 on Windows endpoints.

# Logic:

#   - Search AppX packages for Norton Secure VPN / Store product XP88VQCQK23NX6

#   - Search common executable locations for NortonSecureVPN.exe

#   - If version 6.5.0.59 is found => VULNERABLE (exit 1)

#   - If no Norton Secure VPN evidence is found => PATCHED (not present) (exit 0)

#   - If Norton is present but version cannot be tied to a known fixed build => UNKNOWN (exit 2)


$ErrorActionPreference = 'SilentlyContinue'
$targetVersion = [version]'6.5.0.59'
$found = @()

function Add-Finding {
    param(
        [string]$Source,
        [string]$Name,
        [string]$Version,
        [string]$Path
    )
    $script:found += [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Version = $Version
        Path    = $Path
    }
}

# 1) AppX / Microsoft Store packages

$pkgs = Get-AppxPackage -AllUsers | Where-Object {
    $_.Name -match 'Norton' -or
    $_.PackageFamilyName -match 'Norton' -or
    $_.InstallLocation -match 'Norton' -or
    $_.PackageFullName -match 'XP88VQCQK23NX6'
}

foreach ($pkg in $pkgs) {
    Add-Finding -Source 'AppX' -Name $pkg.Name -Version ($pkg.Version.ToString()) -Path $pkg.InstallLocation

    if ($pkg.InstallLocation -and (Test-Path $pkg.InstallLocation)) {
        $exe = Get-ChildItem -Path $pkg.InstallLocation -Recurse -Filter 'NortonSecureVPN.exe' -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($exe) {
            $fv = $exe.VersionInfo.FileVersion
            Add-Finding -Source 'AppX-Exe' -Name $exe.Name -Version $fv -Path $exe.FullName
        }
    }
}

# 2) Common filesystem locations

$paths = @(
    "$env:ProgramFiles\Norton*",
    "$env:ProgramFiles(x86)\Norton*",
    "$env:LocalAppData\Programs\Norton*",
    "$env:LocalAppData\Packages\*Norton*",
    "C:\Program Files\WindowsApps\*Norton*",
    "C:\Program Files\WindowsApps\*XP88VQCQK23NX6*"
)

foreach ($p in $paths) {
    $exe = Get-ChildItem -Path $p -Recurse -Filter 'NortonSecureVPN.exe' -ErrorAction SilentlyContinue | Select-Object -First 5
    foreach ($e in $exe) {
        Add-Finding -Source 'Filesystem' -Name $e.Name -Version $e.VersionInfo.FileVersion -Path $e.FullName
    }
}

# Deduplicate

$found = $found | Sort-Object Source,Name,Version,Path -Unique

if (-not $found -or $found.Count -eq 0) {
    Write-Output 'PATCHED'
    exit 0
}

# Parse versions safely

$versions = @()
foreach ($f in $found) {
    try {
        if ($f.Version) { $versions += [version]$f.Version }
    } catch {
        # ignore unparsable versions

    }
}

# If any exact vulnerable version is present, call it vulnerable

if ($versions | Where-Object { $_ -eq $targetVersion }) {
    Write-Output 'VULNERABLE'
    $found | ForEach-Object { Write-Output ("FOUND {0} | {1} | {2} | {3}" -f $_.Source,$_.Name,$_.Version,$_.Path) }
    exit 1
}

# No exact vuln version, but Norton Secure VPN evidence exists and no authoritative fixed version is known

Write-Output 'UNKNOWN'
$found | ForEach-Object { Write-Output ("FOUND {0} | {1} | {2} | {3}" -f $_.Source,$_.Name,$_.Version,$_.Path) }
exit 2

Sources

1. NVD CVE-2025-58074
2. Cisco Talos vulnerability report TALOS-2025-2276
3. Cisco Talos blog roundup covering Norton VPN disclosure
4. CISA Known Exploited Vulnerabilities Catalog
5. FIRST EPSS project
6. Microsoft Store listing for Norton Secure VPN
7. Norton Secure VPN product page
8. OpenCVE mirror of CVE record with CISA ADP SSVC metadata