A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2025-58074 represents a privilege escalation vulnerability in Norton Secure VPN installations distributed through the Microsoft Store. During the installation process, a low-privilege user can intercept and replace files before they are finalized, enabling arbitrary file deletion that bypasses security restrictions. This vulnerability affects any user installing Norton Secure VPN from the Microsoft Store on Windows systems, potentially compromising system integrity and allowing attackers to escalate from limited user accounts to higher privilege levels. The attack exploits a race condition or improper file permission handling during installation—a critical window where system files are accessible to unprivileged processes.
While CVE-2025-58074 does not currently map to specific MITRE ATT&CK techniques in public disclosures, Casky practitioners should monitor for attack patterns consistent with Privilege Escalation (TA0004) and Defense Evasion (TA0005) tactics. Extended reasoning analysis would flag suspicious installation processes where low-privilege accounts gain write access to system directories, detect unexpected file deletions during software setup, or identify permission changes that shouldn't occur during normal installation workflows. Practitioners using Casky's 754 mapped security skills would track installation anomalies, monitor file system access patterns during third-party software deployments, and correlate privilege escalation indicators with installation activity—enabling early detection of exploitation attempts before arbitrary files are deleted or system compromise occurs.
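The correlation described above (an unprivileged write into an installer's staging area, followed by a privileged delete elsewhere) can be sketched as follows. This is an added example, not Casky's or Norton's code; it runs over simplified file-create and file-delete records whose field names, paths, accounts and image names are all constructed placeholders rather than a real log schema.

```python
from datetime import datetime, timedelta
from ntpath import normcase, normpath

PRIVILEGED = {"nt authority\\system"}

def _norm(p):
    return normcase(normpath(p))

def find_install_tampering(events, staging_root, window=timedelta(minutes=5)):
    """Return (rule, event) findings for file events recorded around an install."""
    root = _norm(staging_root) + "\\"
    owner = {}        # staged path -> privileged image that first wrote it
    tampered_at = {}  # privileged image -> time its staged file was replaced
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        path, image = _norm(ev["path"]), _norm(ev["image"])
        privileged = ev["user"].lower() in PRIVILEGED
        staged = path.startswith(root)
        if ev["action"] == "create" and staged:
            if privileged:
                owner.setdefault(path, image)
            elif path in owner:
                # An unprivileged account rewrote a file the installer staged.
                tampered_at[owner[path]] = ev["time"]
                findings.append(("staged-file-replaced-by-unprivileged-user", ev))
        elif ev["action"] == "delete" and privileged and not staged:
            # Privileged delete outside staging, soon after that installer's file was replaced.
            t = tampered_at.get(image)
            if t is not None and ev["time"] - t <= window:
                findings.append(("privileged-delete-outside-staging", ev))
    return findings

# Constructed sample events; paths, accounts and image names are placeholders.
T0 = datetime(2025, 1, 1, 12, 0, 0)
STAGE = r"C:\ProgramData\ExampleInstaller\stage"
SETUP = r"C:\Program Files\ExampleInstaller\setup.exe"
SYSTEM, USER = r"NT AUTHORITY\SYSTEM", r"DESKTOP-EX\alice"

def _ev(sec, action, user, image, path):
    return {"time": T0 + timedelta(seconds=sec), "action": action,
            "user": user, "image": image, "path": path}

SAMPLE_EVENTS = [
    _ev(0, "create", SYSTEM, SETUP, STAGE + r"\payload.tmp"),
    _ev(2, "create", USER, r"C:\Users\alice\tool.exe", STAGE + r"\PAYLOAD.tmp"),
    _ev(3, "delete", SYSTEM, SETUP, STAGE + r"\payload.tmp"),       # normal cleanup
    _ev(5, "delete", SYSTEM, SETUP, r"C:\Windows\Example\target.dat"),
    _ev(6, "delete", SYSTEM, r"C:\Windows\other.exe", r"C:\Temp\x.log"),
]
```

Calling `find_install_tampering(SAMPLE_EVENTS, STAGE)` yields two findings: the unprivileged rewrite of the staged file and the installer's subsequent delete outside the staging directory. Routine cleanup inside staging and deletes by unrelated privileged processes are not flagged.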
© 2026 Casky.AI, Inc. · AI Security Investigation