Talos Vulnerability Report

TALOS-2025-2276

Norton Secure VPN Installation Insecure Operation On Junction Privilege Escalation Vulnerability

May 4, 2026

CVE Number

CVE-2025-58074

SUMMARY

A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Gen Digital Norton Secure VPN 6.5.0.59

PRODUCT URLS

Norton Secure VPN - https://us.norton.com/products/norton-vpn

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-1386 - Insecure Operation on Windows Junction / Mount Point

DETAILS

Norton Secure VPN is a virtual private network (VPN) service. It is easy to use and helps the user browse the internet anonymously by preventing online activities from being tracked.

Norton Secure VPN is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Norton Secure VPN, the following events occur in the background:

  • WindowsPackageManagerServer.exe downloads and runs NortonSecureVPN.exe to install Norton Secure VPN.

      9:13:44.8387621 AM	WindowsPackageManagerServer.exe	8196	CreateFile	C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	Medium
    
    
      9:13:58.5494705 AM	WindowsPackageManagerServer.exe	8196	SetRenameInformationFile	C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\5187e987d9086a48453103a9ab3c8b29d8949e52ca24735e457fe0e356c40acd	SUCCESS	ReplaceIfExists: True, FileName: C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe	Medium
    
  • NortonSecureVPN.exe launches another instance of NortonSecureVPN.exe with elevated privileges.

      9:14:11.2138188 AM	NortonSecureVPN.exe	11220	Process Create	C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe	SUCCESS	PID: 7532, Command line: "C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe" "C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe" /qn /uac /ADMIN	Medium
    
  • Once permission is granted, the new NortonSecureVPN.exe process runs with High Integrity privileges and performs the installation.

      9:14:11.3429369 AM	NortonSecureVPN.exe	7532	Load Image	C:\Users\dev\AppData\Local\Temp\WinGet\XP88VQCQK23NX6.6.5.0.59\NortonSecureVPN.exe	SUCCESS	Image Base: 0x7c0000, Image Size: 0x18b000	High
    

During installation, the NortonSecureVPN.exe process checks a 7z compressed file in the C:\ProgramData\NortonInstaller\Settings\ folder.

9:14:11.7088266 AM	NortonSecureVPN.exe	3524	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}.7z	PATH NOT FOUND	Desired Access: Read Attributes, Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	High

The folder C:\ProgramData is writable even by unprivileged users. Therefore, a normal user can create the C:\ProgramData\NortonInstaller\Settings\ folder and write the 7z file {057cd4cd-d429-413f-8b0f-204aac43f268}.7z to this folder before starting the installation.

Note that the name of the 7z file is a random GUID, but the GUID value is fixed for each specific installation.

When such a 7z file is present during installation, the installer decompresses the file and verifies its hash.

11:04:22.5933148 AM	NortonSecureVPN.exe	3028	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}.7z	SUCCESS	Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened	High

[..]
11:04:22.5965017 AM	NortonSecureVPN.exe	3028	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	High
11:04:22.5966496 AM	NortonSecureVPN.exe	3028	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}	SUCCESS	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created	High
11:04:22.5978466 AM	NortonSecureVPN.exe	3028	CloseFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}	SUCCESS		High
11:04:22.5986335 AM	NortonSecureVPN.exe	3028	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}\DemoFile	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a	High
11:04:22.5988384 AM	NortonSecureVPN.exe	3028	CreateFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}\DemoFile	SUCCESS	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created	High
11:04:22.5990404 AM	NortonSecureVPN.exe	3028	CloseFile	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}\DemoFile	SUCCESS		High

To verify the hash, the installer calculates the hash of the 7z file and checks whether it matches the value of the registry entry at HKU\.DEFAULT\Software\Norton\NortonInstaller\LegacySettings\{057cd4cd-d429-413f-8b0f-204aac43f268}.7z. If the registry entry is missing or the hash does not match, the recently decompressed files are deleted.

11:04:11.0136872 AM	NortonSecureVPN.exe	3028	RegQueryValue	HKU\.DEFAULT\Software\Norton\NortonInstaller\LegacySettings\{057cd4cd-d429-413f-8b0f-204aac43f268}.7z	NAME NOT FOUND	Length: 12	High

In our case, this registry entry doesn't exist, and it is not possible for a normal user to create it. As a result, the installer application will delete the uncompressed files.

11:04:28.2126942 AM	NortonSecureVPN.exe	3028	SetDispositionInformationEx	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}\DemoFile	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
[...]
11:04:28.2147779 AM	NortonSecureVPN.exe	3028	SetDispositionInformationEx	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
[...]
11:04:28.2158499 AM	NortonSecureVPN.exe	3028	SetDispositionInformationEx	C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}.7z	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High

In this case, the deletion operation can be exploited to delete arbitrary folders on the system by creating a junction in the folder C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}\ before starting the installation. When the installer attempts to clean the folder after hash verification fails, it follows the junction and deletes all files or folders present within the target directory.

The following Process Monitor log shows the deletion of content from the folder C:\Program Files (x86)\Microsoft\EdgeUpdate:

12:30:41.2012770 PM	NortonSecureVPN.exe	2476	SetDispositionInformationEx	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
12:30:41.2054336 PM	NortonSecureVPN.exe	2476	SetDispositionInformationEx	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4672404D-C216-4B19-9181-9CF5D93AE358}\MicrosoftEdgeUpdateSetup_X86_1.3.199.11.exe	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
12:30:41.2179541 PM	NortonSecureVPN.exe	2476	SetDispositionInformationEx	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4672404D-C216-4B19-9181-9CF5D93AE358}	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
12:30:41.2239141 PM	NortonSecureVPN.exe	2476	SetDispositionInformationEx	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
12:30:41.2271738 PM	NortonSecureVPN.exe	2476	SetDispositionInformationEx	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	SUCCESS	Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK	High
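
The log above can be turned into a detection rule: any successful delete disposition issued by the High-integrity installer process on a path outside its own staging folder indicates that cleanup was redirected. The following is an added example, not part of the original report or of any vendor tooling; the function names, the STAGING_ROOT constant and the column names are assumptions, and the sample rows are rebuilt from the excerpts in this report.

```python
from ntpath import normcase, normpath  # Windows path semantics on any host OS

# Assumption: the only tree this installer's cleanup should ever delete from.
STAGING_ROOT = r"C:\ProgramData\NortonInstaller\Settings"
KEYS = ("time", "process", "pid", "operation", "path", "result", "detail", "integrity")

def parse(line):
    """Split one tab-separated Process Monitor row into named fields."""
    cols = [c.strip() for c in line.split("\t")]
    return dict(zip(KEYS, cols)) if len(cols) >= len(KEYS) else None

def under(path, root):
    """True if path is root itself or lies beneath it (case-insensitive)."""
    p, r = normcase(normpath(path)), normcase(normpath(root))
    return p == r or p.startswith(r + "\\")

def escaped_deletes(lines, process="NortonSecureVPN.exe"):
    """Successful High-integrity delete dispositions outside STAGING_ROOT."""
    hits = []
    for line in lines:
        ev = parse(line)
        if (ev and ev["process"].lower() == process.lower()
                and ev["operation"] == "SetDispositionInformationEx"
                and "FILE_DISPOSITION_DELETE" in ev["detail"]
                and ev["result"] == "SUCCESS" and ev["integrity"] == "High"
                and not under(ev["path"], STAGING_ROOT)):
            hits.append(ev)
    return hits

def row(time, pid, path):
    """Rebuild a delete row in the column order of the report's log excerpts."""
    flags = ("Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS, "
             "FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK")
    return "\t".join([time, "NortonSecureVPN.exe", pid,
                      "SetDispositionInformationEx", path, "SUCCESS", flags, "High"])

# Sample rows rebuilt from the report's excerpts: one expected, two escaped.
SAMPLE = [
    row("11:04:28.2147779 AM", "3028",
        r"C:\ProgramData\NortonInstaller\Settings\{057cd4cd-d429-413f-8b0f-204aac43f268}"),
    row("12:30:41.2012770 PM", "2476",
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\Download"),
    row("12:30:41.2271738 PM", "2476",
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
]

if __name__ == "__main__":
    for ev in escaped_deletes(SAMPLE):
        print(ev["time"], ev["path"])
```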

This arbitrary deletion of files can be leveraged to escalate privileges.
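
On the mitigation side, a cleanup routine that runs elevated over a user-writable tree has to treat every reparse point as a leaf: remove the link itself and never descend into it. The sketch below is an added example, not the vendor's code or fix; safe_cleanup, is_link and demo are hypothetical names, and the demo uses a symlink as a stand-in for a junction so that it also runs on non-Windows hosts.

```python
import os
import stat
import tempfile

REPARSE = 0x400  # FILE_ATTRIBUTE_REPARSE_POINT; st_file_attributes exists only on Windows

def is_link(path):
    """True for symlinks and, on Windows, any reparse point such as a junction."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & REPARSE)

def drop_link(path):
    """Remove the link object itself; its target is never opened."""
    try:
        os.unlink(path)
    except OSError:
        os.rmdir(path)

def safe_cleanup(root):
    """Delete the tree at root without entering links. Returns the links found."""
    if is_link(root):
        drop_link(root)
        return [root]
    found = []
    for name in os.listdir(root):
        child = os.path.join(root, name)
        if is_link(child):
            found.append(child)
            drop_link(child)
        elif stat.S_ISDIR(os.lstat(child).st_mode):
            found += safe_cleanup(child)
        else:
            os.unlink(child)
    os.rmdir(root)
    return found

def demo():
    """Constructed scenario: the staging tree holds a link to a directory that must survive."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    open(os.path.join(victim, "keep.txt"), "w").close()
    staging = os.path.join(base, "Settings")
    os.mkdir(staging)
    open(os.path.join(staging, "DemoFile"), "w").close()
    os.symlink(victim, os.path.join(staging, "extracted"), target_is_directory=True)
    links = safe_cleanup(staging)
    return len(links), os.path.exists(staging), os.listdir(victim)

if __name__ == "__main__":
    print(demo())
```

A check followed by a delete still leaves a race window in which a directory can be swapped for a link, so this check reduces exposure but does not close it. The stronger design is to stage installer files in a directory that only administrators can create or write to.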

TIMELINE

2025-09-30 - Initial Vendor Contact via Security Team Webform
2025-10-07 - Second Attempt at Contact via Webform
2025-01-15 - Final Contact Attempt, Upcoming Publication Announced
2026-05-04 - Public Release

Credit

Discovered by KPC of Cisco Talos.