
CVE-2025-3599: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Symantec Endpoint Protection

Severity: Medium
Tags: vulnerability, CVE-2025-3599, CWE-367
Published: Wed Apr 30 2025 (04/30/2025, 16:49:18 UTC)
Source: CVE
Vendor/Project: Symantec
Product: Symantec Endpoint Protection

Description

Symantec Endpoint Protection Windows Agent, running an ERASER Engine prior to 119.1.7.8, may be susceptible to an Elevation of Privilege vulnerability, which may allow an attacker to delete resources that are normally protected from an application or user.

AI-Powered Analysis

Last updated: 06/25/2025, 10:46:41 UTC

Technical Analysis

CVE-2025-3599 is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in the Symantec Endpoint Protection Windows Agent, affecting agents running an ERASER Engine version prior to 119.1.7.8. In a TOCTOU flaw, a privileged component checks the state of a resource (for example, that a path is one it is allowed to act on) and then acts on that resource in a separate step, without binding the action to the object it checked. An attacker who can change what the path refers to in the gap between the two steps (by swapping in a symbolic link, junction or hard link, or by renaming a directory) causes the privileged component to act on a different object than the one it validated. Here the consequence is that the agent, which runs with elevated privileges, can be made to delete files that an ordinary user or application could not delete, which Symantec classes as an elevation of privilege.

The record carries a CVSS 3.1 base score of 6.5 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Read literally, that vector describes an unauthenticated attacker reaching the flaw over the network, with a user-interaction requirement and an availability-only impact. Two caveats apply when reading it. First, a TOCTOU race against a local agent's file operations is ordinarily exploited by code already running on the endpoint, so the practical prerequisite is low-privileged local execution, whatever the attack-vector metric says. Second, deleting protected resources is as much an integrity effect as an availability one: the vector scores only A:H, but the operational concern is that the deleted files may be the agent's own components, leaving the endpoint unprotected.

No in-the-wild exploitation has been reported, and the record links no vendor patch reference; the affected-version statement itself indicates that the fix ships in ERASER Engine 119.1.7.8, so that is the engine version to verify on each agent. Given how widely Symantec Endpoint Protection is deployed in enterprises, a reliable local exploit would be valuable to an attacker as a defense-evasion step.
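The check-then-use gap described above, as an added example that is not Symantec's code and does not reproduce the actual flaw in the ERASER Engine: a privileged "delete from quarantine" routine that validates a path and then deletes by that same path string, beside a version that binds the validation to open directory handles and deletes relative to them. The quarantine and protected directories, the job1 subdirectory and the race_hook callback that stands in for the attacker's timing are all constructed for the demonstration. It uses POSIX symlinks and dir_fd-relative system calls, so it runs on Linux or macOS rather than Windows, where the same swap is done with junctions or symbolic links.

```python
"""TOCTOU in a privileged delete routine, and a handle-bound fix.

Added example, not Symantec code. The scenario (quarantine dir, protected dir,
attacker-controlled subdirectory, race_hook) is constructed for the demo.
"""
import os
import stat
import tempfile

PROTECTED_NAME = "critical.dat"


def delete_vulnerable(quarantine, relpath, race_hook=lambda: None):
    """Check-then-use on a path string: the CWE-367 pattern.

    time-of-check: resolve the path and confirm it lies inside `quarantine`
    time-of-use:   os.unlink() re-resolves the same string, which may now
                   point at a different object if a component was swapped.
    """
    target = os.path.join(quarantine, relpath)
    root = os.path.realpath(quarantine)
    if not os.path.realpath(target).startswith(root + os.sep):
        raise PermissionError("target is outside the quarantine directory")
    race_hook()  # attacker's window between the check and the use
    os.unlink(target)


def delete_hardened(quarantine, relpath, race_hook=lambda: None):
    """Bind every check to an open handle, then act through that handle.

    Directory components are opened one at a time with O_NOFOLLOW, so a
    symlink swap either fails the open (ELOOP) or, if it happens after the
    open, has no effect on the descriptor already held.
    """
    parts = [p for p in relpath.split(os.sep) if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError("bad relative path")
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fds = [os.open(quarantine, flags)]
    try:
        for comp in parts[:-1]:
            fds.append(os.open(comp, flags, dir_fd=fds[-1]))
        dfd = fds[-1]
        st = os.stat(parts[-1], dir_fd=dfd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to delete a non-regular file")
        race_hook()  # same window, but dfd still names the original directory
        os.unlink(parts[-1], dir_fd=dfd)
    finally:
        for fd in fds:
            os.close(fd)


def run_scenario(delete_fn):
    """Constructed scenario: one protected file and one quarantined bait file.

    Returns True if the protected file was deleted (attack succeeded).
    """
    with tempfile.TemporaryDirectory() as base:
        protected = os.path.join(base, "protected")
        quarantine = os.path.join(base, "quarantine")
        sub = os.path.join(quarantine, "job1")  # attacker-controlled subdir
        os.makedirs(protected)
        os.makedirs(sub)
        victim = os.path.join(protected, PROTECTED_NAME)
        bait = os.path.join(sub, PROTECTED_NAME)
        for path in (victim, bait):
            with open(path, "w") as fh:
                fh.write("x")

        def swap_subdir_for_symlink():
            # attacker action in the race window: replace the real
            # subdirectory with a symlink to the protected directory
            os.rename(sub, sub + ".old")
            os.symlink(protected, sub)

        try:
            delete_fn(quarantine, os.path.join("job1", PROTECTED_NAME),
                      race_hook=swap_subdir_for_symlink)
        except OSError:
            pass  # the hardened path may refuse; that is the safe outcome
        return not os.path.exists(victim)


def demo():
    """Run both variants against the same attacker behaviour."""
    return {
        "vulnerable_protected_deleted": run_scenario(delete_vulnerable),
        "hardened_protected_deleted": run_scenario(delete_hardened),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant does not make the race impossible; it makes the race irrelevant, because the object acted on is the one the descriptor was validated against, whatever the path string now resolves to. The same principle on Windows is to open the directory and file handles first (rejecting reparse points) and delete by handle rather than by name.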

Potential Impact

For European organizations, the practical risk of CVE-2025-3599 is to the endpoint security layer itself. Symantec Endpoint Protection is deployed to stop malware and unauthorized activity on workstations and servers; an attacker who can make the agent delete its own protected files can disable or degrade that defense on the host before carrying out follow-on activity, and can do so without holding administrator rights. That makes the flaw most useful as a defense-evasion and local privilege step inside a larger intrusion rather than as an entry point. Sectors that depend on endpoint protection for regulatory or operational reasons, such as finance, healthcare and public administration, would feel the loss of coverage most.

The UI:R metric in the vector means the attacker needs a user to perform some action, so phishing or social engineering that lands code on the endpoint is the likely first stage; a TOCTOU race also typically needs local execution to win the timing window. The Medium rating reflects that the vulnerability is not remotely wormable, but in a large fleet running an outdated ERASER Engine the aggregate exposure is meaningful. The absence of known exploits lowers immediate risk without removing it. Organizations with EDR telemetry covering file deletions on endpoints are positioned to notice exploitation attempts; those without it would likely see only the downstream effects of a disabled agent.

Mitigation Recommendations

Update the ERASER Engine to 119.1.7.8 or later on every Symantec Endpoint Protection Windows Agent. The engine is versioned separately from the agent build, so verify the engine version the agent actually reports rather than assuming a current agent release number covers it, and track the Symantec advisory for any further guidance. Until the engine is updated, reduce what an attacker can do with the race window: enforce application control so untrusted code does not run on endpoints at all, and keep users at least privilege, since the race must be won by code already executing locally. Keep user awareness training current on phishing and social engineering, which are the likely route to the user interaction the vector requires. In EDR, alert on deletion of files under the agent's installation and definitions directories by any process other than the agent's own, and on directory renames or symbolic-link and junction creation inside directories the agent writes to, which is how a TOCTOU on a file operation is typically set up. Periodically verify the integrity of the agent's installed components against a known-good baseline so that a silently disabled agent is detected rather than assumed healthy. Segment the network so that a host whose agent has been disabled cannot be used freely as a pivot. Do not disable the scanning engine or the agent's protective features as a compensating control; that removes the protection the vulnerability only threatens, and the correct remedy is the engine update.


Technical Details

Data Version: 5.1
Assigner Short Name: symantec
Date Reserved: 2025-04-14T15:44:01.666Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbedae5

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 10:46:41 AM

Last updated: 8/14/2025, 7:46:15 PM
