CVE-2025-15556
7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| notepad-plus-plus | notepad-plus-plus | 0 < 8.8.9 | affected |
Weaknesses
- CWE-494: CWE-494 Download of Code Without Integrity Check
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556
- https://notepad-plus-plus.org//news//clarification-security-incident/
References
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.