CVE-2025-15556
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
In short
Notepad++ versions before 8.8.9 don't verify that updates are legitimate before installing them. An attacker on the same network could intercept the update and replace it with malicious software that runs with your permissions.
Technical detail
The WinGUp updater in Notepad++ < 8.8.9 fails to cryptographically verify update metadata and installer packages, allowing a man-in-the-middle attacker to intercept update traffic and redirect it to a malicious binary. Exploitation requires network-level access to intercept the update connection, resulting in arbitrary code execution with user privileges.
Summary generated and translated by AI from the official description.
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
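The check the description says was missing, shown as an added example in Go (not WinGUp's or Notepad++'s code, and not a description of the actual 8.8.9 fix): the updater refuses a downloaded installer unless the update metadata carries a valid signature under a release key pinned in the client, and the installer's SHA-256 matches the digest inside that signed metadata. The Ed25519 key pair, the metadata layout, the placeholder URL and the installer bytes are all constructed for the demonstration; the vendor-side signing step is included only so the scenarios run offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Metadata mirrors what an update server publishes: the version, where to
// fetch the installer, and the installer's expected SHA-256 (hex). The vendor
// signs the canonical encoding of these fields with its release key; the
// updater ships only the matching public key. (Constructed layout.)
type Metadata struct {
	Version      string
	InstallerURL string
	SHA256       string
}

// canonical is the exact byte string that is signed and later verified.
func (m Metadata) canonical() []byte {
	return []byte(m.Version + "\n" + m.InstallerURL + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("update metadata signature invalid")
	ErrDigestMismatch = errors.New("installer SHA-256 does not match signed metadata")
)

// SignMetadata is the vendor-side step (release pipeline, never the client).
func SignMetadata(releaseKey ed25519.PrivateKey, m Metadata) []byte {
	return ed25519.Sign(releaseKey, m.canonical())
}

// VerifyUpdate is the client-side gate an updater must pass before executing
// a downloaded installer: metadata not signed by the pinned release key is
// rejected, and so is an installer whose digest differs from the signed one.
// An on-path attacker who swaps either artifact therefore gets a refusal.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Metadata, sig, installer []byte) error {
	if !ed25519.Verify(pinnedPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return ErrDigestMismatch
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return ErrDigestMismatch
	}
	return nil
}

// RunScenarios exercises the gate with a constructed release, a swapped
// installer, and metadata re-signed with a key the updater does not trust.
// It returns the verifier's verdict for each case.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	// Constructed stand-in for the real installer bytes.
	genuine := []byte("GENUINE-INSTALLER-BYTES (constructed sample)")
	sum := sha256.Sum256(genuine)
	meta := Metadata{
		Version:      "8.8.9",
		InstallerURL: "https://updates.example.invalid/npp-installer.exe", // placeholder
		SHA256:       hex.EncodeToString(sum[:]),
	}
	sig := SignMetadata(priv, meta)

	// Swapped installer: the signed digest no longer matches what arrived.
	swapped := []byte("SUBSTITUTED-BYTES (constructed sample)")

	// Rewritten metadata whose digest matches the swapped bytes, signed with
	// a key that is not the pinned release key.
	badSum := sha256.Sum256(swapped)
	forged := meta
	forged.SHA256 = hex.EncodeToString(badSum[:])
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	forgedSig := SignMetadata(otherKey, forged)

	return map[string]error{
		"genuine":           VerifyUpdate(pub, meta, sig, genuine),
		"swapped_installer": VerifyUpdate(pub, meta, sig, swapped),
		"forged_metadata":   VerifyUpdate(pub, forged, forgedSig, swapped),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-18s -> %v\n", name, verdict)
	}
}
```

The two checks are deliberately ordered: the signature is verified before the digest is consulted, so an unsigned or re-signed metadata file never influences which installer bytes are accepted. A URL in the metadata is covered by the signature as well, so redirecting the download to another host does not help unless the bytes served there hash to the signed digest.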
Affected products
notepad-plus-plus · notepad-plus-plus

Public PoCs found: 2
github.com/renat0z3r0/notepadpp-supply-chain-iocs (★ 1)
github.com/George0Papasotiriou/CVE-2025-15556-Notepad-WinGUp-Updater-RCE (★ 1)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
https://notepad-plus-plus.org//news//clarification-security-incident/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556
https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification