Notepad++ Installer Flaw Exposes Systems to Attack (CVE-2025-49144)
▼ Summary
– A high-severity vulnerability (CVE-2025-49144) in Notepad++ versions up to v8.8.1 allows unprivileged users to gain SYSTEM-level privileges via insecure executable search paths.
– Attackers could exploit this flaw by tricking users into downloading both the legitimate installer and a malicious executable to the same directory, enabling privilege escalation when the installer runs.
– Security researchers discovered the vulnerability during DLL hijacking analysis and privately disclosed it to Notepad++ developer Don Ho, with a fix already committed but not yet released.
– The vulnerability details were temporarily redacted to prevent weaponization before patches are widely deployed, with plans to restore them post-patch distribution.
– Users are advised to upgrade to the fixed version once released and download Notepad++ only from the official site, verifying files via GPG signatures.
A critical security flaw in Notepad++ could allow attackers to hijack systems by exploiting the installer’s vulnerable search paths. Tracked as CVE-2025-49144, this privilege escalation vulnerability affects versions up to and including 8.8.1 of the widely used Windows text editor. While no active exploitation has been reported, researchers warn that malicious actors could leverage this weakness to execute code with SYSTEM-level permissions.
The issue stems from how the installer searches for executables during installation. Attackers could place a malicious file in the same directory as the legitimate installer, often the Downloads folder, and trick users into running both. When launched, the installer would inadvertently execute the rogue file with elevated privileges. Security experts Shashi Raj, Yatharth Tyagi, and Kunal Choudhary discovered the flaw while investigating common Windows application installation behaviors.
Notepad++ developer Don Ho has already committed a fix, but users must wait for the official release of version 8.8.2, delayed due to a code-signing certificate issue. In the meantime, a release candidate is available for testing. Ho emphasized that while the upcoming version won’t be digitally signed, users can verify its authenticity using GPG signatures, a feature included since version 7.6.6.
Researchers temporarily redacted technical details to prevent weaponization before widespread patching. “Coordinated disclosure ensures public awareness without compromising security,” Raj noted. Once the patched version gains sufficient adoption, full vulnerability details will be restored.
Given Notepad++’s popularity, both among legitimate users and cybercriminals, this flaw could become a prime target for exploitation. To mitigate risks, users should:
- Upgrade immediately once the fixed version is released.
- Download exclusively from the official Notepad++ website.
- Verify file integrity using GPG tools like Gpg4win or Kleopatra before installation.
Staying informed about emerging threats is crucial. Subscribing to trusted cybersecurity alerts ensures timely updates on vulnerabilities like this one.
(Source: HELPNETSECURITY)
