A high-severity vulnerability (CVE-2025-49144) in the Notepad++ installer could be exploited by unprivileged users to gain SYSTEM-level privileges through insecure executable search paths.
There is currently no indication that the vulnerability is being leveraged by attackers, though technical details and a proof-of-concept (PoC) have been published – and redacted shortly after for security reasons.
About CVE-2025-49144
Notepad++ is a popular free and open-source text and source code editor for Windows.
CVE-2025-49144 is a local privilege escalation flaw that affects Notepad++ versions up to and including v8.8.1, and may allow attackers to surreptitiously run malicious executables on target systems.
“An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory),” the CVE entry for the flaw explains.
If the (vulnerable) installer is run from that directory, it will also execute the malicious file, with SYSTEM privileges.
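As an added illustration of the untrusted-search-path pattern described above (example code written for this article, not the Notepad++ installer's code; the helper name and directory layout are constructed placeholders, since the real details are redacted), the naive lookup below picks up whatever sits next to the installer, while the hardened lookup accepts only an absolute path under a directory unprivileged users cannot write to:

```python
"""Added example, not from the article or the Notepad++ project. HELPER_NAME and
the directory layout are hypothetical; the real binary name is redacted."""
from __future__ import annotations
import tempfile
from pathlib import Path

HELPER_NAME = "helper.exe"  # hypothetical placeholder, not the real name


def naive_locate(name: str, search_dirs: list[Path]) -> Path | None:
    """Insecure: first match wins, and the installer's own directory
    (e.g. Downloads, writable by any local user) is searched first."""
    for d in search_dirs:
        candidate = d / name
        if candidate.is_file():
            return candidate
    return None


def hardened_locate(name: str, trusted_dir: Path) -> Path | None:
    """Secure: build an absolute path under a trusted, non-user-writable
    directory and refuse anything that resolves outside it (e.g. '..')."""
    candidate = (trusted_dir / name).resolve()
    if trusted_dir.resolve() not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def demo() -> tuple[bool, bool]:
    """Constructed layout: a 'system32' dir holding the genuine helper and a
    'Downloads' dir holding the installer plus a same-named planted file.
    Returns (naive picked the planted file, hardened picked the genuine one)."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system32"
        downloads = Path(tmp) / "Downloads"
        system.mkdir()
        downloads.mkdir()
        (system / HELPER_NAME).write_text("genuine")
        (downloads / HELPER_NAME).write_text("planted")  # attacker-placed file
        installer_dir = downloads  # the installer was launched from Downloads
        naive = naive_locate(HELPER_NAME, [installer_dir, system])
        hardened = hardened_locate(HELPER_NAME, system)
        return (naive.read_text() == "planted", hardened.read_text() == "genuine")
```

The same check is what a fixed installer has to do: never let the launch directory participate in resolving a privileged helper.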
The vulnerability was unearthed by security researchers Shashi Raj, Yatharth Tyagi and Kunal Choudhary, and privately disclosed to Notepad++ developer / maintainer Don Ho.
“We discovered this vulnerability while messing around with DLL hijacking for privilege escalation in Windows. Notepad++ wasn’t specifically targeted – we happened to identify this issue while analyzing common application installation patterns,” Raj told Help Net Security.
A commit addressing the vulnerability has already been made, but a stable Notepad++ release with the fix is still forthcoming.
What to do?
“We requested the advisory details be temporarily redacted to prevent weaponization before patches are widely deployed,” Raj said. “We believe in coordinated disclosure that balances public awareness with security. The vulnerability details will be restored once the patched version achieves sufficient distribution.”
Notepad++ developer Don Ho explained that the delay in releasing Notepad++ v8.8.2 was due to a hiccup with the code signing certificate and confirmed that it will be released within a week.
Due to the inability to renew the certificate at this time, that release will not be signed, he added. “However, since v7.6.6, GPG signatures have always been included with Notepad++ released binaries, you can use Gpg4win or Kleopatra to verify the authenticity of the downloaded files.”
(A release candidate has been made available for download in the meantime.)
But given the software’s popularity with users and malware peddlers alike, this vulnerability may be yet another welcome addition to the latter’s toolkit.
Users are advised to upgrade to the fixed Notepad++ version when it’s released. Prospective users are advised to download the software only from the official Notepad++ site, and to always verify open source downloads before running them.