cbcvebase.
CVE-2025-15556
published 2026-02-03

CVE-2025-15556: Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and…

PriorityP182high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-03-05
Exploited in the wild
EPSS
1.27%
66.1th percentile
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Affected

2 ranges
VendorProductVersion rangeFixed in
notepad-plus-plusnotepad< 8.8.98.8.9
notepad-plus-plusnotepad-plus-plus< 8.8.98.8.9

Detection & IOCsextracted from sources · hover to see the quote

  • Detect vulnerable Notepad++ versions (prior to 8.8.9) using the WinGUp updater component, which performs update downloads without cryptographic integrity verification
  • Monitor for Notepad++ update traffic being redirected away from notepad-plus-plus.org to attacker-controlled infrastructure; anomalous DNS or HTTP destinations for WinGUp update requests are a key indicator
  • Verify that Notepad++ installations are running version 8.9.1 or later, which includes XML signature validation (XMLDSig) for security updates; absence of this version indicates exposure
  • ·The vulnerability is classified as a download of code without integrity check (CWE-type); exploitation requires the attacker to be in a position to intercept or redirect update traffic (e.g., MitM, DNS hijacking, or infrastructure compromise)
  • ·The attack was targeted espionage rather than broad financially-motivated cybercrime; defenders should not assume all Notepad++ users were impacted equally
  • ·The attackers used valid credentials for the infrastructure provider's internal services, meaning traditional perimeter-based detections may not have flagged the redirected traffic as anomalous during the compromise window

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv4.07.7HIGHCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck7.7HIGH
cisa7.7HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.