CVE-2025-15556
Published 2026-02-03
Priority P1 · 82 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2026-03-05
Exploited in the wild
EPSS: 1.27% (66.1th percentile)
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| notepad-plus-plus | notepad | < 8.8.9 | 8.8.9 |
| notepad-plus-plus | notepad-plus-plus | < 8.8.9 | 8.8.9 |
Detection & IOCs
- Detect vulnerable Notepad++ versions (prior to 8.8.9) using the WinGUp updater component, which performs update downloads without cryptographic integrity verification
- Monitor for Notepad++ update traffic being redirected away from notepad-plus-plus.org to attacker-controlled infrastructure; anomalous DNS or HTTP destinations for WinGUp update requests are a key indicator
- Verify that Notepad++ installations are running version 8.9.1 or later, which includes XML signature validation (XMLDSig) for security updates; absence of this version indicates exposure
- The vulnerability is classified as a download of code without integrity check (CWE-type); exploitation requires the attacker to be in a position to intercept or redirect update traffic (e.g., MitM, DNS hijacking, or infrastructure compromise)
- The attack was targeted espionage rather than broad financially-motivated cybercrime; defenders should not assume all Notepad++ users were impacted equally
- The attackers used valid credentials for the infrastructure provider's internal services, meaning traditional perimeter-based detections may not have flagged the redirected traffic as anomalous during the compromise window
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 7.7 | HIGH | |
| cisa | | 7.7 | HIGH | |
GHSA
GHSA-cqx4-h5ph-3xj9: Notepad++ versions prior to 8
ghsa_unreviewed·2026-02-03
CVE-2025-15556 [HIGH] CWE-494 GHSA-cqx4-h5ph-3xj9: Notepad++ versions prior to 8
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
VulnCheck
Notepad++ Download of Code Without Integrity Check Vulnerability
vulncheck·2025·CVSS 7.7
CVE-2025-15556 [HIGH] CWE-494 Notepad++ Download of Code Without Integrity Check Vulnerability
Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.
Affected: Notepad++ Notepad++
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://notepad-plus-plus.org/news/hijacked-incident-info-update/; https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/; https://securelist.com/no
CISA
Notepad++ Download of Code Without Integrity Check Vulnerability
cisa·2026-02-12·CVSS 7.7
CVE-2025-15556 [HIGH] CWE-494 Notepad++ Download of Code Without Integrity Check Vulnerability
Vulnerability: Notepad++ Download of Code Without Integrity Check Vulnerability
Affected: Notepad++ Notepad++
Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://notepad-plus-plus.org/news/clarification-security-incident/ ; https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix ; https://nvd.nist.gov/vuln/det
No detection rules found.
No public exploits indexed.
Recorded Future
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
blogs_recorded_future·2026-03-12·CVSS 7.7
[HIGH] February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML fl
Tenable
Notepad++ Supply Chain Compromise
blogs_tenable·2026-02-03
Wiz
CVE-2025-15556 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-15556 [HIGH] CVE-2025-15556 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15556: Notepad++ vulnerability analysis and mitigation
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Source: NVD
| Field | Value |
|---|---|
| Score | 7.7 |
| Published | February 3, 2026 |
| Severity | HIGH |
| CNA Score | 7.7 |
| High-profile Vulnerability | Yes |
| Affected Technologies | Notepad++ |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | Yes |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 90 |
Exploitation P
Wiz
CVE-2026-25926 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25926 [HIGH] CVE-2026-25926 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25926: Notepad++ vulnerability analysis and mitigation
Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.
Source: NVD
| Field | Value |
|---|---|
| Score | 7.3 |
| Published | February 19, 2026 |
| Severity | HIGH |
| CNA Score | 7.3 |
| Affected Technologies | Notepad++ |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2 |
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification
- https://notepad-plus-plus.org//news//clarification-security-incident/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556
- 2026-02-03: Published
- 2026-02-12: Added to CISA KEV
- Exploited in the wild