Notepad++ is affected by a privilege escalation vulnerability that may allow unprivileged users to gain SYSTEM-level privileges through an insecure executable search path. Tracked as CVE-2025-49144, the vulnerability exposes millions of users worldwide to complete system compromise, and a proof of concept is now publicly available.
Notepad++ is a free, open-source text and source code editor for Microsoft Windows. It offers syntax highlighting, code folding, and a tabbed interface for managing multiple files simultaneously.
Notepad++ holds approximately 1.33% market share in the IDEs and text editors category, which amounts to hundreds of thousands of potentially vulnerable installations worldwide.
Vulnerability Details
Security researchers report that the installer looks for executable dependencies in its current working directory without properly verifying them, which can lead to malicious code injection.
This flaw poses a significant risk because exploitation requires minimal user interaction. By abusing the regular Windows DLL search order mechanism, an attacker can have a malicious executable placed in the installer's working directory loaded automatically with elevated privileges during installation.
In a real-world attack scenario, an attacker could use social engineering to trick users into downloading the legitimate installer and a malicious executable to the same directory. Upon running the installer, the attack executes automatically with SYSTEM privileges.
Proof of Concept
An attacker can place a malicious executable, such as a compromised regsvr32.exe, in the same directory as the Notepad++ installer to exploit the vulnerability. When a user runs the installer, the system automatically loads the malicious file with SYSTEM privileges, granting an attacker complete control over the target machine.
This vulnerability is part of a growing pattern of installer vulnerabilities in popular software. Earlier Notepad++ versions were affected by similar flaws, including CVE-2023-6401 and CVE-2023-47452, which also involved DLL hijacking and privilege escalation.
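The defensive counterpart of the mechanism described above is a pre-install check: before running an installer that resolves executable dependencies from its working directory, confirm that nothing executable sits beside it, and run it from a freshly created empty directory so the search path has nothing to pick up. The script below is an added example, not code from Qualys or the Notepad++ project. The installer file name, the list of executable suffixes and the list of shadowed system binary names are constructed samples (regsvr32.exe is the name the write-up itself mentions; the rest are illustrative), and the planted files it creates are empty placeholders, not real binaries.

```python
"""Pre-install audit for binary planting beside an installer.

Added example, not code from Qualys or the Notepad++ project. It lists every
executable artefact sitting beside an installer, flags names that shadow
Windows system binaries, and stages the installer into a fresh, empty
directory so nothing else can be resolved from its working directory.
"""
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types Windows will run or load as code. Constructed sample, not exhaustive.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".cpl", ".ocx", ".bat", ".cmd"}

# Binaries that belong in %SystemRoot%\System32 and have no business next to a
# downloaded installer. regsvr32.exe is the name used in the write-up's proof of
# concept; the others are a constructed sample for illustration.
SYSTEM_BINARY_NAMES = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "msiexec.exe"}


@dataclass(frozen=True)
class Finding:
    name: str    # file name as found beside the installer
    reason: str  # why it was flagged


def audit_installer_directory(installer: Path) -> list[Finding]:
    """Return one Finding per executable artefact beside `installer`.

    A name that collides with a system binary would be picked up by a search
    that starts in the working directory, so it gets a specific reason; any
    other executable is still reported, since it should not be there either.
    """
    findings: list[Finding] = []
    for entry in sorted(installer.parent.iterdir()):
        if entry.resolve() == installer.resolve() or not entry.is_file():
            continue
        if entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if entry.name.lower() in SYSTEM_BINARY_NAMES:
            reason = "shadows a Windows system binary"
        else:
            reason = "unexpected executable beside installer"
        findings.append(Finding(entry.name, reason))
    return findings


def stage_installer(installer: Path) -> Path:
    """Copy the installer into a newly created, empty directory and return the
    new path. Running it from there guarantees the working directory holds
    nothing an installer could resolve by mistake."""
    staging_dir = Path(tempfile.mkdtemp(prefix="installer-staging-"))
    staged = staging_dir / installer.name
    shutil.copy2(installer, staged)
    return staged


def build_constructed_sample() -> Path:
    """Create a throwaway download folder with a constructed layout: the
    installer, a harmless text file, and two planted files. The contents are
    placeholders, not real binaries."""
    folder = Path(tempfile.mkdtemp(prefix="download-sample-"))
    for name in ("npp.8.8.1.Installer.x64.exe", "release-notes.txt",
                 "regsvr32.exe", "helper.dll"):
        (folder / name).write_bytes(b"constructed placeholder, not a real binary\n")
    return folder


def demo() -> dict:
    """Audit the constructed sample, stage the installer, audit again."""
    folder = build_constructed_sample()
    installer = folder / "npp.8.8.1.Installer.x64.exe"
    before = audit_installer_directory(installer)
    staged = stage_installer(installer)
    after = audit_installer_directory(staged)
    return {"before": before, "after": after, "staged_path": str(staged)}


if __name__ == "__main__":
    result = demo()
    for finding in result["before"]:
        print(f"BLOCK: {finding.name}: {finding.reason}")
    print(f"staged copy with clean working directory: {result['staged_path']}")
    print(f"findings after staging: {len(result['after'])}")
```

On a real download folder, call audit_installer_directory on the installer's path and refuse to proceed while it returns any findings; stage_installer is the cheap way to get a clean working directory regardless of what a Downloads folder has accumulated.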
Affected Versions
The vulnerability affects Notepad++ versions 8.8.1 and earlier.
Mitigation
Users must upgrade to Notepad++ version 8.8.2 to patch the vulnerability.
Please refer to the GitHub Security Advisory for more information.
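For fleet inventory outside of a Qualys scan, the check a practitioner wants is a version comparison against the fix release that does not fall into lexical traps (8.8.10 must not be treated as older than 8.8.2). The script below is an added example, not Qualys's detection logic and not Notepad++ project code; it takes the affected and fixed versions from the text above. The registry path it reads on Windows is an assumption about where the Notepad++ installer records its DisplayVersion, and the fallback version strings in the main block are constructed samples.

```python
"""Version check for CVE-2025-49144 exposure.

Added example, not Qualys's detection logic or Notepad++ project code. The
write-up states that 8.8.1 and earlier are affected and 8.8.2 fixes the
issue. Versions are compared as integer tuples, never as strings, and on
Windows the installed version is read from the uninstall registry entry
(assumed location, see UNINSTALL_KEY).
"""
from __future__ import annotations

import re
import sys

FIXED_VERSION = (8, 8, 2)

# Assumed location of the installer's uninstall entry; verify on your build.
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a dotted numeric version from strings such as '8.8.1',
    'v8.8.2' or '8.8.1 (64-bit)'."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(version: str) -> bool:
    """True when the version is 8.8.2 or later; tuple comparison keeps
    8.8.10 > 8.8.2 and 8.9 > 8.8.2."""
    return parse_version(version) >= FIXED_VERSION


def installed_versions() -> list[str]:
    """Read DisplayVersion from both the 64-bit and 32-bit registry views.
    Returns an empty list off Windows or when no entry exists."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows

    found: list[str] = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY, 0,
                                winreg.KEY_READ | view) as key:
                value, _ = winreg.QueryValueEx(key, "DisplayVersion")
                found.append(str(value))
        except OSError:
            continue
    return found


def assess(versions: list[str]) -> dict[str, str]:
    """Map each version string to 'fixed' or 'vulnerable'."""
    return {v: ("fixed" if is_fixed(v) else "vulnerable") for v in versions}


if __name__ == "__main__":
    # Constructed fallback so the script shows output off Windows as well.
    detected = installed_versions() or ["8.8.1", "8.8.2"]
    for version, status in assess(detected).items():
        print(f"Notepad++ {version}: {status}")
```

Portable installations are not registered in the uninstall key, so for those read the version from the notepad++.exe file properties instead and feed the string to assess.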
Qualys Detection
Qualys customers can scan their devices with QID 383400 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24