A critical security vulnerability, identified as CVE-2025-49144, has emerged in the Notepad++ installer, affecting version 8.8.1 and earlier. This vulnerability is characterized as a privilege escalation flaw, classified particularly as binary planting or uncontrolled search path exploitation.
During the installation process, the Notepad++ installer inadequately searches for crucial executable dependencies, such as regsvr32.exe, within the current working directory without a verification of their legitimacy—providing an opportunity for malicious actors. High-severity privilege escalation vulnerability allows local attackers to gain SYSTEM-level privileges via uncontrolled executable search paths.
The Notepad++ installer fails to validate executable dependencies, creating a security loophole for potential exploitation by malicious actors.
Cybercriminals can exploit this flaw by planting harmful executables in publicly accessible directories, especially the Downloads folder, a location that users frequently utilize to store downloaded files. When a user runs the installer from an infected directory, the vulnerable program may load and execute these attacker-controlled executables, thereby granting them NT AUTHORITY\SYSTEM privileges. This vulnerability primarily affects Notepad++ v8.8.1 and allows attackers to achieve unauthorized control over the system.
The exploit’s severity has been classified as “High,” with a CVSS score of 7.3, highlighting the potential for full system control at the expense of millions of users globally.
Proof-of-concept materials belonging to the exploit have been released into the public domain, raising concerns regarding the likelihood of real-world attacks. Attackers can use social engineering or clickjacking techniques to entice users into downloading both the legitimate installer and the compromised executable, thereby facilitating exploitation with minimal user interaction.
Especially, the flaw is present in all versions up to and including 8.8.1, which was released on May 5, 2025.
In response to this significant vulnerability, the developers of Notepad++ quickly released version 8.8.2, designed to rectify the insecure path search behavior of the installer.
They encourage all users to swiftly update to the patched version. Therefore, heightened awareness and quick action are vital for users to mitigate risks associated with this serious security breach, as well as underscoring the importance of secure software development practices.
