Notepad++ Vulnerability Allows Full System Takeover — PoC Released

A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack.

The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction.

This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available.

CVE-2025-49144: Technical Breakdown

The vulnerability stems from uncontrolled EXE/DLL search paths in the Notepad++ installer. During installation, the software insecurely searches for executable dependencies (like regsvr32.exe) in the current working directory without verification.

Attackers can place malicious executables in directories where users typically download files (e.g., Downloads), causing the installer to execute them with SYSTEM privileges. Key aspects include:

Aspect	Detail
Vulnerability Type	Binary Planting/Uncontrolled Search Path
Affected Versions	Notepad++ v8.8.1 (Released May 5, 2025)
Patched Version	v8.8.2
CVSS v3.1 Score	7.3 (High)

Exploitation and Impact

Successful exploitation follows a three-step process:

1. Preparation: An attacker places a malicious executable (e.g., disguised as regsvr32.exe) in a directory accessible to the victim.
2. Execution: The victim downloads and runs the Notepad++ v8.8.1 installer from the same directory.
3. Privilege Escalation: The installer automatically loads and executes the malicious file with SYSTEM privileges, granting attackers full control over the system.

Documented PoC materials, including video evidence and reverse-shell demonstrations, confirm attackers can:

• Steal sensitive data
• Install persistent malware
• Pivot to other network systems

Historical Context

This flaw echoes past Notepad++ vulnerabilities:

• CVE-2023-6401 (Uncontrolled search path in dbghelp.exe)
• CVE-2022-32168 (DLL hijacking via UxTheme.dll)
• CVE-2023-47452 (DLL hijacking in older versions).
  Unlike previous medium-severity issues, CVE-2025-49144’s SYSTEM-level access amplifies its threat potential.

Mitigation and Recommendations

Notepad++ released v8.8.2 to address the flaw by:

• Using absolute paths for dependencies (e.g., $SYSDIR\regsvr32.exe)
• Implementing secure temporary directories
• Adhering to Microsoft’s secure library-loading guidelines.
  Users must immediately update to v8.8.2 and avoid running installers from untrusted directories. Enterprises should:

# Verify installer integrity via SHA-256 checksum

certutil -hashfile npp.8.8.2.Installer.x64.exe SHA256

CVE-2025-49144 exemplifies how seemingly minor installer oversights can enable devastating privilege escalation.

With PoC exploits circulating, organizations and individual users must prioritize patching to prevent system-wide compromises.

Notepad++’s prompt patch underscores the importance of coordinated disclosure, though users should remain vigilant against similar supply-chain threats.