A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144, the flaw abuses an insecure executable search path during installation, requiring minimal user interaction.
This vulnerability affects Windows environments and has become an attractive target due to Notepad++’s popularity among developers, IT professionals, and enterprise users.
- Published: June 24, 2025
- Severity: High (CVSS 3.1: 7.3)
- Affected Product: Notepad++ v8.8.1 and earlier
- Patched In: Notepad++ v8.8.2
- Exploit Availability: Public Proof of Concept released
Attack Vector and Impact
The vulnerability stems from the installer’s failure to securely load system executables (e.g., regsvr32.exe). Instead, it searches for dependencies in the current directory—typically the Downloads folder—allowing an attacker to plant a malicious executable with the same name.
Exploitation Steps:
- The attacker convinces a user to place a malicious file alongside the legitimate Notepad++ installer.
- When the installer is executed, it loads the attacker’s executable instead of the system one.
- The malicious code runs with SYSTEM privileges, giving the attacker full control of the device.
With this access, attackers can:
- Extract sensitive data
- Persist on the system via malware
- Move laterally across the network
- Disable security tools
Real-World Risk
Notepad++ has over 1.6 million monthly website visits and a ~1.3% market share in text editors globally. This widespread adoption dramatically increases the potential attack surface.
Because the vulnerability is exploited locally, traditional firewalls and network-based detections may not identify or stop such attacks. Its abuse of a trusted software installer also mimics supply-chain threat behaviors.
Previous Related CVEs in Notepad++
- CVE-2023-6401: Uncontrolled search path in dbghelp.exe
- CVE-2023-47452: DLL hijacking
- CVE-2022-32168: DLL hijack via UxTheme.dll
CVE-2025-49144 is more severe due to the level of access granted.
Mitigation Recommendations
Update immediately to v8.8.2, which:
- Enforces secure path loading (e.g., %SystemRoot%\System32)
- Applies Microsoft’s secure DLL loading guidelines
- Verifies paths explicitly before execution
OP Innovate Recommendations
Organizations using Notepad++ in development or production environments should scan endpoints for v8.8.1 installer artifacts and check for suspicious executables in user download folders.
Centralized logging (e.g., Process Monitor) can be used for retrospective analysis.
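One way to run the endpoint check described above, as an added example that is not part of the original advisory or Notepad++ code. It assumes installers keep the upstream file name pattern npp.<version>.Installer*.exe and that user profiles live under %SystemDrive%\Users. It goes beyond regsvr32.exe by flagging any co-located executable whose name matches a file in System32.

```powershell
# Added example (not vendor code): find Notepad++ installers and any EXE in the
# same folder whose name shadows a System32 binary (e.g. regsvr32.exe).
param(
    # Assumption: scan every local profile's Downloads folder unless told otherwise.
    [string[]]$Root = @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Downloads' })
)

# Case-insensitive set of genuine system executable names taken from this host.
$systemNames = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem (Join-Path $env:SystemRoot 'System32') -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { [void]$systemNames.Add($_.Name) }

# Assumption: the installer kept its upstream name, npp.<version>.Installer*.exe.
$installerPattern = '^npp\.(?<ver>\d+(\.\d+){1,3})\.Installer.*\.exe$'
$fixedVersion = [version]'8.8.2'   # first patched release per the advisory

foreach ($dir in ($Root | Where-Object { Test-Path -LiteralPath $_ })) {
    $candidates = Get-ChildItem -LiteralPath $dir -Recurse -File -Filter 'npp.*.exe' -ErrorAction SilentlyContinue
    foreach ($installer in $candidates) {
        if ($installer.Name -match $installerPattern) {
            $version = [version]$Matches['ver']

            # Executables beside the installer that reuse a system binary's name.
            $shadowing = @(Get-ChildItem -LiteralPath $installer.DirectoryName -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                Where-Object { $systemNames.Contains($_.Name) })

            # Always report the installer; add one row per shadowing file found.
            if ($shadowing.Count -eq 0) { $shadowing = @($null) }
            foreach ($exe in $shadowing) {
                [pscustomobject]@{
                    Installer    = $installer.FullName
                    Version      = $version
                    Vulnerable   = ($version -lt $fixedVersion)
                    ShadowingExe = if ($exe) { $exe.FullName }
                    SHA256       = if ($exe) { (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash }
                    Signature    = if ($exe) { (Get-AuthenticodeSignature -LiteralPath $exe.FullName).Status }
                }
            }
        }
    }
}
```

A row with a non-empty ShadowingExe is a triage lead: compare its SHA256 and signature status against the same-named file in System32 before drawing conclusions.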
Need help triaging affected systems or performing forensic review?
Our Incident Response team is available 24/7.