Notepad++ Vulnerability Allows Full System Takeover — PoC Released
A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack.
The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction.
This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available.
CVE-2025-49144: Technical Breakdown
The vulnerability stems from uncontrolled EXE/DLL search paths in the Notepad++ installer. During installation, the software insecurely searches for executable dependencies (like regsvr32.exe) in the current working directory without verification.
Attackers can place malicious executables in directories where users typically download files (e.g., Downloads), causing the installer to execute them with SYSTEM privileges. Key aspects include:
| Aspect | Detail |
| --- | --- |
| Vulnerability Type | Binary Planting/Uncontrolled Search Path |
| Affected Versions | Notepad++ v8.8.1 (Released May 5, 2025) |
| Patched Version | v8.8.2 |
| CVSS v3.1 Score | 7.3 (High) |
Exploitation and Impact
Successful exploitation follows a three-step process:
- Preparation: An attacker places a malicious executable (e.g., disguised as regsvr32.exe) in a directory accessible to the victim.
- Execution: The victim downloads and runs the Notepad++ v8.8.1 installer from the same directory.
- Privilege Escalation: The installer automatically loads and executes the malicious file with SYSTEM privileges, granting attackers full control over the system.
Documented PoC materials, including video evidence and reverse-shell demonstrations, confirm attackers can:
- Steal sensitive data
- Install persistent malware
- Pivot to other network systems

Historical Context
This flaw echoes past Notepad++ vulnerabilities:
- CVE-2023-6401 (Uncontrolled search path in dbghelp.exe)
- CVE-2022-32168 (DLL hijacking via UxTheme.dll)
- CVE-2023-47452 (DLL hijacking in older versions).
Unlike previous medium-severity issues, CVE-2025-49144’s SYSTEM-level access amplifies its threat potential.
Mitigation and Recommendations
Notepad++ released v8.8.2 to address the flaw by:
- Using absolute paths for dependencies (e.g., $SYSDIR\regsvr32.exe)
- Implementing secure temporary directories
- Adhering to Microsoft’s secure library-loading guidelines.
Users must immediately update to v8.8.2 and avoid running installers from untrusted directories. Enterprises should:
```powershell
# Verify installer integrity via SHA-256 checksum
certutil -hashfile npp.8.8.2.Installer.x64.exe SHA256
```
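A pre-flight check that automates the hash comparison and then looks for planted binaries beside the installer, as an added example that is not from the Notepad++ project or the original article. It generalizes from regsvr32.exe to any EXE/DLL name found in System32; the parameter names are assumptions, and it expects Windows PowerShell 5.1 or later.

```powershell
# Added example, not Notepad++ project code. Run before launching an installer.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Assumption: the SHA-256 the vendor publishes for this exact file.
    [Parameter(Mandatory)] [string] $ExpectedSha256
)
$ErrorActionPreference = 'Stop'
$installer = Get-Item -LiteralPath $InstallerPath

# 1. Integrity: the certutil check above, compared automatically.
$actual = (Get-FileHash -LiteralPath $installer.FullName -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {   # string -ne ignores case
    throw "SHA-256 mismatch for $($installer.Name): got $actual"
}

# 2. Binary planting: collect the EXE/DLL names that live in System32 ...
$system32 = Join-Path $env:SystemRoot 'System32'
$systemNames = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -LiteralPath $system32 -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { [void]$systemNames.Add($_.Name) }

# ... then flag any file beside the installer that reuses one of those names.
$suspects = @(Get-ChildItem -LiteralPath $installer.DirectoryName -File |
    Where-Object { $systemNames.Contains($_.Name) })

$suspects | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        File      = $_.FullName
        Signature = $sig.Status                      # Authenticode status of the look-alike
        Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        Created   = $_.CreationTimeUtc
    }
} | Format-List

if ($suspects.Count -gt 0) {
    Write-Warning "$($suspects.Count) file(s) beside the installer reuse System32 names; move the installer to an empty directory before running it."
    exit 1
}
Write-Output "Hash verified and no System32 look-alikes found in $($installer.DirectoryName)."
```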
CVE-2025-49144 exemplifies how seemingly minor installer oversights can enable devastating privilege escalation.
With PoC exploits circulating, organizations and individual users must prioritize patching to prevent system-wide compromises.
Notepad++’s prompt patch underscores the importance of coordinated disclosure, though users should remain vigilant against similar supply-chain threats.