CVE-2025-49144

CVSS v3.1 base score: 7.3 HIGH

📋 TL;DR

A privilege escalation vulnerability in the Notepad++ installer, versions 8.8.1 and earlier, lets an unprivileged local user gain SYSTEM-level privileges through an insecure executable search path: the installer launches a Windows system executable by bare name rather than by fully qualified path, so Windows resolves that name from the directory containing the installer before it looks in System32. An attacker who social-engineers a user into downloading a malicious executable into the same directory as the legitimate installer (typically the Downloads folder) gets that executable run with the installer's elevated privileges as soon as the installer is launched. Every user who runs a vulnerable installer is affected; the installed application itself is not the vulnerable component.

💻 Affected Systems

Products:
  • Notepad++
Versions: 8.8.1 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the installer executable, not in the installed application. Exploitation requires the user to run the installer from a directory that already contains an attacker-planted executable (typically the Downloads folder).

⚠️ Manual Verification Required

Automated version checks are unreliable for this CVE: the flaw is in the installer executable, not in the installed program, so an up-to-date installed Notepad++ says nothing about whether an unpatched installer still sits in a user's Downloads folder or on a software share, ready to be run again. The vendor advisory does state the affected range (8.8.1 and prior, fixed in 8.8.2), so verification comes down to checking installer files by hand.

Recommended Actions:
  1. Review the vendor advisory and the NVD entry for the authoritative affected range.
  2. Locate Notepad++ installers retained on workstations and on software distribution shares and check their version.
  3. Delete or replace installers older than 8.8.2, and distribute only 8.8.2 or later.
  4. Where an older installer was already run from Downloads or another user-writable directory, review the host for a planted executable and for unexpected child processes of the installer (see Detection & Monitoring).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM-level compromise of the affected system, allowing complete control, data theft, persistence establishment, and lateral movement.

🟠

Likely Case

Local privilege escalation to SYSTEM on individual workstations where users download and run the installer from vulnerable directories.

🟢

If Mitigated

No impact once only installers of version 8.8.2 or later are used, or when installers are always run from an empty directory that contains no other executables. Updating the installed application alone does not remove the risk while an old installer remains available to users.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation requiring user interaction with downloaded files.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or social engineering to download malicious files alongside the installer.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (launching the installer and accepting its elevation prompt) and an attacker-controlled executable in the installer's directory. Social engineering supplies both: a download page or phishing lure that delivers the genuine installer together with a file named like a Windows system tool, with the browser's Downloads folder collecting them in one place.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.8.2

Vendor Advisory: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24

Restart Required: No

Instructions:

1. Download Notepad++ version 8.8.2 or later from the official website.
2. Run the new installer.
3. The fix is in the installer itself; nothing in the installed application needs changing.
4. Delete any copies of installers older than 8.8.2 that remain in Downloads folders or on software shares, so they cannot be run later.

🔧 Temporary Workarounds

Run installer from secure directory

windows

Before running the installer, copy it on its own into a newly created, empty directory and launch it from there. Windows resolves an executable launched by bare name from the directory containing the calling program before it checks System32, so an installer sitting in Downloads next to attacker-supplied files is exactly the exposed case; an empty directory leaves nothing to resolve. Verify the installer's Authenticode signature and its published checksum before launching.

Use portable version

windows

Use the portable release (zip or 7z archive) of Notepad++, which is extracted rather than installed and therefore never runs the vulnerable installer or asks for elevation.

🧯 If You Can't Patch

  • Educate users to only run installers from trusted directories and verify file integrity before execution.
  • Implement application control (AppLocker or Windows Defender Application Control) so that executables cannot run from user-writable directories such as Downloads; a planted binary there then fails to launch even when an old installer is run.

🔍 How to Verify

Check if Vulnerable:

The installed application is not the vulnerable component, so the version shown in Notepad++ only tells you which installer was last run. Any Notepad++ installer of version 8.8.1 or earlier is vulnerable every time it is executed: look for such installers in Downloads folders and on software distribution shares, and check whether any installer was run from a directory that also contained other executables.

Check Version:

In Notepad++: Help > About Notepad++

Verify Fix Applied:

Verify that the installed Notepad++ version is 8.8.2 or later via Help > About Notepad++, and confirm that no installer older than 8.8.2 remains available to users.
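The following PowerShell script is an added example, not code from the Notepad++ project or from this advisory. It covers both the "run from a secure directory" workaround above and the checks in this section: it finds Notepad++ installers in the user's Downloads and Desktop folders, flags any older than 8.8.2, flags executables sitting beside an installer whose names match Windows system tools (those are the files a bare-name launch would resolve before System32), and, with -Launch, copies the newest patched installer into a fresh empty directory and runs it from there. Assumptions: the official file naming npp.<version>.Installer[.x64|.arm64].exe, a version parseable from that name (falling back to the PE version resource), and a list of system-tool names that is a guess to be widened as needed.

```powershell
<#
  Added example; not code from the Notepad++ project or this advisory.
  Pre-flight check for Notepad++ installers on a workstation.
  Assumptions: official naming npp.<version>.Installer[.x64|.arm64].exe;
  version parseable from the name or the PE version resource; fixed version 8.8.2.
#>
[CmdletBinding()]
param(
    [string[]]$SearchDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop"),
    [switch]$Launch   # copy the newest patched installer to an empty folder and run it
)

$FixedVersion = [version]'8.8.2'
# Windows binaries an installer may call by bare name (assumed list). CreateProcess
# resolves an unqualified name from the calling EXE's own directory before System32,
# so a file with one of these names beside the installer is suspect.
$SuspectNames = 'regsvr32.exe', 'cmd.exe', 'rundll32.exe', 'powershell.exe', 'msiexec.exe'

function Get-NppInstallerReport {
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter 'npp.*.Installer*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inst = $_
            # Version from the file name; fall back to the PE version resource (assumed parseable).
            $ver = if ($inst.Name -match '^npp\.(\d+(?:\.\d+)+)\.Installer') { [version]$Matches[1] }
                   else { [version]$inst.VersionInfo.ProductVersion }
            $sig = Get-AuthenticodeSignature -FilePath $inst.FullName
            # Executables next to the installer that would shadow system tools.
            $planted = @(Get-ChildItem -LiteralPath $inst.DirectoryName -File -ErrorAction SilentlyContinue |
                         Where-Object { $SuspectNames -contains $_.Name } |
                         ForEach-Object { $_.FullName })
            [pscustomobject]@{
                Installer  = $inst.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $FixedVersion)
                Signature  = $sig.Status                    # expect 'Valid'
                Signer     = $sig.SignerCertificate.Subject # eyeball this against the official signer
                Planted    = $planted
            }
        }
    }
}

$report = @(Get-NppInstallerReport -Dirs $SearchDirs)
if (-not $report) { Write-Host 'No Notepad++ installers found in the searched folders.'; return }
$report | Format-List

foreach ($r in $report) {
    if ($r.Vulnerable) {
        Write-Warning "Vulnerable installer (older than $FixedVersion): $($r.Installer) - delete it."
    }
    if ($r.Planted.Count) {
        Write-Warning "Executable(s) beside $($r.Installer) would shadow system tools: $($r.Planted -join ', ')"
    }
}

if ($Launch) {
    $good = $report | Where-Object { -not $_.Vulnerable -and $_.Signature -eq 'Valid' } |
            Sort-Object Version -Descending | Select-Object -First 1
    if (-not $good) {
        throw "No validly signed installer $FixedVersion or later found; download one from the official site first."
    }
    # A fresh, empty directory: the only executable on the installer's search path is the installer itself.
    $stage = Join-Path $env:TEMP ('npp-install-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $stage | Out-Null
    Copy-Item -LiteralPath $good.Installer -Destination $stage
    Start-Process -FilePath (Join-Path $stage (Split-Path $good.Installer -Leaf)) `
                  -WorkingDirectory $stage -Verb RunAs -Wait
}
```

Run it without arguments to get the report only; add -Launch once a patched, validly signed installer is present. The staging step is deliberately applied even to the patched installer, since an empty directory costs nothing and protects against any future bare-name launch.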

📡 Detection & Monitoring

Log Indicators:

  • Process creation events (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) in which the parent is a Notepad++ installer (npp.*.Installer*.exe) run from a user directory such as Downloads and the child is a binary named like a Windows system tool but located outside C:\Windows\System32 or C:\Windows\SysWOW64.

Network Indicators:

  • Unusual outbound connections following Notepad++ installation from user workstations.

SIEM Query:

Process Creation where (ParentImage matches 'npp\..*Installer.*\.exe') AND (Image endswith '\regsvr32.exe' OR Image endswith '\cmd.exe' OR Image endswith '\rundll32.exe') AND NOT (Image startswith 'C:\Windows\System32\' OR Image startswith 'C:\Windows\SysWOW64\')
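An added example, not a detection rule supplied by the Notepad++ project or any vendor: the log indicators above implemented as a PowerShell function and run over constructed records that use the Sysmon Event ID 1 field names (Image, ParentImage, User, IntegrityLevel, CommandLine). It raises HIGH when a Notepad++ installer spawns a system-tool name from a non-system path, MEDIUM when any process does so, and LOW when an installer older than 8.8.2 runs at all. Assumptions: the official installer naming npp.<version>.Installer*.exe, and a list of system-tool names that is a guess to be widened to whatever your baseline shows installers spawning. The sample records are constructed, not real telemetry.

```powershell
<#
  Added example; not a rule shipped by the Notepad++ project or any vendor.
  Detection logic for installer binary planting, run over constructed records
  shaped like Sysmon Event ID 1. Swap the sample array for the Get-WinEvent
  pipeline in the trailing comment to run it against a live host.
#>
$FixedVersion = [version]'8.8.2'
# System-tool names an installer may launch by bare name (assumed list).
$SystemNames  = 'regsvr32.exe', 'cmd.exe', 'rundll32.exe', 'powershell.exe', 'msiexec.exe'

function ConvertFrom-SysmonEvent {
    # Flattens a Sysmon event's EventData into one object with a property per field.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o = [ordered]@{ TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Test-InstallerBinaryPlanting {
    # Emits one alert object per suspicious process-creation record; nothing otherwise.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $image   = [string]$Record.Image
        $parent  = [string]$Record.ParentImage
        $imgName = ($image  -split '[\\/]')[-1]
        $parName = ($parent -split '[\\/]')[-1]
        $isSystemName  = $SystemNames -contains $imgName
        $fromSystemDir = $image -match '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\'
        $parentIsNpp   = $parName -match '^npp\.(\d+(?:\.\d+)+)\.Installer.*\.exe$'
        $parentVersion = if ($parentIsNpp) { [version]$Matches[1] } else { $null }

        if ($isSystemName -and -not $fromSystemDir -and $parentIsNpp) {
            $sev = 'HIGH';   $why = "Notepad++ installer $parentVersion launched $imgName from a non-system path"
        } elseif ($isSystemName -and -not $fromSystemDir) {
            $sev = 'MEDIUM'; $why = "$imgName executed from a non-system path (parent: $parName)"
        } elseif ($parentIsNpp -and $parentVersion -lt $FixedVersion) {
            $sev = 'LOW';    $why = "vulnerable Notepad++ installer $parentVersion ran (child: $imgName)"
        } else { return }

        [pscustomobject]@{
            Severity = $sev; Time = $Record.TimeCreated; User = $Record.User
            Integrity = $Record.IntegrityLevel; Image = $image; Parent = $parent; Reason = $why
        }
    }
}

# Constructed sample records (not real telemetry) using Sysmon Event ID 1 field names.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2025-06-23T10:01:02'; User = 'CORP\alice'; IntegrityLevel = 'High'
        Image = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Users\alice\Downloads\npp.8.8.2.Installer.x64.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Notepad++\NppShell.dll"' }      # patched installer, clean: no alert
    [pscustomobject]@{ TimeCreated = '2025-06-23T10:05:17'; User = 'CORP\bob'; IntegrityLevel = 'High'
        Image = 'C:\Users\bob\Downloads\regsvr32.exe'
        ParentImage = 'C:\Users\bob\Downloads\npp.8.8.1.Installer.x64.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Notepad++\NppShell.dll"' }      # planted binary: HIGH
    [pscustomobject]@{ TimeCreated = '2025-06-23T10:06:40'; User = 'CORP\bob'; IntegrityLevel = 'Medium'
        Image = 'C:\Users\bob\Downloads\regsvr32.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Users\bob\Downloads\regsvr32.exe"' }                          # system name, user path: MEDIUM
    [pscustomobject]@{ TimeCreated = '2025-06-23T10:08:05'; User = 'CORP\dave'; IntegrityLevel = 'High'
        Image = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Users\dave\Downloads\npp.8.8.1.Installer.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Notepad++\NppShell.dll"' }      # old installer, real tool: LOW
    [pscustomobject]@{ TimeCreated = '2025-06-23T10:09:00'; User = 'CORP\carol'; IntegrityLevel = 'Medium'
        Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'cmd.exe' }                                                         # benign: no alert
)

$alerts = $sample | Test-InstallerBinaryPlanting
$alerts | Format-Table Severity, Time, User, Integrity, Image, Parent -AutoSize

# Live host (Sysmon installed):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonEvent | Test-InstallerBinaryPlanting
```

On the constructed sample the function returns three alerts (HIGH for bob's planted regsvr32.exe, MEDIUM for the same file launched by hand, LOW for dave's unpatched installer) and nothing for the two clean records. The path check is the important part: matching on the executable name alone would fire on every legitimate installation.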
