Notepad++ Update Hijack: When Your Text Editor Writes Back
Vulnerability ID: CVE-2025-15556
CVSS Score: 7.7
Published: 2026-02-03
For years, Notepad++ has been the Swiss Army knife of developers—lightweight, reliable, and omnipresent. But in mid-2025, it became a Trojan Horse. CVE-2025-15556 reveals a catastrophic failure in the updater mechanism (WinGUp) where binary integrity checks were non-existent. This allowed the Lotus Blossom APT to compromise the official hosting infrastructure and serve a malicious backdoor disguised as a standard update, turning developer workstations into beachheads for espionage.
TL;DR
Notepad++ versions before 8.8.9 failed to verify the digital signature of updates downloaded via the generic WinGUp updater. Attackers compromised the update server, swapping the legitimate installer for the 'Chrysalis' backdoor. Update immediately.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE: CWE-494
- CVSS v4.0: 7.7 (High)
- Attack Vector: Network (Man-in-the-Middle / Compromised Server)
- Impact: Arbitrary Code Execution / Malware Installation
- EPSS Score: 0.00038
- Exploit Status: Active (Lotus Blossom APT)
Affected Systems
- Notepad++ < 8.8.9
- WinGUp Updater (Generic)
- Notepad++: < 8.8.9 (Fixed in: 8.8.9)
Code Analysis
Commit: ce00375
WinGUp: Add WinVerifyTrust signature checks and command line flags
ADDED: WinVerifyTrust logic, Cert pinning logic
Commit: bcf2aa6
Notepad++: Invoke updater with security flags enabled
MODIFIED: NppUpdate.cpp to pass the -chkCertSig and -chkCertTrustChain flags when invoking the updater
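The two flags above correspond to two separate checks: that the downloaded binary carries a valid Authenticode signature, and that the signer's certificate chains to a trusted root. Neither check alone stops a substituted installer that happens to be signed by some other valid code-signing certificate, which is why pinning the expected signer matters. The PowerShell below is an added example, not WinGUp's C++ code from commit ce00375: it reimplements the same gate a defender would want in front of any downloaded installer. The signer thumbprint is a placeholder (the page does not give the Notepad++ signing certificate) and the download path is hypothetical.

```powershell
# Added example (not Notepad++/WinGUp code). Gate a downloaded update behind:
#   1) a valid Authenticode signature          (intent of -chkCertSig)
#   2) a chain to a trusted root               (intent of -chkCertTrustChain)
#   3) a pinned signer thumbprint              (so "some other valid cert" fails)
# PLACEHOLDER: replace with the thumbprint of the real Notepad++ signing certificate.
$ExpectedSignerThumbprint = 'PLACEHOLDER-NOTEPAD-PLUS-PLUS-SIGNER-THUMBPRINT'

function Test-UpdateBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }

    # Get-AuthenticodeSignature validates the signature hash AND walks the chain to a
    # trusted root. Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted,
    # UnknownError, ...) is a hard fail; an unsigned file is exactly the pre-8.8.9 gap.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A trusted chain is necessary but not sufficient: any code-signing certificate
    # from a trusted CA would pass. Pin the expected signer so a substitute binary
    # signed with a different certificate is still rejected.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $PinnedThumbprint) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signer thumbprint $actual does not match pinned value" }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "signed by $($sig.SignerCertificate.Subject)" }
}

function Invoke-VerifiedUpdate {
    param([Parameter(Mandatory)] [string] $InstallerPath)

    $result = Test-UpdateBinary -Path $InstallerPath -PinnedThumbprint $ExpectedSignerThumbprint
    if (-not $result.Ok) {
        # Refuse to execute and leave the file for the analyst; do not fall back to "run anyway".
        Write-Warning "Refusing to run '$InstallerPath' ($($result.Reason))"
        return $false
    }
    Write-Host "Verified: $($result.Reason)"
    Start-Process -FilePath $InstallerPath -Wait
    return $true
}

# Usage (hypothetical download location):
# Invoke-VerifiedUpdate -InstallerPath "$env:TEMP\npp.8.8.9.Installer.x64.exe"
```

The same Test-UpdateBinary check is what the manual "Properties -> Digital Signatures" step in the remediation list does by hand; scripting it makes the signer comparison explicit instead of relying on a glance at the dialog.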
Exploit Details
- Rapid7: Analysis of the Chrysalis backdoor and Lotus Blossom campaign
- Kaspersky: Technical breakdown of the DLL side-loading chain
Mitigation Strategies
- Update to Notepad++ v8.8.9 immediately.
- Block GUP.exe at the firewall level if immediate patching is impossible.
- Monitor for DLL side-loading indicators (e.g., unsigned DLLs loading into signed processes).
Remediation Steps:
- Download the latest installer directly from notepad-plus-plus.org (ensure HTTPS and check browser certificate).
- Verify the installer's digital signature manually before running: Right-click -> Properties -> Digital Signatures.
- Install v8.8.9+, which replaces the vulnerable GUP.exe.
- Scan specifically for 'log.dll' and 'BluetoothService.exe' in unexpected directories.
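The two monitoring items above (unsigned DLLs loading into signed processes, and the named files turning up outside their expected locations) can be checked on a workstation with the PowerShell below. It is an added example written for this page, not tooling from the advisory, Rapid7 or Kaspersky. The file names come from the advisory; the choice to treat an unsigned DLL in the same directory as its signed host as the higher-severity case, and the caller-supplied allowlist of "expected" directories, are assumptions. Run it in an elevated session so module lists of other users' processes are readable.

```powershell
# Added detection example (not from the advisory or the vendor reports).
# Part 1: flag unsigned DLLs loaded into Authenticode-signed processes.
function Get-SideLoadCandidates {
    $cache = @{}   # the same DLL is loaded by many processes; cache signature lookups
    function Get-SigStatus([string] $p) {
        if (-not $cache.ContainsKey($p)) {
            try   { $cache[$p] = (Get-AuthenticodeSignature -LiteralPath $p).Status.ToString() }
            catch { $cache[$p] = 'Error' }
        }
        return $cache[$p]
    }

    $hits = @()
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $exe = $proc.Path
        if (-not $exe) { continue }                          # no access / pseudo-process
        if ((Get-SigStatus $exe) -ne 'Valid') { continue }   # only signed hosts are of interest here

        $mods = @()
        try { $mods = @($proc.Modules) } catch { $mods = @() }   # WOW64 / protected processes may throw
        foreach ($m in $mods) {
            $dll = $m.FileName
            if (-not $dll -or $dll -notmatch '\.dll$') { continue }
            $status = Get-SigStatus $dll
            if ($status -eq 'Valid') { continue }
            # ASSUMPTION: an unsigned DLL sitting beside its signed host is the classic
            # side-loading shape, so it gets 'high'; other locations get 'medium'.
            $sameDir = (Split-Path $dll -Parent) -eq (Split-Path $exe -Parent)
            $severity = if ($sameDir) { 'high' } else { 'medium' }
            $hits += [pscustomobject]@{
                Process  = $proc.ProcessName
                PID      = $proc.Id
                HostExe  = $exe
                Module   = $dll
                Status   = $status
                Severity = $severity
            }
        }
    }
    return $hits
}

# Part 2: hunt the file names the advisory lists and report where they sit.
function Find-AdvisoryArtifacts {
    param(
        [string[]] $Names = @('log.dll', 'BluetoothService.exe'),  # from the advisory
        [string[]] $Roots = @("$env:SystemDrive\"),                 # ASSUMPTION: scan the system drive
        [string[]] $ExpectedDirs = @()                              # ASSUMPTION: caller-supplied allowlist; empty = report everything as unexpected
    )
    $found = @()
    foreach ($root in $Roots) {
        $items = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $Names -contains $_.Name }
        foreach ($f in $items) {
            $inExpected = $false
            foreach ($e in $ExpectedDirs) {
                if ($f.FullName.StartsWith($e, [System.StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true }
            }
            $found += [pscustomobject]@{
                Path       = $f.FullName
                Unexpected = -not $inExpected
                Signature  = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
                SHA256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
    return $found
}

# Usage:
# Get-SideLoadCandidates | Sort-Object Severity, Process | Format-Table -AutoSize
# Find-AdvisoryArtifacts | Format-Table -AutoSize
```

Both functions return objects rather than printing, so the output can be exported (Export-Csv) or fed to a SIEM collector. The SHA256 column is there so an analyst can compare a hit against the indicators in the vendor reports; the page itself does not list hashes, so none are hard-coded here.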
References
Read the full report for CVE-2025-15556 on our website for more details including interactive diagrams and full exploit analysis.