A severe local privilege escalation vulnerability, tracked as CVE-2025-49144, was discovered in Notepad++ version 8.8.1, released on May 5, 2025. This flaw resides in the Notepad++ installer and allows unprivileged users to gain SYSTEM-level privileges on Windows systems through an uncontrolled executable search path, also known as binary planting.
Notepad++ is a widely used, free, open-source text and code editor for Windows. It supports multiple programming languages, offers features like syntax highlighting, multi-document editing, and is favored by developers for its speed and extensibility.
Technical Details
• Vulnerability Type: Uncontrolled EXE/DLL Search Path (Binary Planting)
• Affected Version: Notepad++ v8.8.1 installer
• Severity: High (CVSS v3.1 score 7.3)
• Impact: Local privilege escalation to NT AUTHORITY\SYSTEM
• Discovery Date: June 2025
The installer insecurely searches for executable dependencies, such as regsvr32.exe, in the current working directory without verifying their authenticity or location. An attacker can exploit this by placing a malicious executable with the same name in a directory where the user will run the installer (e.g., the Downloads folder). When the installer runs, it loads and executes the malicious executable with SYSTEM privileges, effectively giving the attacker full control of the system.
Exploitation Scenario
The attack scenario plays out as follows:
1. The attacker places a malicious executable (e.g., a fake regsvr32.exe) in a directory accessible to the victim.
2. The victim downloads and runs the Notepad++ v8.8.1 installer from that directory.
3. The installer executes the malicious executable with SYSTEM privileges.
4. The attacker gains full system control, enabling actions such as stealing data, installing persistent malware, or moving laterally within a network.
Response and Mitigation
Notepad++ quickly addressed this vulnerability by releasing version 8.8.2, which:
• Uses absolute paths for critical dependencies (e.g., referencing system directories explicitly rather than relying on the current directory).
• Implements secure temporary directories.
• Follows Microsoft’s secure library-loading guidelines to prevent binary planting attacks.
Users are strongly advised to update immediately to Notepad++ v8.8.2 or later and avoid running installers from untrusted or suspicious directories. Verifying installer integrity using SHA-256 checksums is also recommended to ensure authenticity.
This vulnerability is one of the most severe discovered in Notepad++ in recent years, surpassing previous medium-severity DLL hijacking issues. Its high impact stems from the SYSTEM-level privileges it grants upon exploitation. Proof-of-concept exploits and demonstration videos are publicly available, underscoring the urgency of patching.
