Search
On this page ▾
CVE-2025-15556 — Notepad++ Download of Code Without Integrity Check Vulnerability

CVE-2025-15556

Notepad++ WinGUp Updater — No Crypto Verification of Updates; Hosting Provider Compromise Enables Trojanized Installer Delivery
⚠️ CVSS 3.1  7.5 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Notepad++ and WinGUp?

Notepad++ is one of the world's most widely used free text editors and code editors for Windows, with hundreds of millions of downloads. It ships with WinGUp (Windows Generic Updater) — an auto-update framework that checks for new Notepad++ versions and downloads installers. WinGUp downloads update metadata and installer binaries from Notepad++'s distribution infrastructure and executes them with the user's privileges.

The critical security assumption in any auto-updater is that downloaded content comes from an authentic source and has not been tampered with. Without cryptographic verification, a compromised distribution server or a network-level attacker can deliver malicious payloads indistinguishable from legitimate updates.

Overview

CVE-2025-15556 is a download-of-code-without-integrity-check vulnerability (CWE-494) in Notepad++'s WinGUp automatic updater. WinGUp downloaded and executed update packages without verifying their cryptographic signatures — meaning any attacker who could intercept or replace the download (via a compromised distribution server, DNS hijacking, or MitM attack) could deliver a trojanized installer executed silently with user privileges.

A compromise of Notepad++'s former hosting provider infrastructure in late 2025 exploited this gap — users who received updates from the compromised infrastructure during the exposure window may have installed attacker-controlled software. Notepad++ 8.8.9 fixes WinGUp to perform cryptographic integrity verification before executing downloaded updates.

Affected Versions

Product Vulnerable Fixed
Notepad++ < 8.8.9 8.8.9

Technical Details

The vulnerability (CWE-494) is in WinGUp's update download flow. When Notepad++ checks for updates:

  1. WinGUp fetches update metadata from the Notepad++ distribution server
  2. WinGUp downloads the installer binary
  3. [Missing step before fix]: WinGUp executed the installer without verifying its cryptographic hash or digital signature against a trusted reference

Without hash or signature verification, any installer served from the distribution channel (whether legitimate or attacker-controlled) is executed blindly. This is a supply-chain trust failure: the update mechanism implicitly trusted the distribution server's integrity without verification.

The fix in 8.8.9 adds cryptographic verification of downloaded packages before execution, ensuring that even if the distribution server is compromised or the download is intercepted, an unmodified authentic installer can be distinguished from a malicious replacement.

Key characteristics:

  • High complexity (AC:H) — requires attacker control of the distribution channel
  • User interaction required (UI:R) — the user must accept or trigger the update
  • Impact is full RCE with user privileges — arbitrary malware can be installed silently

Discovery

VulnCheck identified the vulnerability and reported it to the Notepad++ team on February 2, 2026.

Exploitation Context

CISA added CVE-2025-15556 to the KEV catalog on February 12, 2026, indicating the hosting provider compromise was exploited to deliver malicious updates to Notepad++ users. The Notepad++ team's advisory describes a "security incident" involving their former hosting provider, and advises users to treat any Notepad++ installation downloaded between the compromise period as potentially compromised.

Remediation

  1. Upgrade to Notepad++ 8.8.9 immediately. The CISA deadline was March 5, 2026.
  2. If you updated Notepad++ between December 2025 and February 2026, treat the installation as potentially compromised: run a full malware scan, audit installed software, and consider reinstalling Notepad++ 8.8.9 from the official GitHub release page.
  3. Download 8.8.9 directly from GitHub releases (https://github.com/notepad-plus-plus/notepad-plus-plus/releases/tag/v8.8.9) rather than via the auto-updater, to ensure the authentic version.
  4. Verify the SHA256 hash of the downloaded installer against the value published on the GitHub release page before executing it.
  5. Disable auto-updates if your organization manages Notepad++ deployments centrally — push verified versions rather than allowing auto-update.

Key Details

PropertyValue
CVE ID CVE-2025-15556
Vendor / Product Notepad++ — Notepad++
NVD Published2026-02-03
NVD Last Modified2026-02-13
CVSS 3.1 Score7.5
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SeverityHIGH
CWE CWE-494 find similar ↗
CISA KEV Added2026-02-12
CISA KEV Deadline2026-03-05
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-03-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

DateEvent
2025-12-01Notepad++ hosting provider infrastructure compromised by attackers
2026-02-02VulnCheck discovers and reports the vulnerability to Notepad++ team
2026-02-03Notepad++ 8.8.9 released with WinGUp integrity verification fix; CVE published
2026-02-12Added to CISA Known Exploited Vulnerabilities catalog
2026-03-05CISA BOD 22-01 remediation deadline

References

ResourceType
Notepad++ — Clarification on Security Incident Vendor Advisory
Notepad++ Community — v8.8.9 Vulnerability Fix Vendor Advisory
NVD — CVE-2025-15556 Vulnerability Database
CISA KEV Catalog Entry US Government
Notepad++ 8.8.9 Release Vendor Advisory

Last updated: 2026-05-17

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML