🟢 CVE-2025-15556

Notepad++ WinGUp updater lacks cryptographic verification of updates, allowing man-in-the-middle attacks to deliver malicious installers. This is a client application vulnerability requiring user interaction (running the updater) and is not directly exploitable against internet-facing services.

← Back to Overview
LOW_RISK
Risk Level
7.7
CVSS Score
NETWORK
Attack Vector
Execution
ATT&CK Tactic
T1203 — Exploitation for Client Execution
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-02-03

Added to CISA KEV: 2026-02-12 9 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-02-13)

CVE-2025-15556 is a vulnerability affecting the WinGUp updater component of Notepad++ versions prior to 8.8.9 [2].

Here's what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability itself is within the Notepad++ updater, not directly an internet-facing application or service. However, exploitation relies on intercepting or redirecting update traffic, which can be facilitated by network-level attacks or DNS hijacking [1].
  • Evidence of Active Exploitation: Yes, CVE-2025-15556 has been actively exploited in the wild [1][3].
  • Attack Vectors and Exploitation Methods: An attacker can exploit this vulnerability by intercepting or redirecting the update traffic for Notepad++. This allows them to trick the updater into downloading and executing an attacker-controlled installer instead of a legitimate update. This is achieved through a man-in-the-middle attack [1].
  • Targeted Attacks: While the provided information confirms active exploitation, it does not specify whether these attacks have been used in targeted campaigns against specific organizations.
  • CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2025-15556 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog [3][4]. This indicates that CISA has evidence of active exploitation and poses a significant risk.
  • Technical Details about Internet Exploitability: The core technical detail is the lack of cryptographic verification for downloaded update metadata and installers [2]. This allows an attacker to substitute a malicious installer. When a user runs the WinGUp updater, the malicious installer is executed with the privileges of the user running Notepad++, leading to arbitrary code execution [1][2].

Sources

  1. CVE-2025-15556 - Exploits & Severity - Feedly

    CVEs. CVE-2025-15556. Proof of exploitExploited in the wild.This allows an attacker able to intercept or redirect update traffic to cause the updater to download and execute an attacker-controlled installer. Impact. An attacker positioned to intercept or redirect update traffic (such as through netw…

  2. CVE-2025-15556 Detail - NVD

    CVE-2025-15556 Detail.Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the up…

  3. Notepad++ Code Execution Flaw Exploited in the Wild, CISA Issues Alert

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the widely used Notepad++ text editor to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-15556, this flaw in the WinGUp updater component enables attackers to execute arbitra…

  4. CISA Adds One Known Exploited Vulnerability to Catalog

    This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed