Notepad++ WinGUp updater lacks cryptographic verification of updates, allowing man-in-the-middle attacks to deliver malicious installers. This is a client application vulnerability requiring user interaction (running the updater) and is not directly exploitable against internet-facing services.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: USER_INTERACTION
CVE Published: 2026-02-03
Added to CISA KEV: 2026-02-12 (9 days between CVE and KEV)
CVEs: CVE-2025-15556
Proof of exploit: Exploited in the wild
This allows an attacker able to intercept or redirect update traffic to cause the updater to download and execute an attacker-controlled installer.
Impact: An attacker positioned to intercept or redirect update traffic (such as through network-level attacks or DNS hijacking) can conduct a man-in-the-middle attack. When users run the WinGUp updater, the attacker can inject a malicious installer that will be executed with the privileges of the user running Notepad++. This results in arbitrary code execution on the affected system.
CVE-2025-15556 Detail. Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
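The control this entry describes as missing, shown as an added example (not Notepad++ or WinGUp code, and not a description of how 8.8.9 addresses the issue): a hypothetical updater checks an Ed25519 signature over the update manifest against a pinned publisher key, then checks the installer's SHA-256 against the digest in that signed manifest. The manifest format, key pair, URLs, version string and function names are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update-metadata format, not WinGUp's own.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer
}

// VerifyUpdate accepts an installer only if the manifest is signed by the pinned
// key AND the installer hashes to the digest inside that signed manifest.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	got := sha256.Sum256(installer)
	if hex.EncodeToString(got[:]) != strings.ToLower(m.SHA256) {
		return nil, errors.New("installer digest mismatch")
	}
	return &m, nil
}

// Demo: genuine update, installer swapped in transit, manifest rewritten in transit.
func Demo() (genuine, swapped, forged error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	manifest, _ := json.Marshal(Manifest{"9.9.9", "https://updates.example.invalid/setup.exe", hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, manifest)
	_, genuine = VerifyUpdate(pub, manifest, sig, installer)
	_, swapped = VerifyUpdate(pub, manifest, sig, []byte("substituted bytes"))
	_, forged = VerifyUpdate(pub, []byte(strings.Replace(string(manifest), "updates", "other", 1)), sig, installer)
	return
}

func main() { fmt.Println(Demo()) }
```

Both tampered cases are rejected before anything would be executed, regardless of whether the transport was intercepted or redirected.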
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the widely used Notepad++ text editor to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-15556, this flaw in the WinGUp updater component enables attackers to execute arbitrary code by intercepting update traffic without integrity checks. Developers, system ...
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.