Cyber Posture

CVE-2025-15556

HighCISA KEVActive ExploitationPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
13 February 2026
KEV Added
12 February 2026
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0609 90.8th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to…

more

download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Mitigating Controls (NIST 800-53 r5)AI

SI-7 Software, Firmware, and Information Integrity good match
preventdetect

Requires integrity monitoring and verification of software and firmware to prevent installation and detect unauthorized changes in tampered update metadata and installers.

CM-14 Signed Components good match
prevent

Mandates the use of cryptographically signed software components, directly enforcing verification missing in the WinGUp updater.

SR-11 Component Authenticity good match
prevent

Enforces verification of component authenticity prior to use, mitigating risks from attacker-intercepted or redirected update installers.

Security SummaryAI

CVE-2025-15556 is an update integrity verification vulnerability affecting Notepad++ versions prior to 8.8.9 when using the WinGUp updater. The flaw, classified under CWE-494 (Download of Code Without Integrity Check), arises because downloaded update metadata and installers lack cryptographic verification. This was published on 2026-02-03 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker capable of intercepting or redirecting network traffic to the update servers can exploit this during an update check. A victim user must trigger the updater and approve the process (user interaction required), at which point the updater downloads and executes a malicious installer controlled by the attacker. This leads to arbitrary code execution with the privileges of the logged-in user.

Notepad++ advisories and patches recommend updating to version 8.8.9, which addresses the issue through commits in the Notepad++ and WinGUp repositories adding cryptographic verification for updates. Vendor announcements detail the fix and provide incident information related to a hijacked update event.

Vulncheck and community discussions confirm the vulnerability's resolution in the patched release, emphasizing the importance of verifying update integrity in auto-updaters.

Details

CWE(s)
CWE-494
KEV Date Added
12 February 2026

Affected Products

notepad-plus-plus
notepad\+\+
≤ 8.8.9

MITRE ATT&CK Enterprise TechniquesAI

T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
attack.mitre.org →
Why these techniques?

The vulnerability allows interception and substitution of update metadata/installers without integrity checks, enabling compromise of the software supply chain to deliver and execute malicious code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References