A recently disclosed Notepad++ vulnerability (CVE-2025-15556) lets an attacker who can tamper with update traffic execute arbitrary code, because the built-in updater does not verify the integrity of the update metadata and installer it downloads.
Severity: High (CVSS 7.7)
Description: Notepad++ is a free and open-source source code editor. Versions prior to 8.8.9 ship a WinGUp updater that does not cryptographically verify the update metadata it fetches or the installer files it downloads; it trusts whatever the update channel returns. An attacker who can intercept or redirect that traffic can therefore supply a malicious installer, which the updater downloads and runs. The result is arbitrary code execution with the privileges of the user running Notepad++, which can lead to compromise of the host. Separately, an attacker could use social engineering or clickjacking to trick a user into downloading the legitimate installer and a malicious executable into the same directory.
Affected Versions: All versions prior to 8.8.9.
Impact: Successful exploitation allows the attacker to execute arbitrary code and potentially compromise the affected system. Exploiting the updater path requires a position on the network between the client and the update server, or control over DNS or a proxy the client uses.
Resolution: Update to version 8.8.9 or later. Obtain the installer directly from the official Notepad++ site over HTTPS rather than through an in-app update prompt received on an untrusted network, and check the installer's publisher signature before running it.
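The check that the advisory says was missing is easiest to see in code. The following Go program is an added example and is not WinGUp's or Notepad++'s code; it models an updater that fetches an XML manifest and an installer (both constructed inline here) and accepts them only if the manifest carries a valid Ed25519 signature from a key pinned in the client and the installer's SHA-256 matches the manifest. The manifest field names, the URL and the key generated at runtime are assumptions for the demo; a real client would compile the publisher's public key into the binary and never hold the private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest models update metadata: version, installer URL and installer SHA-256.
// The element names are assumptions for this example, not WinGUp's format.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"installer"`
	SHA256  string   `xml:"sha256"`
}

// Updater holds the one thing the network cannot forge: a public key pinned
// in the client at build time.
type Updater struct {
	PinnedKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("installer hash does not match manifest")
)

// Verify returns the parsed manifest only if the manifest signature checks
// out against the pinned key and the installer hashes to the value the
// signed manifest names. Either check failing means the download path was
// tampered with and the installer must not run.
func (u Updater) Verify(manifestXML, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(u.PinnedKey, manifestXML, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest carries a malformed sha256")
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// unverifiedAccept models the failure mode the advisory describes: the
// manifest is parsed and the installer accepted on the strength of the
// transport alone, so whoever controls the update traffic controls the binary.
func unverifiedAccept(manifestXML, installer []byte) (*Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	return &m, nil // nothing ties installer to a trusted publisher
}

// signManifest is the release pipeline's side: it hashes the installer,
// builds the manifest and signs it with the private key that never ships.
func signManifest(priv ed25519.PrivateKey, version string, installer []byte) ([]byte, []byte) {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])}
	out, _ := xml.Marshal(m)
	return out, ed25519.Sign(priv, out)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // demo only; clients pin the public key
	u := Updater{PinnedKey: pub}
	installer := []byte("constructed legitimate installer bytes")
	manifest, sig := signManifest(priv, "8.8.9", installer)

	_, err := u.Verify(manifest, sig, installer)
	fmt.Println("legitimate update:", err)

	_, err = u.Verify(manifest, sig, []byte("installer swapped on the wire"))
	fmt.Println("swapped installer:", err)

	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	forged, forgedSig := signManifest(attackerPriv, "9.9.9", []byte("malicious"))
	_, err = u.Verify(forged, forgedSig, []byte("malicious"))
	fmt.Println("forged manifest:", err)
}
```

The two tampering cases map to the two halves of the advisory text: swapping only the installer trips the hash check, and swapping the manifest so that it names the attacker's hash trips the signature check, because the attacker cannot sign for the pinned key. TLS alone does not give this guarantee, since anyone who can redirect the client to a server they control, or who holds a certificate the client accepts, sits inside the transport. A production updater would also reject manifests whose version is not newer than the installed one and verify the installer's Authenticode signature before executing it.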