Privilege Escalation Vulnerability in Notepad++

Published On: July 1, 2025

 


Indian Computer Emergency Response Team (https://www.cert-in.org.in)

 

Severity Rating: HIGH

 

Software Affected

 

Notepad++ version 8.8.1 and prior

Overview

 

A vulnerability has been reported in Notepad++, which could be exploited by an attacker to gain system-level privileges on the targeted system.

 

Target Audience:

All organizations and individuals using Notepad++

 

Impact Assessment:

Potential for unauthorized access

 

Risk Assessment:

High risk of system compromise

 

Description

 

The vulnerability exists in Notepad++ due to insecure, uncontrolled executable search path behaviour during installation. An attacker could exploit this vulnerability by persuading a victim (through social engineering or clickjacking) to download both the legitimate installer and a malicious executable to the same directory.

 

Successful exploitation of this vulnerability could allow an attacker to gain system-level privileges on the targeted system.
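A pre-installation check for the condition described above, given as an added example that is not part of the CERT-In advisory or of Notepad++: it lists executables sitting beside a downloaded installer whose names collide with Windows system binaries. The advisory does not name the executable involved, so the name-collision heuristic, the `npp.` installer file-name prefix and the default directories are assumptions.

```python
import os
import sys
from pathlib import Path

# Extensions Windows will run when a program is started by bare name.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}


def executable_names(directory):
    """Map lower-cased file name -> Path for executable files directly in directory."""
    found = {}
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix.lower() in EXEC_EXTS:
            found[entry.name.lower()] = entry
    return found


def find_shadowing_files(download_dir, system_dir):
    """Return files in download_dir whose name collides with a binary in system_dir.

    Windows file names are case-insensitive, so names are compared lower-cased.
    """
    system_names = executable_names(system_dir)
    local = executable_names(download_dir)
    return sorted(path for name, path in local.items() if name in system_names)


def installers_at_risk(download_dir, system_dir, installer_prefix="npp."):
    """Pair each installer found in download_dir with the colliding files beside it.

    installer_prefix is an assumed naming pattern, not taken from the advisory.
    """
    shadows = find_shadowing_files(download_dir, system_dir)
    installers = sorted(
        p for p in executable_names(download_dir).values()
        if p.name.lower().startswith(installer_prefix) and p not in shadows
    )
    return {inst: shadows for inst in installers} if shadows else {}


if __name__ == "__main__":
    downloads = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Downloads"
    system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    for installer, shadows in installers_at_risk(downloads, system32).items():
        print(f"{installer.name}: do not run until these files are reviewed:")
        for s in shadows:
            print(f"  {s}")
```

Any file it reports should be removed or investigated before the installer is launched; running installers from a fresh, empty directory avoids the condition altogether.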

 

Solution

 

Apply appropriate fixes mentioned by:

 

GitHub

https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24

GBHackers

https://gbhackers.com/notepad-vulnerability/

 

 

Vendor Information

 

Notepad++

https://notepad-plus-plus.org/

 

References

 

GitHub

https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24

 

GBHackers

https://gbhackers.com/notepad-vulnerability/

 

CVE Name

CVE-2025-49144

 

 


Thanks and Regards,

CERT-In

 

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: 1800-11-4949

FAX: 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

 

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003


 
