Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM	Notepad++
Severity	High
CVSS Score	7.3
CVEs	CVE-2025-49144
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​Privilege Escalation Vulnerability	CVE-2025-49144	Notepad++	High	v8.8.2

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-49144	Notepad++ v8.8.1 and prior.	The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.	SYSTEM privilege escalation and full machine control

Proof of Concept (PoC): 

• Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 

• Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 

• Evidence: 

• Process Monitor logs confirm that the installer is searching for executables in the local directory. 

• A video demonstration confirms successful SYSTEM-level access via reverse shell. 

• Public PoC materials are hosted and shared, confirming reproducibility 

Remediation: 

• Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

• Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 

• Best Practice: Adopt Microsoft’s secure library and binary loading practices. 

• Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References: 

• https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24 

• https://cybersecuritynews.com/notepad-vulnerability/