High-Severity Vulnerability Discovered in Notepad++ Installer

A high-severity vulnerability (CVE-2025-49144) in the Notepad++ installer has been identified. Because the installer resolves executables through an insecure search path, an unprivileged user can gain SYSTEM-level privileges. The flaw has raised concern among users and security experts, although there is currently no evidence that it is being actively exploited.

Security researchers Shashi Raj, Yatharth Tyagi, and Kunal Choudhary reported the vulnerability, which affects Notepad++ versions up to and including v8.8.1. Raj explained that the weakness was identified while researching DLL hijacking for privilege escalation on Windows. The attack depends on the victim running the installer from a directory the attacker can also write to: through social engineering or clickjacking, the user is tricked into placing both the legitimate installer and a malicious executable in the same folder, typically Downloads, which is user-writable and is where browsers save files by default.

When the vulnerable installer is then launched, it resolves an executable by name, searches its own directory before the Windows system directories, finds the attacker's file first, and runs it with SYSTEM privileges. Although a commit addressing the flaw has already been made, a stable release containing the fix is still pending. Notepad++ developer Don Ho noted that the delay in releasing version 8.8.2 was due to issues with the code signing certificate, but assured users that it would become available within a week.
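The resolution problem described above, as an added example (not code from this page or from the Notepad++ project): a Python model of the CreateProcess search order over a constructed directory layout, showing the unqualified call beside its fully qualified fix, plus a pre-install check for executables planted beside an installer. The binary name regsvr32.exe, the helper names, and the file contents are assumptions chosen for the demo; the page does not say which executable the installer resolves.

```python
"""Why an elevated installer launched from Downloads can run a planted binary.

Added example, not the Notepad++ installer. The layout is built in a temporary
directory; the binary name regsvr32.exe and all file contents are constructed
for the demo.
"""
import tempfile
from pathlib import Path

# Extensions a planted file could carry (PATHEXT-style subset; assumption).
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".dll"}


def create_process_search_order(app_dir, cwd, system_dir, windows_dir, path_dirs):
    """Directories CreateProcess consults, in order, for an unqualified name
    (per Microsoft's CreateProcess documentation): the application's own
    directory, the parent's current directory, System32, the Windows
    directory, then PATH. An installer run from Downloads has Downloads first."""
    return [app_dir, cwd, system_dir, windows_dir, *path_dirs]


def resolve_unqualified(name, search_dirs):
    """Vulnerable form: first existing file called `name` along the search order."""
    for d in search_dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def resolve_fully_qualified(name, system_dir):
    """Hardened form: no search at all; the system binary is named by absolute path."""
    candidate = Path(system_dir) / name
    return candidate if candidate.is_file() else None


def planted_binaries(installer_path, system_dir):
    """Pre-install check: executables sitting beside the installer, flagged
    with whether their name shadows a binary in the system directory.
    Any hit means the folder is unsafe to launch an elevated installer from."""
    installer = Path(installer_path)
    system_names = {p.name.lower() for p in Path(system_dir).iterdir()}
    hits = []
    for p in installer.parent.iterdir():
        if p == installer or not p.is_file():
            continue
        if p.suffix.lower() in EXEC_SUFFIXES:
            hits.append((p.name, p.name.lower() in system_names))
    return sorted(hits)


def build_demo_layout(root):
    """Constructed layout: installer and planted file in Downloads, genuine
    binary in System32."""
    root = Path(root)
    downloads = root / "Users" / "victim" / "Downloads"
    system32 = root / "Windows" / "System32"
    windows = root / "Windows"
    for d in (downloads, system32):
        d.mkdir(parents=True)
    (downloads / "installer.exe").write_bytes(b"MZ installer stand-in")    # constructed
    (downloads / "regsvr32.exe").write_bytes(b"MZ attacker payload")      # planted, constructed
    (system32 / "regsvr32.exe").write_bytes(b"MZ genuine system binary")  # constructed
    return downloads, system32, windows


def demo():
    """Run both resolution strategies and the pre-install check on the layout."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads, system32, windows = build_demo_layout(tmp)
        order = create_process_search_order(downloads, downloads, system32, windows, [])
        vuln = resolve_unqualified("regsvr32.exe", order)
        safe = resolve_fully_qualified("regsvr32.exe", system32)
        hits = planted_binaries(downloads / "installer.exe", system32)
        return {
            "unqualified_resolves_to": vuln.read_bytes(),  # attacker's copy wins
            "qualified_resolves_to": safe.read_bytes(),    # genuine binary
            "planted": hits,                               # [("regsvr32.exe", True)]
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unqualified lookup returns the attacker's file because the installer's own directory is consulted before System32; the fix is to build the absolute path from the system directory and never search. The pre-install check is the user-side counterpart: an installer should be launched only from a folder that contains nothing else executable.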

In the meantime, users are strongly advised to upgrade to version 8.8.2 as soon as it is released. Until then, because the attack depends on a malicious executable sitting in the same folder as the installer, the installer should be moved into a freshly created, empty directory and run from there rather than from a shared folder such as Downloads. Prospective users should also download the software exclusively from the official Notepad++ site and verify the installer's authenticity, via its digital signature or published checksum, before running it. Now that the details are public, malware developers could leverage this vulnerability, which underlines the importance of remaining vigilant against emerging threats.