CVE-2025-15556

HIGH KEV

Notepad++ < 8.8.9 - Download of Code Without Integrity Check in WinGUp Updater


Exploitation Summary

CVE-2025-15556 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 12, 2026. EIP tracks 3 public exploits from researchers including XiaomingX, George0Papasotiriou, and renat0z3r0.


Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-15556

The repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header for injection
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 1 star
by George0Papasotiriou · poc
https://github.com/George0Papasotiriou/CVE-2025-15556-Notepad-WinGUp-Updater-RCE

This PoC demonstrates a man-in-the-middle attack against Notepad++'s WinGUp updater by serving a malicious update.xml file that bypasses integrity checks, leading to arbitrary code execution. The exploit includes a Python-based MITM proxy and a DNS spoofing simulation script.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Notepad++ versions prior to 8.8.9 with WinGUp updater
No auth needed
Prerequisites: Network position to intercept/modify update traffic · Victim initiates an update check
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by renat0z3r0 · poc
https://github.com/renat0z3r0/notepadpp-supply-chain-iocs

This repository is a comprehensive writeup and IoC collection for CVE-2025-15556, detailing a supply chain attack on Notepad++ via its WinGUp updater. It includes infection chains, detection methods, and threat hunting queries but does not contain exploit code.

Classification: Writeup (90%)
Attack Type: Other
Complexity: N/A
Reliability: N/A
Target: Notepad++ (pre-v8.8.9)
No auth needed
Prerequisites: N/A
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0912
EPSS Percentile: 92.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2026-02-12
VulnCheck KEV: 2026-02-02
ENISA EUVD: EUVD-2025-206661
CWE: CWE-494
Status: published
Products (1): notepad-plus-plus/notepad++ < 8.8.9
Published: Feb 03, 2026
KEV Added: Feb 12, 2026
Tracked Since: Feb 18, 2026