CVE-2025-56383

HIGH

Notepad++ 8.8.3 - DLL Hijacking via Uncontrolled Search Path

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-56383. PoCs published by zer0t0.

AI-analyzed exploit summary This PoC demonstrates a DLL hijacking vulnerability in Notepad++ v8.8.3 by replacing a legitimate DLL (NppExport.dll) with a malicious one that forwards exports to the original DLL while executing arbitrary code (e.g., a MessageBox).

Description

Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when a user installs the product into a directory tree that allows write access by arbitrary unprivileged users.

Exploits (1)

nomisec WORKING POC 55 stars
by zer0t0 · poc
https://github.com/zer0t0/CVE-2025-56383-Proof-of-Concept

This PoC demonstrates a DLL hijacking vulnerability in Notepad++ v8.8.3 by replacing a legitimate DLL (NppExport.dll) with a malicious one that forwards exports to the original DLL while executing arbitrary code (e.g., a MessageBox).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Notepad++ v8.8.3
No auth needed
Prerequisites: Access to the target system's file system to replace the DLL · Notepad++ v8.8.3 installed
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.4
EPSS 0.0023
EPSS Percentile 14.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-427
Status published
Published Sep 26, 2025
Tracked Since Feb 18, 2026