CVE-2025-15556
Published: 03 February 2026
Summary
CVE-2025-15556 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Notepad-Plus-Plus Notepad\+\+. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked in the top 9.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires integrity monitoring and verification of software and firmware to prevent installation and detect unauthorized changes in tampered update metadata and installers.
Mandates the use of cryptographically signed software components, directly enforcing verification missing in the WinGUp updater.
Enforces verification of component authenticity prior to use, mitigating risks from attacker-intercepted or redirected update installers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows interception and substitution of update metadata/installers without integrity checks, enabling compromise of the software supply chain to deliver and execute malicious code.
NVD Description
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to…
more
download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Deeper analysisAI
CVE-2025-15556 is an update integrity verification vulnerability affecting Notepad++ versions prior to 8.8.9 when using the WinGUp updater. The flaw, classified under CWE-494 (Download of Code Without Integrity Check), arises because downloaded update metadata and installers lack cryptographic verification. This was published on 2026-02-03 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker capable of intercepting or redirecting network traffic to the update servers can exploit this during an update check. A victim user must trigger the updater and approve the process (user interaction required), at which point the updater downloads and executes a malicious installer controlled by the attacker. This leads to arbitrary code execution with the privileges of the logged-in user.
Notepad++ advisories and patches recommend updating to version 8.8.9, which addresses the issue through commits in the Notepad++ and WinGUp repositories adding cryptographic verification for updates. Vendor announcements detail the fix and provide incident information related to a hijacked update event.
Vulncheck and community discussions confirm the vulnerability's resolution in the patched release, emphasizing the importance of verifying update integrity in auto-updaters.
Details
- CWE(s)
- KEV Date Added
- 12 February 2026