Cyber Resilience

CVE-2025-15556

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 03 February 2026
Modified: 13 February 2026
KEV Added: 12 February 2026
Patch
CVSS Score v4: 7.7 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0127 (66.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2025-15556 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Notepad-Plus-Plus Notepad++. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 34.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-15556 is an update integrity verification vulnerability affecting Notepad++ versions prior to 8.8.9 when using the WinGUp updater. The flaw, classified under CWE-494 (Download of Code Without Integrity Check), arises because downloaded update metadata and installers lack cryptographic verification. This was published on 2026-02-03 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker capable of intercepting or redirecting network traffic to the update servers can exploit this during an update check. A victim user must trigger the updater and approve the process (user interaction required), at which point the updater downloads and executes a malicious installer controlled by the attacker. This leads to arbitrary code execution with the privileges of the logged-in user.

Notepad++ advisories and patches recommend updating to version 8.8.9, which addresses the issue through commits in the Notepad++ and WinGUp repositories adding cryptographic verification for updates. Vendor announcements detail the fix and provide incident information related to a hijacked update event.

Vulncheck and community discussions confirm the vulnerability's resolution in the patched release, emphasizing the importance of verifying update integrity in auto-updaters.

Vulnerability details

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

CWE(s): CWE-494
KEV Date Added: 12 February 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The vulnerability allows interception and substitution of update metadata/installers without integrity checks, enabling compromise of the software supply chain to deliver and execute malicious code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25926: Same product (Notepad-Plus-Plus Notepad++)
CVE-2026-3502: Shared CWE-494, both on KEV
CVE-2026-9089: Shared CWE-494
CVE-2026-27180: Shared CWE-494
CVE-2026-2999: Shared CWE-494
CVE-2025-69263: Shared CWE-494
CVE-2026-3000: Shared CWE-494
CVE-2025-1058: Shared CWE-494
CVE-2026-40066: Shared CWE-494
CVE-2025-56513: Shared CWE-494

Affected Assets

notepad-plus-plus
notepad++
≤ 8.8.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · detect

Requires integrity monitoring and verification of software and firmware to prevent installation and detect unauthorized changes in tampered update metadata and installers.

prevent

Mandates the use of cryptographically signed software components, directly enforcing verification missing in the WinGUp updater.

prevent

Enforces verification of component authenticity prior to use, mitigating risks from attacker-intercepted or redirected update installers.
