Notepad++ Vulnerability Lets Attackers Take Full System Control; PoC Released

A vulnerability in Notepad++ could let attackers gain SYSTEM-level privileges through a simple local exploit.

Critical installer bug leaves systems exposed

A newly identified vulnerability in version 8.8.1 of Notepad++ , the popular text and source code editor, has sparked concern among security professionals.

The flaw, tracked as CVE-2025-49144, could let attackers seize full control of affected Windows systems, if left unpatched. It stems from a misconfigured executable search path in the application’s installer, which can be exploited to escalate privileges to SYSTEM level.

The issue revolves around binary planting, a form of attack where threat actors drop a malicious file in a location where a trusted application expects to find legitimate components.

In this case, the Notepad++ installer inadvertently prioritizes executables in its own working directory, enabling unauthorized code execution during installation.

Proof-of-Concept released

Security researchers have already published a working Proof-of-Concept (PoC) that includes logs and video evidence of the vulnerability’s exploitation, demonstrating how the installer searches the current directory for executables without validating their origin.

By placing a maliciously crafted file, like a spoofed regsvr32.exe, in the same folder as the installer, an attacker can hijack the installation process and execute code with elevated privileges.

Although the exploit requires either local access or social engineering, the low level of interaction needed raises concerns. A user simply launching the installer from their Downloads folder alongside a malicious payload could unknowingly compromise their entire system.

Widespread impact across user base

Notepad++ currently boasts a large, loyal global user base, particularly among developers and IT professionals. With over 1.6 million monthly visits to its official website and a significant share of the code editing market, the scale of potential exposure is substantial.

Corporate environments are particularly vulnerable, as threat actors can use compromised systems as entry points for broader network intrusions. Attackers may exploit the software’s trusted status to leverage such vulnerabilities in targeted attacks or advanced persistent threats.

Notepad++ response and mitigation

In response to the disclosure of the vulnerability, Notepad++ developers have released version 8.8.2, which addresses the flaw by strengthening executable loading practices and enforcing secure path resolution.

Users should prioritize updating to the latest version to avoid attacks leveraging this flaw. More so, running installers in isolated directories, using endpoint protection such as Bitdefender Ultimate Security, which can detect suspicious behavior, and implementing stricter application controls can further enhance your cyber resilience.