CVE-2025-49144: Privilege Escalation via Binary Planting in Notepad++ Installer

Published Date: June 24, 2025
Category: ShadowOpsIntel
Share:

CVE-2025-49144 is a high-severity local privilege escalation vulnerability found in the Notepad++ v8.8.1 installer. This vulnerability stems from uncontrolled executable search path behavior during installation, allowing a local attacker to gain SYSTEM-level privileges by placing malicious executables in the same directory as the installer.

Severity Level: High

Vulnerability Details

  • Type: Uncontrolled Search Path / Binary Planting
  • CWE IDs: CWE-427, CWE-272, CWE-276
  • CVSS Score: 7.3
  • Affected Versions: Notepad++ v8.8.1 installer and prior
  • Fixed Version: Notepad++ v8.8.2 installer
  • Impact: Local Privilege Escalation to NT AUTHORITY\SYSTEM

Root Cause

The Notepad++ v8.8.1 installer invokes system binaries like regsvr32 without specifying absolute paths. When executed from a directory such as Downloads, where users have write permissions, the installer can be tricked into side loading a malicious executable placed by an attacker, leading to binary planting.

Exploitation Of The Vulnerability

Steps to Exploit:

  1. Preparation: Attacker crafts a malicious executable named regsvr32.exe.
  2. Delivery: Use of social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable
  3. Placement: The malicious file is placed in the same directory as the Notepad++ installer (e.g., user’s Downloads folder).
  4. Trigger: The user runs the installer.
  5. Execution: Installer loads and runs the malicious executable with SYSTEM privileges.
  6. Outcome: Arbitrary code execution with full system-level access.

Tools Used

  • blghtd (networking binary for tasking and communication)
  • jvnlpe (watchdog for ensuring main binaries stay active)
  • cisz (initial setup tool for launching binaries)
  • libguic.so (injected library for process manipulation)
  • tcpdump, nbtscan, openLDAP (for sniffing traffic and managing network data)
  • dskz (process injection tool)
  • ldnet (GoLang-based reverse SSH client, UPX packed)

Recommendations

  1. Upgrade immediately to Notepad++ v8.8.2 or later, which corrects the use of unsafe path references.
  2. Apply AppLocker, Windows Defender Application Control (WDAC), or Software Restriction Policies (SRP) to:
    • Block execution of binaries from user-writeable directories.
    • Deny unauthorized binaries like regsvr32.exe from running in non-standard paths.
    • Implement digital signature verification of loaded executables.
    • Scan installer directories for unauthorized files (e.g., regsvr32.exe, dllhost.exe)

Source:

  • https://gbhackers.com/notepad-vulnerability/
  • https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49144

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert