CVE-2025-49144: Privilege Escalation via Binary Planting in Notepad++ Installer


CVE-2025-49144 is a high-severity local privilege escalation vulnerability found in the Notepad++ v8.8.1 installer. This vulnerability stems from uncontrolled executable search path behavior during installation, allowing a local attacker to gain SYSTEM-level privileges by placing malicious executables in the same directory as the installer.

Severity Level: High

Vulnerability Details

  • Type: Uncontrolled Search Path / Binary Planting
  • CWE IDs: CWE-427, CWE-272, CWE-276
  • CVSS Score: 7.3
  • Affected Versions: Notepad++ v8.8.1 installer and prior
  • Fixed Version: Notepad++ v8.8.2 installer
  • Impact: Local Privilege Escalation to NT AUTHORITY\SYSTEM

Root Cause

The Notepad++ v8.8.1 installer invokes system binaries such as regsvr32 by name rather than by absolute path, so the binary is resolved through the executable search path instead of being taken directly from the Windows system directory. When the installer is run from a directory where users have write permissions, such as Downloads, an attacker can place a same-named executable there and the installer will load and run it in place of the genuine system binary. This is the binary planting condition behind the vulnerability.

Exploitation Of The Vulnerability

Steps to Exploit:

  1. Preparation: Attacker crafts a malicious executable named regsvr32.exe.
  2. Delivery: Use of social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable.
  3. Placement: The malicious file is placed in the same directory as the Notepad++ installer (e.g., user’s Downloads folder).
  4. Trigger: The user runs the installer.
  5. Execution: Installer loads and runs the malicious executable with SYSTEM privileges.
  6. Outcome: Arbitrary code execution with full system-level access.

Tools Used

  • blghtd (networking binary for tasking and communication)
  • jvnlpe (watchdog for ensuring main binaries stay active)
  • cisz (initial setup tool for launching binaries)
  • libguic.so (injected library for process manipulation)
  • tcpdump, nbtscan, openLDAP (for sniffing traffic and managing network data)
  • dskz (process injection tool)
  • ldnet (GoLang-based reverse SSH client, UPX packed)

Recommendations

  1. Upgrade immediately to Notepad++ v8.8.2 or later, which corrects the use of unsafe path references.
  2. Apply AppLocker, Windows Defender Application Control (WDAC), or Software Restriction Policies (SRP) to:
    • Block execution of binaries from user-writable directories.
    • Deny unauthorized binaries such as regsvr32.exe from running from non-standard paths.
  3. Verify the digital signature of executables before they are loaded.
  4. Scan installer directories for unauthorized files (e.g., regsvr32.exe, dllhost.exe).
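The following PowerShell script is an added example for the last two recommendations; it is not part of the original advisory or of the Notepad++ project. It scans a user-writable directory (the current user's Downloads folder by default) for executables whose file names shadow well-known System32 binaries, checks each one's Authenticode signature, and compares its SHA-256 hash with the canonical copy in System32. The list of shadowed names (regsvr32.exe, dllhost.exe) is taken from the advisory; the `Test-ShadowBinary` function, the `$ScanPath` and `$ShadowNames` parameters, and the "Microsoft" signer check are assumptions made for this example.

```powershell
# Added example (not from the advisory): find executables in a user-writable
# directory that shadow System32 binaries, and flag the ones that are unsigned,
# not Microsoft-signed, or different from the canonical System32 copy.
param(
    # Assumed defaults; adjust to the directory installers are run from.
    [string]$ScanPath = (Join-Path $env:USERPROFILE 'Downloads'),
    # Names taken from the advisory's recommendations.
    [string[]]$ShadowNames = @('regsvr32.exe', 'dllhost.exe')
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Hypothetical helper: evaluate one file that carries a System32 binary's name.
function Test-ShadowBinary {
    param([System.IO.FileInfo]$File)

    $canonical = Join-Path $system32 $File.Name
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $matchesSystem = $false
    if (Test-Path -Path $canonical) {
        $fileHash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        $sysHash  = (Get-FileHash -Path $canonical     -Algorithm SHA256).Hash
        $matchesSystem = ($fileHash -eq $sysHash)
    }

    # A file with a system binary's name in a download directory is suspicious
    # unless it is validly signed by Microsoft and identical to the System32 copy.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')

    [pscustomobject]@{
        Path            = $File.FullName
        SignatureStatus = $sig.Status
        Signer          = $signer
        MatchesSystem32 = $matchesSystem
        Suspicious      = -not ($signedByMicrosoft -and $matchesSystem)
    }
}

$findings = foreach ($name in $ShadowNames) {
    Get-ChildItem -Path $ScanPath -Filter $name -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShadowBinary -File $_ }
}

if (-not $findings) {
    Write-Output "No files shadowing $($ShadowNames -join ', ') found under $ScanPath"
} else {
    # Review every hit before running an installer from this directory;
    # rows marked Suspicious = True should be quarantined and investigated.
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

Run the script before launching an installer from a download location, or schedule it against the directories your users habitually install from. Even a hit that is Microsoft-signed and identical to the System32 copy has no legitimate reason to sit next to an installer, so treat any row as worth a second look rather than relying only on the Suspicious flag.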

Source:

  • https://gbhackers.com/notepad-vulnerability/
  • https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49144
