Full Report
Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest. The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design that aims to make the update process "robust and effectively unexploitable." This includes verification
Analysis Summary
# Vulnerability: Notepad++ Update Mechanism Hijacking and Unsafe Search Path
## CVE Details
- **CVE ID:** CVE-2025-15556 (Update Hijack); CVE-2026-25926 (Unsafe Search Path)
- **CVSS Score:** 7.7 (High) for CVE-2025-15556; 7.3 (High) for CVE-2026-25926
- **CWE:** CWE-426: Untrusted Search Path (for CVE-2026-25926)
## Affected Systems
- **Products:** Notepad++ and its auto-updater component, WinGUp.
- **Versions:**
  - Versions prior to 8.8.9 (lacked installer signature verification).
  - Versions prior to 8.9.2 (vulnerable to XML hijacking and unsafe search path).
- **Configurations:** Systems utilizing the auto-update feature and environments where an attacker can control the process working directory.
## Vulnerability Description
There are two primary flaws addressed in this update:
1. **Update Mechanism Hijack (CVE-2025-15556):** A hosting provider breach allowed attackers to redirect update requests. The legacy mechanism lacked sufficient "double-lock" verification, meaning the application did not adequately verify the signature of the XML metadata returned by the update server, potentially allowing the delivery of poisoned updates.
2. **Unsafe Search Path (CVE-2026-25926):** WinGUp launched Windows Explorer without using an absolute executable path. If an attacker placed a malicious `explorer.exe` in the application's working directory, the system would execute the malicious file instead of the legitimate utility.
## Exploitation
- **Status:** **Exploited in the wild.** Attributed to "Lotus Panda" (China-nexus).
- **Complexity:** Medium (Requires hosting-level access or directory control).
- **Attack Vector:** Network (Update hijacking) / Local (Search path exploitation).
## Impact
- **Confidentiality:** High (Backdoor "Chrysalis" allows data theft).
- **Integrity:** High (Unauthorized software modification and arbitrary code execution).
- **Availability:** High (Potential for full system takeover).
## Remediation
### Patches
- **Notepad++ Version 8.9.2:** This version implements the "double-lock" design to verify both the XML update metadata and the installer signature. It also fixes the unsafe search path flaw.
### Workarounds
- Disable the auto-update feature and manually download installers from the official website.
- Verify the digital signature of the Notepad++ installer manually before execution.
## Detection
- **Indicators of Compromise:** Presence of the "Chrysalis" backdoor; unusual outbound traffic to non-standard domains during a Notepad++ update event.
- **Detection methods and tools:**
  - Monitor for `explorer.exe` being launched from unusual directories (anything other than `C:\Windows\`), in particular as a child of the WinGUp updater.
  - Review WinGUp logs for update requests or redirects to domains other than `notepad-plus-plus[.]org` or `github.com`.
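The two detection checks above, as an added example (not code from the advisory or from the Notepad++ project): one function flags an `explorer.exe` image that does not live in `C:\Windows`, the other flags update URLs whose host is not one of the expected domains. The process events and URLs are constructed samples, and the expected-host list is taken from the detection notes above.

```python
"""Detection helpers for the two Notepad++ indicators: explorer.exe launched
from outside C:\\Windows, and update traffic to an unexpected host.
All sample data below is constructed for illustration, not real telemetry."""
import ntpath
from urllib.parse import urlparse

# Hosts the update flow is expected to contact (from the detection notes).
EXPECTED_UPDATE_HOSTS = ("notepad-plus-plus.org", "github.com")
# Only location where the legitimate shell executable is expected.
LEGIT_EXPLORER_DIR = r"c:\windows"


def suspicious_explorer_launch(event: dict) -> bool:
    """True when the launched image is explorer.exe but is not in C:\\Windows.
    A bare 'explorer.exe' (no directory) is flagged too: that is the
    relative-path case the unsafe search path flaw is about."""
    directory, name = ntpath.split(event.get("Image", ""))
    if name.lower() != "explorer.exe":
        return False
    return ntpath.normpath(directory).lower() != LEGIT_EXPLORER_DIR


def unexpected_update_host(url: str) -> bool:
    """True when the request or redirect target is not on an expected host
    (exact match or a subdomain; a look-alike suffix such as
    github.com.example is rejected)."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == h or host.endswith("." + h) for h in EXPECTED_UPDATE_HOSTS)


# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\explorer.exe"},
    {"Image": "explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe"},
]
# Constructed URLs as they might appear in updater logs.
SAMPLE_UPDATE_URLS = [
    "https://notepad-plus-plus.org/update/check",
    "https://github.com/notepad-plus-plus/notepad-plus-plus/releases",
    "https://update-mirror.example/npp/check",
]


def scan(events, urls):
    """Return (finding_kind, detail) tuples for every event or URL that matches."""
    findings = [("explorer_outside_windows_dir", ev["Image"])
                for ev in events if suspicious_explorer_launch(ev)]
    findings += [("update_host_not_expected", u) for u in urls if unexpected_update_host(u)]
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_UPDATE_URLS):
        print(f"{kind}: {detail}")
```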
## References
- **Notepad++ Official Release:** hxxps://notepad-plus-plus[.]org/news/v892-released/
- **GitHub Advisory:** hxxps://github[.]com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-rjvm-fcxw-2jxq
- **Threat Research:** hxxps://thehackernews[.]com/2026/02/notepad-hosting-breach-attributed-to.html