How to fix CVE-2025-15556?

Within 24 hours: Notify all users to disable automatic updates in Notepad++ (Settings > Auto-Update > disable WinGUp) and restrict manual updates to official downloads only. Within 7 days: Upgrade all Notepad++ installations to version 8.8.9 or later via controlled deployment; coordinate with endpoint management to push updates organization-wide. Within 30 days: Verify 100% upgrade completion through asset inventory and endpoint scanning; audit logs for any suspicious update activity during the vulnerability window.

CVE-2025-15556

HIGH

2026-02-03 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Added to CISA KEV

Feb 13, 2026 - 14:03 cisa

CISA KEV

Patch Released

Feb 13, 2026 - 14:03 nvd

Patch available

CVE Published

Feb 03, 2026 - 01:15 nvd

HIGH 7.5

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Analysis

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

Technical Context

The WinGUp updater used by Notepad++ checks for updates and downloads installers over the network. Neither the update metadata (version check, download URL) nor the downloaded installer binary is cryptographically verified (no digital signature validation, no hash verification). An attacker in a network position to intercept or redirect HTTP/HTTPS traffic can serve a modified update manifest pointing to a malicious installer, or directly replace the installer binary during download.

Affected Products

['Notepad++ prior to version 8.8.9 (when using WinGUp updater)']

Remediation

Update Notepad++ to 8.8.9 or later immediately. Download updates only from the official Notepad++ website. Verify installer signatures before execution. Consider deploying Notepad++ updates through centralized software management rather than auto-update.

Priority Score

Low Medium High Critical

KEV: +50

EPSS: +4.3

CVSS: +38

POC: 0

CVE-2025-15556 vulnerability details – vuln.today

Back

CVE-2025-15556

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15556

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code