What is the CVSS score of CVE-2025-15556?

CVE-2025-15556 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 4.3%.

Is CVE-2025-15556 being actively exploited?

Yes, CVE-2025-15556 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-15556?

Within 24 hours: Notify all users to disable automatic updates in Notepad++ (Settings > Auto-Update > disable WinGUp) and restrict manual updates to official downloads only. Within 7 days: Upgrade all Notepad++ installations to version 8.8.9 or later via controlled deployment; coordinate with endpoint management to push updates organization-wide. Within 30 days: Verify 100% upgrade completion through asset inventory and endpoint scanning; audit logs for any suspicious update activity during the vulnerability window.

CVE-2025-15556

HIGH

Download of Code Without Integrity Check (CWE-494)

2026-02-03 disclosure@vulncheck.com

RCE

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Added to CISA KEV

Feb 13, 2026 - 14:03 cisa

CISA KEV

Patch released

Feb 13, 2026 - 14:03 nvd

Patch available

CVE Published

Feb 03, 2026 - 01:15 nvd

HIGH 7.5

DescriptionNVD

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

AnalysisAI

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

Technical ContextAI

The WinGUp updater used by Notepad++ checks for updates and downloads installers over the network. Neither the update metadata (version check, download URL) nor the downloaded installer binary is cryptographically verified (no digital signature validation, no hash verification). An attacker in a network position to intercept or redirect HTTP/HTTPS traffic can serve a modified update manifest pointing to a malicious installer, or directly replace the installer binary during download.

RemediationAI

Update Notepad++ to 8.8.9 or later immediately. Download updates only from the official Notepad++ website. Verify installer signatures before execution. Consider deploying Notepad++ updates through centralized software management rather than auto-update.

CVE-2025-15556 vulnerability details – vuln.today

Back

CVE-2025-15556

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code