SB20251210170 - Insecure update installation in Notepad++
Published: December 10, 2025 Updated: February 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper verification of cryptographic signature (CVE-ID: CVE-2025-15556)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the application does not verify certificate and signature of the downloaded update installer before installing an update. A remote attacker can perform MitM attack or place a malicious binary into the installation folder and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.
References
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://notepad-plus-plus.org/news/v889-released/