[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Thu Feb 12 14:37:11 PST 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability: CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability. Because of the public disclosure of a critical remote code execution vulnerability and the availability of vendor remediation guidance, we are providing this in-depth information.
History: Notepad++ disclosed CVE-2025-15556 on 02/03/2026, and it was publicly disclosed via vendor advisory and NVD publication. Currently the CVSS v4.x base score is 7.7 (High), which was provided by VulnCheck. A CVSSv3 score has not been announced by NIST as of the release of this notification.
Affected Versions
* Notepad++ versions prior to 8.8.9
Fixed Versions
* Notepad++ versions newer than 8.8.9
Vendor Advisory: https://notepad-plus-plus.org/news/clarification-security-incident/
Intelligence: On February 12, 2026, CISA listed the vulnerability in the Known Exploited Vulnerabilities Catalog.
Exploitability Level: Low Complexity, Network Exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Public technical details available
Zero Day: No
Workarounds: The following workarounds are available for this vulnerability:
* Restrict external access to the vulnerable service.
* Disable the WinGUp auto-updater by deleting or renaming GUP.exe in the Notepad++ installation directory.
* Block GUP.exe from making outbound network connections via firewall rules.
How it Works: The attack requires the adversary to position themselves to intercept or redirect network traffic between the victim's system and the update servers. This can be achieved through various techniques including DNS spoofing, ARP poisoning, compromised network infrastructure, or rogue Wi-Fi access points. Once in position, the attacker can serve a malicious installer that the WinGUp updater will download and execute without question. This weakness is classified as Download of Code Without Integrity Check (CWE-494).
Post-Exploit Impact: An attacker who is able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Indicators of Compromise (IoCs): In addition to the IoCs below for this vulnerability, IoCs can be found on the Rapid7 website: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Type | Value | Description / Notes
Log Artifact | Unexpected or malformed requests to vulnerable endpoint | Look for abnormal payload sizes, encoded input, or unusual HTTP parameters
Tenable Plugins: As of 02/12/2026, Tenable has provided the following plugin for this CVE:
Plugin ID | Plugin Title | Severity
297910 <https://www.tenable.com/plugins/nessus/297910> | Notepad++ < 8.8.9 Update Integrity Verification Vulnerability | Critical
Recommended Actions:
Date Added to KEV Catalog: 02/12/2026
Due Date for Remediation: 03/08/2026
* Download installers directly from the official website and verify their digital signatures.
* Apply vendor patches immediately to all affected systems
* Prioritize externally exposed assets and validate remediation through authenticated scanning
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
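A host check covering the affected-version test, the GUP.exe firewall workaround, and the installer signature check listed above. This is an added example, not part of the original notification or vendor guidance. The default install path, the rule display name, and the assumption that the file version resource of notepad++.exe carries the release number are all assumptions to confirm in your environment.

```powershell
# Added example: audit a host for the Notepad++ updater exposure described in this alert.
param(
    [string]$InstallDir = "$env:ProgramFiles\Notepad++",  # assumed default install path
    [string]$Installer,                                   # optional: downloaded installer to verify
    [switch]$BlockUpdater                                 # apply the firewall workaround (run elevated)
)
$fixed = [version]'8.8.9'   # the alert lists versions prior to 8.8.9 as affected

$exe = Join-Path $InstallDir 'notepad++.exe'
if (-not (Test-Path -LiteralPath $exe)) { Write-Output "Notepad++ not found in $InstallDir"; return }

# Assumption: the file version resource carries the release number (major.minor.build).
$vi = (Get-Item -LiteralPath $exe).VersionInfo
$installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
$affected = $installed -lt $fixed
Write-Output "Notepad++ $installed affected=$affected"

# Locate every copy of the WinGUp updater under the install directory.
$gups = @(Get-ChildItem -LiteralPath $InstallDir -Filter 'GUP.exe' -Recurse -File -ErrorAction SilentlyContinue)
foreach ($gup in $gups) {
    # Is there already an enabled outbound block rule for this exact binary path?
    $rules = @(Get-NetFirewallApplicationFilter -Program $gup.FullName -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })
    $blocked = $rules.Count -gt 0
    Write-Output "$($gup.FullName) outboundBlocked=$blocked"
    if ($BlockUpdater -and $affected -and -not $blocked) {
        New-NetFirewallRule -DisplayName 'Block Notepad++ GUP.exe outbound' -Direction Outbound `
            -Program $gup.FullName -Action Block | Out-Null
        Write-Output "Added outbound block rule for $($gup.FullName)"
    }
}
if ($gups.Count -eq 0) { Write-Output 'GUP.exe not present (updater removed or renamed)' }

# Check the Authenticode signature of a manually downloaded installer before running it.
if ($Installer) {
    $sig = Get-AuthenticodeSignature -LiteralPath $Installer
    Write-Output "Installer signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
    if ($sig.Status -ne 'Valid') { Write-Warning 'Do not run this installer: signature is not valid.' }
}
```

A `Valid` status only shows the file is intact and chains to a trusted root; compare the printed signer subject against the publisher named in the vendor advisory before installing.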
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378