A dangerous vulnerability has been discovered in the latest version of the popular text editor Notepad++ that allows an attacker to gain complete control over the system. The vulnerability has been identified as CVE-2025-49144 and affects version 8.8.1 of the installer, released on May 5, 2025. The issue is related to the “binary file replacement” technique, where the installer accesses executable files from the current working directory without proper verification.
Researchers have discovered that an attacker can place a malicious file, such as a modified regsvr32.exe, in the same folder as the installer. On startup, the installer automatically loads the malicious file with SYSTEM privileges, giving the attacker full access to the victim’s computer.
Researchers from Red Hot Cyber’s HackerHood group wanted to test the exploit in circulation and reproduced its operation in this video, made by Manuel Roccon.
The problem is particularly serious due to Notepad++’s large audience, which includes developers, IT professionals, and business users. As of June 2025, the editor’s website received over 1.6 million monthly visits, and the program itself occupied approximately 1.33% of the IDE and text editor market. This means that hundreds of thousands of installations worldwide remain potentially vulnerable.
Notepad++ has already encountered similar security issues. In particular, in 2023, the vulnerabilities CVE-2023-6401 and CVE-2023-47452 were identified and fixed, also related to DLL load hijacking and privilege escalation. The new incident confirms the growing trend of attacks through software supply chains and vulnerabilities in installers.
Notepad++ developers promptly released update 8.8.2, which fixes the vulnerability. The new version implements checking of absolute paths of dependent files and safe loading of libraries, in accordance with Microsoft recommendations. Users are strongly advised to update as soon as possible.
Security experts recommend running installers only from trusted directories, using modern protection systems against attacks, and carefully monitoring how programs are installed. It is also recommended to use whitelisting policies and advanced monitoring of the installation process.
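A pre-flight check for the advice about running installers only from trusted directories, added here as an example (not code from Notepad++ or from the researchers): it lists files sitting next to an installer whose names match executables in the Windows system directory, as a planted regsvr32.exe would. The function names, the installer file name and the sample folders are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute or load when referenced by bare name.
EXECUTABLE_EXTS = {".exe", ".dll", ".com"}


def shadowing_binaries(installer: Path, system_dir: Path) -> list[dict]:
    """Return files next to `installer` whose names shadow a file in `system_dir`."""
    system_names = {
        p.name.lower() for p in system_dir.iterdir()
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS
    }
    findings = []
    for p in sorted(installer.parent.iterdir()):
        if p == installer or not p.is_file():
            continue
        # Windows file names are case-insensitive, so compare lower-cased.
        if p.name.lower() in system_names:
            findings.append({
                "name": p.name,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            })
    return findings


def demo() -> list[str]:
    """Constructed sample: a download folder holding a planted regsvr32.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp, "System32")      # stand-in for %SystemRoot%\System32
        downloads = Path(tmp, "Downloads")
        system32.mkdir()
        downloads.mkdir()
        for name in ("regsvr32.exe", "cmd.exe"):
            (system32 / name).write_bytes(b"genuine")
        installer = downloads / "npp.Installer.exe"   # constructed file name
        installer.write_bytes(b"installer")
        (downloads / "RegSvr32.EXE").write_bytes(b"planted")  # case differs on purpose
        (downloads / "notes.txt").write_bytes(b"unrelated")
        return [f["name"] for f in shadowing_binaries(installer, system32)]


if __name__ == "__main__":
    # On a real host, pass the installer path and the actual System32 directory.
    sysdir = Path(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print(demo(), "| real system dir would be", sysdir)
```

Any hit means the installer should be moved to an empty, access-controlled folder before it is run, and the flagged file kept for triage using the reported hash.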
This case illustrates the importance of considering security issues when developing installers, especially for widely used software.
I began my career working in ICT research and implementation and application development. In order to add security aspects to these fields, a few years ago I added skills related to offensive security (OSCP), also dealing with security analysis and pentesting in many organizations.
Areas of Expertise: Ethical Hacking, Bug Hunting, Penetration Testing, Red Teaming, Security Research, Cybersecurity Communication