Notepad++ WinGUp updater download of code without integrity check
CVE-2025-15556 is an update integrity verification flaw in Notepad++ affecting versions prior to 8.8.9 when using the WinGUp updater. The updater downloads update metadata and installer packages without cryptographically verifying their integrity or authenticity. As a result, if an attacker can intercept, redirect, or otherwise tamper with update traffic, they can substitute attacker-controlled update content that WinGUp will accept and execute. The issue has been described as a supply-chain style weakness in the update mechanism rather than a memory corruption bug in the editor itself. Public reporting states the flaw was exploited in the wild in a campaign attributed to the China-nexus threat actor Lotus Blossom/Lotus Panda, which used the weakness to deliver malicious installers and payloads including Cobalt Strike Beacon and the Chrysalis backdoor.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a proof-of-concept for an update integrity verification bypass in Notepad++ (WinGUp updater) affecting versions prior to 8.8.9, where an attacker who can intercept or redirect update traffic can supply malicious update metadata that causes the updater to download and execute an attacker-controlled installer. Structure and purpose: - README.md: Describes the affected software (Notepad++ < 8.8.9 with WinGUp), the vulnerability (update metadata integrity verification bypass), and the threat model (MITM/redirect update traffic). Mentions two included approaches: a MITM proxy-like server (exploit.py) and an HTB-friendly DNS spoofing simulation (exploit.sh). - exploit.py: Implements a minimal HTTPS server bound to 0.0.0.0:443 using a local TLS cert (./server.pem). When a client requests a path containing "update.xml", it returns an XML manifest with a fake checksum and a download URL pointing to https://attacker.com/malicious_installer.exe. Any other path returns 404. This demonstrates how a malicious update manifest could be served to the updater. - exploit.sh: Demonstrates a lab/CTF-style redirection by appending an entry to /etc/hosts mapping notepad-update.org to 192.168.1.5, then starts a simple Python HTTP server on port 80 serving the /malicious_installer directory in the background. This simulates DNS poisoning/traffic redirection and hosting of the malicious installer. Exploit capabilities: - Network-based traffic redirection/MITM scenario: serve attacker-controlled update metadata (update.xml). - Indirect code execution: by causing the updater to fetch and run a malicious installer referenced in the manifest. Notes/limitations: - The PoC does not include a real malicious installer payload; it only demonstrates serving a manifest and (in the shell script) hosting a directory that would contain the installer. - The Python server is HTTPS on 443, while the shell script hosts content on HTTP 80; aligning with the real updater’s expected scheme/hostnames would be required for a working end-to-end exploit in a real environment.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
41 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in the WinGUp updater used by Notepad++ versions prior to 8.8.9 that fails to cryptographically verify downloaded update metadata and installers, enabling update-channel hijacking and malicious installer delivery.
A supply-chain enabling flaw described as missing/insufficient integrity verification in the Notepad++ WinGUp updater/update channel, enabling selective delivery of trojanized updates and installation of the Chrysalis backdoor.
A supply-chain/update mechanism hijack affecting Notepad++ update traffic, where attackers redirected certain users to malicious servers to deliver a poisoned update (used to deliver the Chrysalis backdoor).
A Notepad++ update integrity weakness where update metadata and installers were not cryptographically verified, enabling malicious updates in a supply-chain scenario (not the initial hosting compromise itself).
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.