CVE-2025-15556
CISA KEVPublished February 12, 2026 · Updated April 3, 2026
What This Means
# CVE-2025-15556: Notepad++ WinGUp Unsigned Update Delivery Notepad++ versions using the WinGUp updater download updates without verifying the installer's cryptographic signature, allowing attackers on the network path to inject malicious code during the update process. An attacker positioned to intercept update traffic (via DNS hijacking, ARP spoofing, or BGP hijacking) can serve a malicious installer that executes with the privileges of the user running Notepad++. **Response actions:** Disable automatic updates in Notepad++ settings immediately; download updates only from the official Notepad++ GitHub releases page and verify SHA-256 hashes; deploy network segmentation and monitor for unsigned executable downloads from unexpected sources; escalate to SOC for review of endpoint logs showing WinGUp activity.
Official Description+
Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.
Affected Products
| Vendor | Product |
|---|---|
| Notepad++ | Notepad++ |
Patch Status
Recommended Actions
- Check if your systems use any of the affected products listed above.
- Apply vendor patches immediately if available.
- This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2025-15556.