84 24 7300 7373 [email protected]
Log in
Contact us
Expert Sharing

Vulnerability in Notepad++ Turns Harmless Application into Hacker Tool

Date 27/11/2025

Share:

Notepad++ is known as a free, powerful source code editor and text editor for the Windows operating system. It is popular among programmers and technical users for its lightweight nature, fast speed, and support for multiple programming languages.

At the end of September 2025, this software encountered a dangerous DLL hijacking vulnerability identified as CVE‑2025‑56383 in version V8.8.3. Although the severity level is rated as CVSS 6.5, which is medium, its impact on the system should not be underestimated. This vulnerability allows an attacker to replace a “trusted” DLL (for example, NppExport.dll) with a malicious DLL of the same name, to execute illegal code when Notepad++ is launched.

1 1763440817

This vulnerability requires the attacker to have write permissions to the Notepad++ installation directory (or a way to place the malicious DLL in the search path).

  • Arbitrary code execution when Notepad++ is launched – meaning if the user runs Notepad++, the malicious code will also run.
  • Privilege escalation: if Notepad++ runs with higher privileges, the attacker can use this vulnerability to escalate privileges.
  • Install persistency: the attacker can keep the malicious code in the system through this method, each time the user opens Notepad++.
  • Wide impact: Notepad++ is a popular software used by programmers, system administrators, and regular users, leading to a broad attack surface.

For a DLL hijacking attack to succeed in practice, it usually requires:

  • Scenario 1: Write/overwrite permissions in the directory where Notepad++ loads DLLs (for example, the plugins\NppExport\ directory) or another way to place the DLL file in the process’s search path.
  • Scenario 2: The attacker already has a foothold (for example, a remote backdoor, or the user has installed malware) and uses this vulnerability to maintain persistence or escalate access.

First, we need to understand a bit about the principle of DLL hijacking. “DLL hijacking” is an attack technique where an application is designed to search for and load DLL libraries from paths in a specific order. If the search path includes a directory that an attacker can control or write to, they can place a malicious DLL with the same name before the official DLL, causing the program to load the malicious DLL instead of the legitimate one.

2 1763440848

As mentioned above, the attacker first probes the target and identifies the vulnerable version of Notepad++ as well as the target DLL (for example, NppExport.dll). When Notepad++ starts, it will search for and load NppExport.dll from the corresponding plugin directory. Here, the attacker will replace the NppExport.dll file with a malicious DLL and simultaneously forward functions to the original DLL so that the program continues to operate normally.

3 1763440876

To create a “replacement” DLL with the same export name as the original DLL, the attackers prepared a malicious file.

4 1763440875

There will be a core part in the operation of this malicious file:

  • #pragma comment(linker, "/EXPORT:...")
    • These lines instruct the linker to create exports in the new DLL. Here, export names such as beNotified, getFuncsArray, etc., are forwarded to the corresponding functions in original-NppExport. The main purpose of this section is to preserve the function names that the application (Notepad++ in this campaign) expects, while redirecting the calls to the “original” DLL so the application continues to operate normally. Conceptually, this is a proxy/forwarding technique used to hide the DLL replacement.

And after successfully replacing it, the attacker just needs to wait for the user to open the Notepad++ application. At that point, the system will automatically load the malicious DLL, and DllMain or the malicious export function will execute. This allows the attacker to execute code within the process context.

5 1763440873

In the end, as is known, the attacker will execute arbitrary code, achieve persistence (every time Notepad++ runs), have the ability to escalate privileges if the process runs with higher permissions, or deploy the next stage (payload).

  1. Update Software Patches

  2. Manage File and Folder Permissions

    • Limit write permissions to the application installation folder (only for administrator accounts, not regular users).
    • Use access control mechanisms (ACLs) to prevent unauthorized accounts from writing DLL files.

  3. Control and Verify Auxiliary Software (DLL, Plugins)

    • Only install plugins/DLLs from trusted sources and check digital signatures if available.
    • Do not allow plugins/DLLs to update automatically without verifying their legitimacy.

The vulnerability CVE‑2025‑56383 in Notepad++ is a typical example of how an “old” technique like DLL hijacking can still pose risks when software is not properly protected. Although exploiting it requires local file write permissions, the release of a PoC shows the real danger of the vulnerability, especially in enterprise environments or shared systems.

To protect the system, there needs to be coordination between developers and system administrators: quickly patching vulnerabilities, controlling file access permissions, monitoring DLL changes, and strengthening defense layers (antivirus, EDR, code inspection).

  1. DLL Hijacking Flaw (CVE-2025-56383) Found in Notepad++, Allowing Arbitrary Code Execution, PoC Available
  2. GitHub – zer0t0/CVE-2025-56383-Proof-of-Concept: CVE-2025-56383-Proof-of-Concept
    Exclusive article by FPT IS Technology Experts

    Luu Tuan Anh – FPT IS Cyber Security Center
Share:
Avatar

FPT IS

Related news

Building Transparent ESG Reports and Why it Matters

Expert Sharing - 6 November, 2025

Building Transparent ESG Reports and Why it Matters

Convergence of Automotive and Technology in Smart Transportation Industry

Expert Sharing - 28 June, 2024

Convergence of Automotive and Technology in Smart Transportation Industry

PassiveNeuron – a mysterious APT campaign targeting global industrial infrastructure

Expert Sharing - 25 December, 2025

PassiveNeuron – a mysterious APT campaign targeting global industrial infrastructure

Identify risks in IT projects

Expert Sharing - 16 July, 2024

Identify risks in IT projects

Ozone Layer Recovery: How it affects Vietnam

Expert Sharing - 29 October, 2025

Ozone Layer Recovery: How it affects Vietnam

A Guide for Company Decision Makers: Choosing Between ISO 14064 and ISO 14067

Expert Sharing - 17 June, 2024

A Guide for Company Decision Makers: Choosing Between ISO 14064 and ISO 14067

Vietnam: Common Categories of Carbon Credits

Expert Sharing - 9 October, 2025

Vietnam: Common Categories of Carbon Credits

Digital data warehouse: The heart of digital transformation

Expert Sharing - 25 June, 2024

Digital data warehouse: The heart of digital transformation

Digital Archiving – From demand to ArchiveNex solution

Expert Sharing - 24 May, 2024

Digital Archiving – From demand to ArchiveNex solution

Secure e-contracts: Identity is key

Expert Sharing - 16 October, 2024

Secure e-contracts: Identity is key

Img Contact

Sign up to receive the latest news from FPT IS

    Bot Avatar