{"id":23331,"date":"2025-11-27T08:00:54","date_gmt":"2025-11-27T01:00:54","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23331"},"modified":"2026-01-20T10:25:41","modified_gmt":"2026-01-20T03:25:41","slug":"vulnerability-in-notepad","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/vulnerability-in-notepad\/","title":{"rendered":"Vulnerability in Notepad++ Turns Harmless Application into Hacker Tool"},"content":{"rendered":"<h2 id=\"heading-introduction\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Introduction<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Notepad++ is known as a free, powerful\u00a0<strong>source code editor<\/strong>\u00a0and\u00a0<strong>text editor<\/strong>\u00a0for the\u00a0<strong>Windows<\/strong>\u00a0operating system. It is popular among programmers and technical users for its lightweight nature, fast speed, and support for multiple programming languages.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">At the end of September 2025, this software encountered a dangerous\u00a0<strong>DLL hijacking<\/strong>\u00a0vulnerability identified as\u00a0<strong>CVE\u20112025\u201156383 in version V8.8.3.<\/strong>\u00a0Although the severity level is rated as\u00a0<strong>CVSS 6.5<\/strong>, which is medium, its impact on the system should not be underestimated. 
This vulnerability allows an attacker to replace a &#8220;trusted&#8221; DLL (for example,\u00a0<code>NppExport.dll<\/code>) with a malicious DLL of the same name, so that arbitrary code executes when Notepad++ is launched.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/1-1763440817.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23332\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/1-1763440817.jpg\" alt=\"1 1763440817\" width=\"1280\" height=\"950\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/1-1763440817.jpg 1280w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/1-1763440817-700x520.jpg 700w\" sizes=\"(max-width: 1280px) 100vw, 1280px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This vulnerability requires the attacker to have write permissions to the Notepad++ installation directory (or a way to place the malicious DLL in the search path).<\/span><\/p>\n<h2 id=\"heading-main-impact\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Main Impact<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Arbitrary code execution<\/strong>\u00a0when Notepad++ is launched &#8211; meaning if the user runs Notepad++, the malicious code will also run.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Privilege escalation<\/strong>: if Notepad++ runs with higher privileges, the malicious DLL runs with those same privileges, so the attacker can use this vulnerability to escalate privileges.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Persistence<\/strong>: the attacker can keep the malicious code in the system through this method, since it runs each time the user opens 
Notepad++.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Wide impact<\/strong>: Notepad++ is popular software used by programmers, system administrators, and regular users, leading to a broad attack surface.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-exploitation-conditions\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Exploitation Conditions<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">For a\u00a0<strong>DLL hijacking<\/strong>\u00a0attack to succeed in practice, it usually requires one of the following:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Scenario 1: Write\/overwrite permissions<\/strong>\u00a0in the directory where Notepad++ loads DLLs (for example, the\u00a0<code>plugins\\NppExport\\<\/code>\u00a0directory) or another way to place the DLL file in the process&#8217;s search path.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Scenario 2:<\/strong>\u00a0The attacker already has a foothold (for example, a remote backdoor, or the user has installed malware) and uses this vulnerability to maintain persistence or escalate access.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-technical-analysis\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Technical Analysis<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">First, we need to understand a bit about the principle of\u00a0<strong>DLL hijacking.<\/strong>\u00a0<strong>&#8220;DLL hijacking&#8221;<\/strong>\u00a0is an attack technique that abuses the way an application searches for and loads DLL libraries from a set of paths in a specific order. 
If the search path includes a directory that an attacker can control or write to, they can place a malicious DLL with the same name in a location that is searched before the official DLL, causing the program to load the malicious DLL instead of the legitimate one.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1763440848.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23333\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1763440848.jpg\" alt=\"2 1763440848\" width=\"1024\" height=\"409\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1763440848.jpg 1024w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1763440848-700x280.jpg 700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">As mentioned above, the attacker first probes the target and identifies the vulnerable version of Notepad++ as well as the target DLL (for example,\u00a0<code>NppExport.dll<\/code>). When Notepad++ starts, it will search for and load\u00a0<code>NppExport.dll<\/code>\u00a0from the corresponding plugin directory. 
Here, the attacker will replace the\u00a0<code>NppExport.dll<\/code>\u00a0file with a malicious DLL that forwards the expected functions to the original DLL, so that the program continues to operate normally.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1763440876.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23336\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1763440876.jpg\" alt=\"3 1763440876\" width=\"1191\" height=\"406\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1763440876.jpg 1191w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1763440876-700x239.jpg 700w\" sizes=\"(max-width: 1191px) 100vw, 1191px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">To create a &#8220;replacement&#8221; DLL that exposes the same export names as the original DLL, the attackers prepared a malicious file.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1763440875.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23335\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1763440875.jpg\" alt=\"4 1763440875\" width=\"1000\" height=\"587\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1763440875.jpg 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1763440875-700x411.jpg 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The core of this malicious file is the following:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>#pragma comment(linker, \"\/EXPORT:...\")<\/code><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, 
sans-serif;font-size: 12pt\">These lines instruct the linker to create exports in the new DLL. Here, export names such as <em>beNotified<\/em>, <em>getFuncsArray<\/em>, etc., are forwarded to the corresponding functions in <em>original-NppExport<\/em>. The main purpose of this section is to preserve the function names that the application (Notepad++ in this campaign) expects, while redirecting the calls to the \u201coriginal\u201d DLL so the application continues to operate normally. Conceptually, this is a proxy\/forwarding technique used to hide the DLL replacement.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Once the replacement is in place, the attacker just needs to wait for the user to open the Notepad++ application. At that point, the system will automatically load the malicious DLL, and\u00a0<code>DllMain<\/code>\u00a0or the malicious export function will execute. 
This allows the attacker to execute code within the Notepad++ process context.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1763440873.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23334\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1763440873.jpg\" alt=\"5 1763440873\" width=\"1280\" height=\"951\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1763440873.jpg 1280w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1763440873-700x520.jpg 700w\" sizes=\"(max-width: 1280px) 100vw, 1280px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In the end, the attacker can execute arbitrary code, achieve persistence (every time Notepad++ runs), escalate privileges if the process runs with higher permissions, or deploy the next stage (payload).<\/span><\/p>\n<h2 id=\"heading-recommendation\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Recommendation<\/strong><\/span><\/h2>\n<ol>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Update Software Patches<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Users should download and upgrade to the latest version via the link:\u00a0<a href=\"https:\/\/notepad-plus-plus.org\/downloads\/\" target=\"_blank\" rel=\"noopener nofollow\">Downloads | Notepad++<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Manage File and Folder Permissions<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Limit write permissions to the application installation folder (only for administrator accounts, not 
regular users).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Use access control mechanisms (ACLs) to prevent unauthorized accounts from writing DLL files.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Control and Verify Auxiliary Software (DLL, Plugins)<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Only install plugins\/DLLs from trusted sources and check digital signatures if available.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Do not allow plugins\/DLLs to update automatically without verifying their legitimacy.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The vulnerability\u00a0<strong>CVE\u20112025\u201156383<\/strong>\u00a0in Notepad++ is a typical example of how an &#8220;old&#8221; technique like DLL hijacking can still pose risks when software is not properly protected. 
Although exploiting it requires local file write permissions, the release of a PoC shows the real danger of the vulnerability, especially in enterprise environments or shared systems.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Protecting the system requires coordination between developers and system administrators: quickly patching vulnerabilities, controlling file access permissions, monitoring DLL changes, and strengthening defense layers (antivirus, EDR, code inspection).<\/span><\/p>\n<p id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>References<\/strong><\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/securityonline.info\/dll-hijacking-flaw-cve-2025-56383-found-in-notepad-allowing-arbitrary-code-execution-poc-available\/\" target=\"_blank\" rel=\"noopener nofollow\">DLL Hijacking Flaw (CVE-2025-56383) Found in Notepad++, Allowing Arbitrary Code Execution, PoC Available<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/github.com\/zer0t0\/CVE-2025-56383-Proof-of-Concept?tab=readme-ov-file\" target=\"_blank\" rel=\"noopener nofollow\">GitHub &#8211; zer0t0\/CVE-2025-56383-Proof-of-Concept: CVE-2025-56383-Proof-of-Concept<\/a><\/span><br \/>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><em>Luu Tuan Anh \u2013 FPT IS Cyber Security 
Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ol>\n","protected":false},"author":21,"featured_media":23342,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23331","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23342"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23331"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23331"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23331"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23331"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23331"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23331"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23331"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}