Update software or introduce malware yourself? Notepad++ serious problem
A vulnerability in the update mechanism opened the way for attackers to distribute malicious files to users, causing huge damage to the security syste
Overview
Although Notepad++ last September released a security patch for the critical vulnerability CVE‑2025‑56383, in December Notepad++ continued to release an emergency patch 8.8.9 for a serious vulnerability in the WinGUp update tool (GUP.exe).
Detailed information about the previous vulnerability you can read in the article: "Lỗ Hổng Trong Notepad++ Biến Ứng Dụng Vô Hại Thành Công Cụ Hacker"
This vulnerability resides in the automatic update component (WinGUp) that allows an attacker to push a malicious update file to the user's machine, opening up the possibility of unauthorized code execution without significant interaction. What's worrying is that this process takes advantage of users' default trust in software updates, making detection and prevention much more difficult than traditional forms of attack.
The incident not only raises questions about the security of Notepad++ during the affected period, but also reflects a broader problem in software supply chain security - where just one weak link is enough to expose the entire system behind it. In the context of increasing attacks through the update mechanism, this incident has become a typical example of a silent but far-reaching risk.
Main impact
Risk of executing malicious code from a “trusted” source.
Expanding the supply chain attack surface.
Collect information and prepare for deep penetration.
Directly affects the business environment and SOC.
Declining trust in automatic update mechanisms.
Mining conditions
For the vulnerability in the update mechanism of Notepad++. (WinGUp) to be successfully exploited, an attacker needs to meet a number of specific technical and environmental conditions. These conditions are not too complicated, but are realistic and feasible in many current network scenarios. The main factors needed are:
Users using an unpatched version of Notepad++.
An attacker has the ability to interfere with network flows.
Technical analysis
First, we need to understand a few things about Notepad++'s update mechanism. In Notepad++, there is a component called WinGUp (GUP.exe), which is considered the component in charge of checking and downloading new updates for Notepad++. Normally:
WinGUp connects to the update server (getDownloadUrl.php) to get new version information.
The server returns the update file path as XML.
WinGUp downloads and installs that file - without checking the previous signature.
We will now detail how an attacker performs this exploit via Notepad++ software. For every documented campaign, attackers will first need to perform a reconnaissance phase and select a specific target. Here the attacker will determine:
User or organization using unpatched Notepad++ (< 8.8.9)
The network environment allows interference or manipulation of update traffic
Besides, with the reconnaissance phase the attacker can see:
Observe DNS, HTTP(S) traffic related to updater.
Specify the server, path and update file format.
After successfully performing reconnaissance, the attacker will move to phase 2. Here they will use 3 main attack techniques including:
Man-in-the-Middle (MITM) on Wi-Fi/proxy/gateway.
DNS hijacking/poisoning to point the updated domain to a fake server.
Traffic hijacking at the ISP or intermediary infrastructure level.
The main goal of this phase 2 is to modify the response from the update server, especially the URL pointing to the update file. As mentioned above, Update files act as an intermediary point to download malicious code.
Moving to the next stage, the attacker will distribute fake update files (Malicious Update Injection). The attacker prepares a fake executable file "autoupdater.exe". This file will be located at the attackers' Server C2. As mentioned before, WinGUp (GUP.exe) will execute the XML/metadata response when updating Notepad++, so the attacker will do:
Change the update URL to a malicious file.
Keep the version information intact to avoid causing suspicion.
Once the user runs Automatic Update, WinGUp will download the file to the temporary folder (%Temp%) and from there the malicious code will be run.
Once inside the system, the malicious code will begin the process of collecting information from users as well as collecting system information:
Current user.
The process is running.
Network configuration.
All of this data is Exfiltrated and sent out via HTTPs with legitimate command line tools like “curl”. Eventually the attackers will perform extensive intrusions. For example, for a business environment, with previously obtained information they will do:
Horizontal movement within the intranet.
Access important resources.
Deploy attacks on a larger scale.
Recommended
Update software promptly
Always use the latest version of Notepad++ (8.8.9 or later) to ensure vulnerabilities have been patched.
Only download software and updates from official sources (Notepad++ website or GitHub).
Avoid installing modifications, portables or repacks of unknown origin.
Do not disable security mechanisms
Do not turn off antivirus, Windows Defender or security warnings when installing/updating software.
Avoid using software with Administrator rights when not absolutely necessary.
Be careful with the network environment
Limit software updates when using public Wi-Fi or untrusted networks.
Prioritize using a local network or controlled Internet connection.
Avoid using VPN/proxies of unknown origin during the update process.
Watch for unusual signs
Pay attention if after the update appears:
Abnormal command line window
Strange file in folder %Temp%
The device is slow and has an abnormal network connection
When in doubt, disconnect from the Internet and run a full system scan.
Proactively update security information
Follow announcements from developers and reputable cybersecurity news sites.
Do not ignore security warnings, even with familiar software.
Conclude
The security issue in Notepad++'s update mechanism is a stark reminder that even the most familiar and trusted software can become an intrusion point if the security process is not adequately designed. When the update channel, which is considered absolutely safe, is exploited, the line between legitimate activity and attack becomes more blurred than ever.
Although Notepad++ responded quickly by patching the vulnerability and adding digital signature authentication, the incident still leaves important lessons about software supply chain security. A small vulnerability in the distribution stage can open up a large, silent but far-reaching attack chain, especially in corporate environments where this software is commonly used.
On the user side, timely updates, using official sources, and maintaining basic security habits are the first line of defense. For organizations, this incident highlights the importance of monitoring updaters, controlling network traffic, and adopting a “zero trust” mindset even with legitimate processes.
