Potential Notepad++ CVE-2025-49144 Exploitation

    Date: 07/07/2025

    Severity: High

    Summary

Detects possible exploitation of CVE-2025-49144, a local privilege escalation (binary planting / uncontrolled search path) vulnerability in the Notepad++ installer, versions 8.8.1 and earlier (fixed in 8.8.2). During installation, the installer registers the NppShell.dll shell-extension component by calling regsvr32.exe by name rather than by its full path, so Windows resolves the executable from the installer's own directory before the system directories. An attacker who can write to the directory the installer is launched from (typically the user's Downloads folder) can drop a malicious regsvr32.exe there; when the installer runs elevated, that planted binary executes with the installer's privileges. The detection below keys on the registration step: a process named regsvr32.exe silently (/s) registering \contextMenu\NppShell.dll from any location other than C:\Windows\System32 or C:\Windows\SysWOW64.

    Indicators of Compromise (IOC) List

    Process name (match on image name)

    '\regsvr32.exe'

    Process name (legitimate locations; these are excluded by the filter, not matched as IOCs)

    'C:\Windows\System32\regsvr32.exe'

    'C:\Windows\SysWOW64\regsvr32.exe'

    Command line (both substrings must be present)

    'regsvr32 /s'

    '\contextMenu\NppShell.dll'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    ((resourcename = "Windows Security"  AND eventtype = "4688") AND (processname like "regsvr32.exe") AND (commandline like "regsvr32 /s" AND commandline like "\contextMenu\NppShell.dll") AND (processname not like "C:\Windows\System32\regsvr32.exe" AND processname not like "C:\Windows\SysWOW64\regsvr32.exe"))

    Detection Query 2 : 

    ((technologygroup = "EDR") AND (processname like "regsvr32.exe") AND (commandline like "regsvr32 /s" AND commandline like "\contextMenu\NppShell.dll") AND (processname not like "C:\Windows\System32\regsvr32.exe" AND processname not like "C:\Windows\SysWOW64\regsvr32.exe"))
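    The following is an added example, not Gurucul's or SigmaHQ's code, that reproduces the logic of the two queries above (and of the referenced Sigma rule: image ends with \regsvr32.exe, command line contains both 'regsvr32 /s' and '\contextMenu\NppShell.dll', minus anything running from System32 or SysWOW64) and runs it over a handful of constructed process-creation records. The record field names (source, event_id, image, command_line) and the source labels are assumptions made for the example, not TDIR field names.

```python
"""Added example: evaluate the CVE-2025-49144 detection logic over constructed
process-creation records. Not Gurucul's or SigmaHQ's code; field names are
assumptions for illustration only."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    source: str        # assumed source label: "Windows Security" or "EDR"
    event_id: str      # "4688" for Security-log process creation, "" for EDR
    image: str         # full path of the created process
    command_line: str  # command line as logged (may be empty, see below)


# Legitimate locations of regsvr32.exe; anything else is suspicious here.
SYSTEM_REGSVR32_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def matches_cve_2025_49144(ev: ProcessEvent) -> bool:
    """True when a regsvr32.exe outside System32/SysWOW64 silently registers
    NppShell.dll. Comparisons are case-insensitive, as Windows paths are."""
    # Source scoping, as in Query 1 (4688 from the Security log) and Query 2 (EDR).
    in_scope = (ev.source == "Windows Security" and ev.event_id == "4688") \
        or ev.source == "EDR"
    if not in_scope:
        return False
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    selection = (
        image.endswith("\\regsvr32.exe")
        and "regsvr32 /s" in cmd
        and "\\contextmenu\\nppshell.dll" in cmd
    )
    legitimate = image.startswith(SYSTEM_REGSVR32_DIRS)
    return selection and not legitimate


def run_detection(events):
    """Return the subset of events that trigger the rule."""
    return [ev for ev in events if matches_cve_2025_49144(ev)]


# Constructed sample records (not real telemetry).
NPP_CMD = r'regsvr32 /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"'
SAMPLE_EVENTS = [
    # Legitimate install: regsvr32 from System32 -> filtered out.
    ProcessEvent("Windows Security", "4688",
                 r"C:\Windows\System32\regsvr32.exe", NPP_CMD),
    # Planted regsvr32.exe beside the installer in Downloads -> alert.
    ProcessEvent("Windows Security", "4688",
                 r"C:\Users\alice\Downloads\regsvr32.exe", NPP_CMD),
    # Same activity seen through EDR telemetry -> alert.
    ProcessEvent("EDR", "", r"C:\Users\alice\Downloads\regsvr32.exe", NPP_CMD),
    # Non-system regsvr32 registering an unrelated DLL -> no match.
    ProcessEvent("EDR", "", r"C:\Temp\regsvr32.exe", r"regsvr32 /s C:\Temp\x.dll"),
    # 4688 logged without command-line auditing: command line is empty,
    # so the rule cannot fire even though the image path is suspicious.
    ProcessEvent("Windows Security", "4688",
                 r"C:\Users\alice\Downloads\regsvr32.exe", ""),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT [{hit.source}] {hit.image} :: {hit.command_line}")
```

    The last sample record illustrates the operational caveat for Query 1: Event ID 4688 only carries the process command line when the audit policy "Include command line in process creation events" is enabled, so without it the command-line conditions never match and only the EDR-based Query 2 can detect the activity.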

    Reference:    

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml


    Tags

    Sigma, Vulnerability, CVE-2025, Exploit
