Date: 07/07/2025
Severity: High
Summary
Detects possible exploitation of CVE-2025-49144 — a local privilege escalation vulnerability affecting Notepad++ installer versions 8.8.1 and earlier. The issue arises because the installer invokes regsvr32.exe without specifying its full path, so an attacker who places a malicious regsvr32.exe in the same directory as the legitimate Notepad++ installer can have it executed with the installer's elevated privileges. The vulnerability is triggered when the installer registers the NppShell.dll component.
Indicators of Compromise (IOC) List
Processname | '\regsvr32.exe', 'C:\Windows\System32\regsvr32.exe', 'C:\Windows\SysWOW64\regsvr32.exe'
Commandline | 'regsvr32 /s', '\contextMenu\NppShell.dll'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: ((resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "regsvr32.exe") AND (commandline like "regsvr32 /s" AND commandline like "\contextMenu\NppShell.dll") AND (processname not like "C:\Windows\System32\regsvr32.exe" AND processname not like "C:\Windows\SysWOW64\regsvr32.exe"))
Detection Query 2: ((technologygroup = "EDR") AND (processname like "regsvr32.exe") AND (commandline like "regsvr32 /s" AND commandline like "\contextMenu\NppShell.dll") AND (processname not like "C:\Windows\System32\regsvr32.exe" AND processname not like "C:\Windows\SysWOW64\regsvr32.exe"))
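The logic of Detection Query 1, applied to constructed 4688 events so the trusted-path exclusion can be checked end to end (an added example, not Gurucul's or Sigma's own code; the ProcessEvent fields, the sample events and the case-insensitive comparison are assumptions of this example):

```python
# Added example: evaluates the advisory's detection logic against constructed
# Windows Security 4688 process-creation events. Not part of the original page.
from dataclasses import dataclass

# The two legitimate locations of regsvr32.exe, from the advisory's IOC list.
TRUSTED_REGSVR32 = {
    r"c:\windows\system32\regsvr32.exe",
    r"c:\windows\syswow64\regsvr32.exe",
}

@dataclass
class ProcessEvent:
    resourcename: str   # log source, e.g. "Windows Security" (assumed field name)
    eventtype: str      # Windows event ID as a string, "4688" for process creation
    processname: str    # full path of the created process (NewProcessName in 4688)
    commandline: str    # only present when command-line auditing is enabled

def matches_cve_2025_49144(ev: ProcessEvent) -> bool:
    """Mirror Detection Query 1: regsvr32.exe started from outside the system
    directories while silently registering Notepad++'s NppShell.dll."""
    if ev.resourcename != "Windows Security" or ev.eventtype != "4688":
        return False
    proc = ev.processname.lower()   # Windows paths are case-insensitive (assumed here)
    cmd = ev.commandline.lower()
    if not proc.endswith(r"\regsvr32.exe"):
        return False
    if "regsvr32 /s" not in cmd or r"\contextmenu\nppshell.dll" not in cmd:
        return False
    return proc not in TRUSTED_REGSVR32

# Constructed sample events (not real telemetry).
NPP_DLL = r'"C:\Program Files\Notepad++\contextMenu\NppShell.dll"'
SAMPLE_EVENTS = [
    # legitimate installer run: real regsvr32 from System32 -> no alert
    ProcessEvent("Windows Security", "4688",
                 r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s " + NPP_DLL),
    # regsvr32.exe launched from the download folder beside the installer -> alert
    ProcessEvent("Windows Security", "4688",
                 r"C:\Users\alice\Downloads\regsvr32.exe", "regsvr32 /s " + NPP_DLL),
    # untrusted regsvr32 but a different DLL: outside this rule's scope -> no alert
    ProcessEvent("Windows Security", "4688",
                 r"C:\Users\alice\Downloads\regsvr32.exe",
                 r'regsvr32 /s "C:\Users\alice\Downloads\other.dll"'),
]

def alerts(events) -> list:
    """Return the process paths of all events that match the detection."""
    return [ev.processname for ev in events if matches_cve_2025_49144(ev)]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: untrusted regsvr32 registering NppShell.dll:", path)
```

Event 4688 carries a command line only when "Include command line in process creation events" is enabled, so the commandline clauses never match on hosts without that policy.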
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml