Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in Google Chronicle
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
YARA-L Detection Query
rule cve_2025_15556_notepadplusplus_integrity_bypass {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2025-15556: Notepad++ download of code without integrity check"
severity = "HIGH"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-15556"
yara_version = "YL2.0"
rule_version = "1.0"
events:
(
// Notepad++ spawning unexpected child processes
$e1.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
and not re.regex($e1.target.process.file.full_path, `(?i)(notepad\+\+|GUP|conhost|cmd)\.exe`)
)
or
(
// Notepad++ making network connections to non-official hosts
$e1.metadata.event_type = "NETWORK_CONNECTION"
and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
and not re.regex($e1.target.hostname, `(?i)(notepad-plus-plus\.org|localhost|127\.0\.0\.1)`)
)
or
(
// Notepad++ writing executables to plugin/updater directories
$e1.metadata.event_type = "FILE_CREATION"
and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
and re.regex($e1.target.file.full_path, `(?i)(\\plugins\\|\\updater\\)`)
and re.regex($e1.target.file.full_path, `(?i)\.(dll|exe)$`)
)
condition:
$e1
}Chronicle YARA-L 2.0 rule detecting Notepad++ CVE-2025-15556 exploitation patterns: unauthorized child process spawning, network connections to non-official hosts, and executable file writes to plugin or updater directories.
Data Sources
Required Tables
False Positives & Tuning
- Notepad++ plugin manager downloading plugins from community repositories with non-official domains
- Enterprise software management tools launching processes in Notepad++ context
- GUP.exe update connections to CDN endpoints not matching the exact notepad-plus-plus.org pattern
- Developer extensions or automation scripts integrating with Notepad++
Other platforms for CVE-2025-15556
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP
Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert
- Test 2Notepad++ Plugin Directory DLL Drop
Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert
- Test 3Notepad++ Spawning Unexpected Child Process
Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry
Unlock Pro Content
Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.