CVE-2025-15556 Elastic Security · Elastic

Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in Elastic Security

CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where process.name : "notepad++.exe" and event.type == "start"]
  [any where
    (
      /* Suspicious network connection from notepad++ */
      (event.category == "network" and process.name : "notepad++.exe" and
       not destination.domain : ("*.notepad-plus-plus.org", "notepad-plus-plus.org"))
      or
      /* Child process spawned by notepad++ */
      (event.category == "process" and process.parent.name : "notepad++.exe" and
       not process.name : ("notepad++.exe", "GUP.exe", "conhost.exe"))
      or
      /* File write to plugin or updater directory */
      (event.category == "file" and process.name : "notepad++.exe" and
       file.path : ("*\\plugins\\*", "*\\updater\\*") and
       file.extension : ("dll", "exe"))
    )
  ]
high severity medium confidence

EQL sequence detection correlating Notepad++ process start with subsequent suspicious network connections, child process spawning, or plugin/updater directory file writes indicative of CVE-2025-15556 exploitation.

Data Sources

Elastic Endpoint SecurityElastic Agent

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*logs-endpoint.events.file-*

False Positives & Tuning

  • Legitimate plugin manager operations downloading plugins from official sources
  • Auto-update mechanism (GUP.exe) performing standard version updates
  • Administrative scripting that invokes Notepad++ as a component
  • AV/EDR software intercepting Notepad++ file operations

Other platforms for CVE-2025-15556

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP

    Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert

  2. Test 2Notepad++ Plugin Directory DLL Drop

    Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert

  3. Test 3Notepad++ Spawning Unexpected Child Process

    Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195Supply Chain CompromiseT1105Ingress Tool TransferT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections