CVE-2025-15556 IBM QRadar · QRadar

Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in IBM QRadar

CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  sourceip,
  destinationip,
  destinationhostname,
  "Application",
  QIDNAME(qid) AS event_name,
  payload
FROM events
WHERE
  LOWER("Application") LIKE '%notepad++%'
  AND (
    (LOWER(category) = 'network connection' AND destinationhostname NOT LIKE '%notepad-plus-plus.org%')
    OR (LOWER(category) = 'process creation' AND "parentprocessname" LIKE '%notepad++.exe%' AND LOWER("Application") NOT IN ('notepad++.exe', 'gup.exe', 'conhost.exe'))
    OR (LOWER(category) = 'file created' AND ("targetfilepath" LIKE '%\plugins\%' OR "targetfilepath" LIKE '%\updater\%') AND ("targetfilepath" LIKE '%.dll' OR "targetfilepath" LIKE '%.exe'))
  )
  AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
LAST 24 HOURS
high severity medium confidence

QRadar AQL query detecting Notepad++ making unauthorized network connections, spawning unexpected child processes, or writing executable files to plugin/updater directories as indicators of CVE-2025-15556 exploitation.

Data Sources

QRadar SIEMWindows Event LogsSysmon

Required Tables

events

False Positives & Tuning

  • Legitimate plugin manager downloading approved plugins from known-good repositories
  • Authorized Notepad++ updates through enterprise software management
  • IT helpdesk manual plugin installations on user workstations
  • Security scanning tools that invoke Notepad++ during file analysis

Other platforms for CVE-2025-15556

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP

    Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert

  2. Test 2Notepad++ Plugin Directory DLL Drop

    Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert

  3. Test 3Notepad++ Spawning Unexpected Child Process

    Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195Supply Chain CompromiseT1105Ingress Tool TransferT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections