Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in Sumo Logic CSE
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
Sumo Detection Query
_sourceCategory=endpoint/windows/sysmon OR _sourceCategory=endpoint/crowdstrike
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "DestinationHostname" as dest_host nodrop
| json field=_raw "TargetFilename" as target_file nodrop
| where (toLowerCase(image) contains "notepad++.exe" or toLowerCase(parent_image) contains "notepad++.exe")
| eval suspicious_network = if(event_id="3" and toLowerCase(image) contains "notepad++.exe" and !matches(dest_host, ".*notepad-plus-plus\\.org.*"), 1, 0)
| eval suspicious_child = if(event_id="1" and toLowerCase(parent_image) contains "notepad++.exe" and !matches(toLowerCase(image), ".*(notepad\\+\\+|gup|conhost).*"), 1, 0)
| eval suspicious_file = if(event_id="11" and toLowerCase(image) contains "notepad++.exe" and (matches(target_file, "(?i).*\\\\plugins\\\\.*") or matches(target_file, "(?i).*\\\\updater\\\\.*")) and (matches(target_file, "(?i).*\\.(dll|exe)$")), 1, 0)
| where suspicious_network=1 or suspicious_child=1 or suspicious_file=1
| fields _sourceHost, _sourceCategory, event_id, image, parent_image, dest_host, target_file, suspicious_network, suspicious_child, suspicious_file
| sort by _messagetime descSumo Logic query identifying Notepad++ suspicious behaviors including unauthorized outbound connections, unexpected child process execution, and DLL/EXE writes to sensitive directories consistent with CVE-2025-15556.
Data Sources
Required Tables
False Positives & Tuning
- Official Notepad++ plugin manager connecting to approved plugin repositories
- Enterprise patch management systems performing Notepad++ updates
- Developer toolchains that extend Notepad++ with custom plugins
- Security product integrations that hook into Notepad++ process space
Other platforms for CVE-2025-15556
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP
Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert
- Test 2Notepad++ Plugin Directory DLL Drop
Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert
- Test 3Notepad++ Spawning Unexpected Child Process
Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry
Unlock Pro Content
Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.