
A significant security vulnerability, tracked as CVE-2025-49144, has been identified in the installer for Notepad++. The flaw presents a critical risk during the software installation process.
The vulnerability is described as a race condition: under specific, carefully timed circumstances during installation, an attacker with local access to the system could exploit the timing window. Successful exploitation could lead to unauthorized file operations with elevated privileges.
The most severe outcome of this vulnerability is that an attacker could achieve SYSTEM access on the affected machine. SYSTEM is the highest level of privileges on a Windows operating system; with it, an attacker can execute arbitrary code, modify or delete data, and create new accounts with full administrative rights, effectively taking complete control of the compromised system.
This flaw affects the installer itself, not the Notepad++ application once it is already installed and running normally. The window of opportunity for exploitation exists during the execution of the setup program. Users are strongly advised to be aware of this vulnerability and to follow recommended security practices when installing software.
Source: https://www.helpnetsecurity.com/2025/06/25/flaw-in-notepad-installer-could-grant-attackers-system-access-cve-2025-49144/