What happened
CISA added CVE-2025-15556 to the Known Exploited Vulnerabilities catalog, signaling confirmed exploitation in the wild CISA KEV. The entry describes a “download of code without integrity check” flaw in Notepad++’s WinGUp updater that enables interception or redirection of update traffic to deliver and execute an attacker-controlled installer NVD entry. The weakness maps to CWE-494 (Download of Code Without Integrity Check) NVD CWE. CISA’s record lists a due date of 2026-03-05 for remediation and points agencies to apply vendor mitigations or discontinue use if none are available CISA KEV. The CVE is cataloged by MITRE under CVE-2025-15556 with cross-references to the same weakness and impact MITRE CVE.
Why it matters
Updater chains are high-value because they’re trusted to fetch and run new code; when integrity checks are missing, a network redirection or interception can convert the “update” into initial execution on endpoints NVD entry. Inclusion in the CISA KEV means the vulnerability is already being exploited and must be prioritized by federal agencies under Binding Operational Directive 22-01 processes CISA KEV. Successful exploitation here leads to arbitrary code execution with the privileges of the user, which is enough for persistence, data theft, or staging lateral movement in many environments NVD impact. Notepad++ is broadly deployed across developer and IT workstations; exploitation of its updater presents a low-friction path to run attacker-selected installers without requiring user privilege escalation in the first step NVD entry.
Technical detail
The affected component is the WinGUp updater used by Notepad++ NVD component. The core issue is a download of code without integrity check (CWE-494), which means the updater does not cryptographically verify the fetched payload before execution NVD CWE. According to the CVE description, an attacker who can intercept or redirect the updater’s network request can cause it to retrieve an attacker-controlled installer NVD description. Once retrieved, that installer is executed with the privileges of the invoking user, enabling arbitrary code execution on the host NVD impact. CISA’s KEV listing confirms real-world exploitation, which elevates the risk profile beyond a theoretical supply-chain vector to an active threat stream CISA KEV. MITRE’s record tracks this under CVE-2025-15556 and aligns the weakness classification with the lack of integrity verification in software update mechanisms MITRE CVE.
Attackers need only achieve traffic interception or redirection at the moment the updater checks for or downloads updates, after which execution of the malicious installer proceeds in the context of the user session NVD description. This class of flaw collapses the security boundary that should exist between retrieval and execution of updates, turning an integrity failure into a direct code execution path NVD CWE.
Defense
CISA directs organizations to apply vendor mitigations per instructions, and if mitigations are unavailable, discontinue use; federal agencies must remediate by 2026-03-05 per the KEV entry CISA KEV. Asset owners should immediately identify systems with Notepad++ and verify whether WinGUp-based updating is enabled, then prioritize remediation as a KEV-listed item CISA KEV. Until mitigations are applied, disable or restrict the updater’s network access to prevent the redirection/interception path that delivers attacker-controlled installers described in CVE-2025-15556 NVD entry. Where operationally feasible, defer updates to controlled maintenance windows and validate update operations after applying vendor guidance addressing this CWE-494 class NVD CWE. For incident response, treat any unexpected installer execution tied to Notepad++ updating as suspicious and investigate chain-of-custody for the payload, given the arbitrary code execution impact NVD impact.
Lyrie Verdict
This is a classic “trust the pipe, run the payload” failure in an updater. The attack expression is consistent and machine-detectable: Notepad++ update activity followed by retrieval and execution of an installer, where the installer source can be redirected or intercepted per CVE-2025-15556 NVD entry. Lyrie’s anti-rogue-AI defense stack flags this sequence at machine speed: outbound update request, deviation/redirection in the flow, and spawn of an installer process mapped to the Notepad++ updater lineage, all of which align with the described exploitation path NVD description. Because KEV addition confirms active abuse, we enforce autonomous containment policies the moment this pattern manifests, without waiting for human triage, to break the fetch-and-execute chain unique to CWE-494 in updater contexts CISA KEV.
Lyrie Verdict
The exploitation sequence (update traffic redirection → attacker-controlled installer execution) is deterministic enough to catch autonomously. Lyrie watches for the Notepad++ updater’s network check and flags deviations that match CVE-2025-15556’s redirection model, then blocks the spawned installer at machine speed before user-privileged execution can persist [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-15556) [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) [MITRE](https://cveawg.mitre.org/api/cve/CVE-2025-15556).