Rule Info
Name
Potential Notepad++ CVE-2025-49144 Exploitation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer.
The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
Date
2025-06-26 00:00:00
Modified
None
Id
933f0bb5-0681-4fe7-8a17-4e6cccbaac44
Tags
attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.008 cve.2025-49144 detection.emerging-threats
Type
Community Rule
Link to Public Repo
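Added example, not the rule's own detection logic: a minimal check over process-creation events for the condition the description names, regsvr32.exe started by a Notepad++ installer from outside the Windows system directories. It assumes Sysmon-style Image and ParentImage fields and the npp.<version>.Installer naming of official installers; the sample events are constructed.

```python
import ntpath
import re

# Assumption: installers keep the official npp.<version>.Installer[.<arch>].exe name.
INSTALLER_RE = re.compile(r"^npp\.\d+(\.\d+)*\.installer(\.\w+)?\.exe$", re.I)
# Directories that hold the genuine regsvr32.exe on a default Windows install.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dir(path):
    """Normalised, lower-cased parent directory of a Windows path."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def classify(event):
    """Return None for events out of scope or benign, else a short reason string."""
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    if ntpath.basename(image).lower() != "regsvr32.exe":
        return None
    if not INSTALLER_RE.match(ntpath.basename(parent)):
        return None
    if _dir(image) in TRUSTED_DIRS:
        return None  # the installer resolved the real system binary
    if _dir(image) == _dir(parent):
        return "beside-installer"  # the location the description names
    return "untrusted-path"  # still not the system copy; worth triage


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\Downloads\npp.8.8.1.Installer.x64.exe",
     "Image": r"C:\Users\alice\Downloads\regsvr32.exe"},
    {"ParentImage": r"C:\Users\alice\Downloads\npp.8.8.1.Installer.x64.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe"},
    {"ParentImage": r"C:\Users\alice\Downloads\npp.8.8.1.Installer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\regsvr32.exe"},
    {"ParentImage": r"C:\Users\alice\Downloads\npp.8.8.1.Installer.x64.exe",
     "Image": r"C:\WINDOWS\SysWOW64\regsvr32.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Temp\regsvr32.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["Image"])
```

A renamed installer does not match the filename pattern, so production logic should also key on file metadata such as the original file name or signer where the telemetry provides it.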
