CVE-2026-25926: Notepad++ Unsafe Search Path Flaw Enables Silent Code Execution via Explorer Hijack

Notepad++ – Unsafe Search Path Leading to Arbitrary Code Execution

CVE ID: CVE-2026-25926
Affected Product: Notepad++ (Windows)
Vulnerability Type: Untrusted Search Path / Path Interception
CWE: CWE-426 (Untrusted Search Path)
CVSS v3.1 Score: 7.3 (High)
Severity: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Impact: Arbitrary Code Execution (User Context), Possible Privilege Escalation (in chained scenarios)
Exploit Availability: No fully weaponized public exploit kit observed; technique is well known and reproducible
Patched Version: Notepad++ v8.9.2 and later


Overview

A security weakness was identified in Notepad++ where an external executable (explorer.exe) was launched without enforcing a fully qualified, trusted path. Under specific environmental conditions, Windows search order behavior could be abused to execute a malicious binary placed in a directory that is searched before the legitimate Windows system directory.

Because Windows resolves executable paths based on a defined search sequence, if a malicious explorer.exe is present in the current working directory or another prioritized location, it could be executed instead of the legitimate system binary. As a result, arbitrary code could be executed under the security context of the user running Notepad++.

The issue was corrected in Notepad++ version 8.9.2 by enforcing secure executable path handling.


Technical Root Cause

The vulnerability originates from improper handling of external process invocation.

When explorer.exe was called without specifying the absolute path (for example, not explicitly calling C:\Windows\explorer.exe), Windows followed its executable search order:

  1. Current working directory
  2. System32 directory
  3. Windows directory
  4. Directories listed in the PATH environment variable

If an attacker was able to place a malicious executable named explorer.exe in a directory that appeared earlier in the search order, the malicious binary would be executed.
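The search sequence just listed, worked through as an added example (illustrative Python written for this page, not Notepad++ code): it models the four locations in the order the advisory gives them over a constructed, in-memory file list, resolves an unqualified `explorer.exe` the way an unqualified process launch would, and contrasts that with the fix of building a fully qualified path from the Windows directory. The directory names, user name and planted-copy layout are constructed for the example.

```python
"""Simulation of the executable search order described in the advisory.

Added example, not Notepad++ code. The four-step order below is the one the
advisory lists; the host layout is an in-memory stand-in for a real machine.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field


@dataclass
class FakeWindowsHost:
    """Constructed stand-in for a Windows machine: just a set of file paths."""
    system32: str = r"C:\Windows\System32"
    windir: str = r"C:\Windows"
    path_dirs: list[str] = field(default_factory=list)
    files: set[str] = field(default_factory=set)

    def exists(self, path: str) -> bool:
        wanted = ntpath.normcase(ntpath.normpath(path))
        return any(ntpath.normcase(ntpath.normpath(f)) == wanted for f in self.files)


def search_order(host: FakeWindowsHost, cwd: str) -> list[str]:
    """The search sequence exactly as the advisory lists it."""
    return [cwd, host.system32, host.windir, *host.path_dirs]


def resolve_executable(host: FakeWindowsHost, name: str, cwd: str) -> str | None:
    """Resolve `name` the way an unqualified process launch would.

    A name that already carries a directory component is used as given and is
    never searched. Only a bare file name walks the search order, which is the
    condition the vulnerability depends on.
    """
    if ntpath.dirname(name):
        return name if host.exists(name) else None
    for directory in search_order(host, cwd):
        candidate = ntpath.join(directory, name)
        if host.exists(candidate):
            return candidate
    return None


def trusted_explorer_path(host: FakeWindowsHost) -> str:
    """The hardened pattern: derive the path from the Windows directory and never
    search. On a real host the base comes from GetWindowsDirectory()/%SystemRoot%."""
    return ntpath.join(host.windir, "explorer.exe")


def demo() -> tuple[str | None, str | None, str | None]:
    """Returns (unqualified name with planted copy, unqualified name on a clean
    host, fully qualified path with planted copy present)."""
    downloads = r"C:\Users\alice\Downloads"  # constructed user-writable directory
    clean = FakeWindowsHost(files={r"C:\Windows\explorer.exe"})
    planted = FakeWindowsHost(files={r"C:\Windows\explorer.exe",
                                     ntpath.join(downloads, "explorer.exe")})
    hijacked = resolve_executable(planted, "explorer.exe", cwd=downloads)
    legit = resolve_executable(clean, "explorer.exe", cwd=downloads)
    fixed = resolve_executable(planted, trusted_explorer_path(planted), cwd=downloads)
    return hijacked, legit, fixed


if __name__ == "__main__":
    hijacked, legit, fixed = demo()
    print("unqualified name, planted copy present ->", hijacked)
    print("unqualified name, clean host           ->", legit)
    print("fully qualified path, planted copy     ->", fixed)
```

The third result is the point of the 8.9.2 fix: once the caller supplies a fully qualified path, the planted copy in the working directory is never consulted, no matter where the program was launched from.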

This behavior falls under:

  • Path Interception by Search Order Hijacking
  • Binary Planting
  • Untrusted Search Path

The vulnerability is categorized under MITRE ATT&CK:

  • T1574 – Hijack Execution Flow
  • T1574.008 – Path Interception by Search Order Hijacking

Attack Scenarios

1. Local Directory Binary Planting

A malicious explorer.exe could be placed inside:

  • %USERPROFILE%\Downloads
  • A shared network drive
  • A temporary directory
  • Any directory from which Notepad++ is launched

If Notepad++ was executed from that directory, Windows might resolve and execute the malicious binary instead of the legitimate system version.

Result: Arbitrary code execution as the logged-in user.


2. Shared Drive / Lateral Movement Scenario

In enterprise environments:

  • An attacker with limited access could drop a malicious executable onto a shared development folder.
  • If another user launched Notepad++ from that shared location, the malicious payload could execute.
  • This could lead to credential theft or lateral movement.

3. Chained Privilege Escalation

If Notepad++ was executed in a context with elevated privileges (for example, during installation or administrative usage), the malicious binary would inherit those privileges.

This could allow:

  • Installation of backdoors
  • Persistence mechanisms
  • Privilege escalation

Impact

If successfully exploited, the following could occur:

  • Full control over user session
  • Installation of malware
  • Credential harvesting
  • Data exfiltration
  • Persistence establishment
  • Lateral movement within network

The severity of the impact depends on the user's privileges at the time of execution.


Proof of Concept (Educational)

No official exploit module has been publicly released specifically labeled for CVE-2026-25926. However, the technique can be demonstrated in a controlled lab environment.

Basic Educational Demonstration:

  1. Create a test directory.
  2. Place a renamed test executable in it as explorer.exe.
  3. Launch a vulnerable Notepad++ version from that directory.
  4. Trigger functionality that calls Explorer.

If Windows resolves the malicious binary first, execution will occur.


Exploitation Indicators

During exploitation, the following behaviors may be observed:

  • explorer.exe running from a non-standard path
  • explorer.exe spawned by notepad++.exe
  • Unsigned explorer.exe
  • Explorer binary located in a user-writable directory
  • Suspicious child processes of explorer.exe

Detection Strategy

Log Sources Required

  • Windows Security Event Logs (4688 – Process Creation)
  • Sysmon (Event ID 1 – Process Create)
  • EDR Process Telemetry
  • File Creation Logs
  • Application Control Logs (AppLocker / WDAC)

Detection Rules and Queries

1. Windows Event Log (Event ID 4688)

Objective: Detect suspicious explorer.exe execution.

EventID=4688
NewProcessName LIKE "%explorer.exe"
AND ParentProcessName LIKE "%notepad++.exe"

2. Explorer Executed Outside System Directory

EventID=4688
NewProcessName LIKE "%explorer.exe"
AND NOT NewProcessName="C:\Windows\explorer.exe"

3. Sysmon Detection (Process Create – Event ID 1)

EventID=1
Image endswith "\explorer.exe"
AND ParentImage endswith "\notepad++.exe"

4. Explorer Running from User-Writable Path

EventID=1
Image endswith "\explorer.exe"
AND (
    Image contains "\Users\"
    OR Image contains "\Downloads\"
    OR Image contains "\Temp\"
)

5. Unsigned Explorer Detection (PowerShell Validation)

Get-AuthenticodeSignature "C:\SuspiciousPath\explorer.exe"

If the signature is not from Microsoft Windows Publisher, further investigation is required.


6. File Creation Monitoring

Monitor for creation of:

Filename: explorer.exe
Path: %USERPROFILE%\*
Path: %TEMP%\*
Path: Network Shares
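Rules 1 to 4 and rule 6 above, applied to sample telemetry as an added example (Python written for this page, not a vendor or Notepad++ artefact): the records use Sysmon field names (Event ID 1 for process creation, Event ID 11 for file creation), but the pipe-delimited line format, paths, user and parent processes are constructed for the example. Record 1 is included deliberately: Notepad++ legitimately launching the real explorer.exe trips rule 1, which is why the path-based rules carry the weight.

```python
"""Detection rules 1-4 and 6 from the advisory, run over constructed records.

Added example, not the advisory's or Notepad++'s code. Field names follow
Sysmon (Image, ParentImage, TargetFilename); the line format is constructed.
"""
from __future__ import annotations

import ntpath

# Known-good location named in the advisory. Hosts with a non-default
# %SystemRoot% need this constant adjusted before the rules are deployed.
SYSTEM_EXPLORER = r"C:\Windows\explorer.exe"
# Path fragments from rule 4 and rule 6, compared case-insensitively.
USER_WRITABLE_MARKERS = ("\\users\\", "\\downloads\\", "\\temp\\")

# Constructed sample telemetry: pipe-delimited key=value pairs per event.
SAMPLE_EVENTS = [
    # 0: normal shell start at logon
    r"EventID=1|Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|User=CORP\alice",
    # 1: the genuine explorer.exe launched by Notepad++ (legitimate, but trips rule 1)
    r"EventID=1|Image=C:\Windows\explorer.exe|ParentImage=C:\Program Files\Notepad++\notepad++.exe|User=CORP\alice",
    # 2: a planted copy resolved from the working directory
    r"EventID=1|Image=C:\Users\alice\Downloads\explorer.exe|ParentImage=C:\Program Files\Notepad++\notepad++.exe|User=CORP\alice",
    # 3: explorer.exe is the parent here, so none of the explorer rules may fire
    r"EventID=1|Image=C:\Program Files\Notepad++\notepad++.exe|ParentImage=C:\Windows\explorer.exe|User=CORP\alice",
    # 4: the planted file being written (rule 6)
    r"EventID=11|Image=C:\Windows\System32\cmd.exe|TargetFilename=C:\Users\alice\Downloads\explorer.exe|User=CORP\alice",
    # 5: an unrelated file creation in the same directory
    r"EventID=11|Image=C:\Windows\System32\cmd.exe|TargetFilename=C:\Users\alice\Downloads\notes.txt|User=CORP\alice",
]


def parse_event(line: str) -> dict[str, str]:
    """Split one constructed 'k=v|k=v' line into a field dictionary."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _norm(path: str) -> str:
    return ntpath.normcase(path)


def _is_binary(path: str, name: str) -> bool:
    """True when `path` names the file `name`, in any directory, case-insensitively."""
    return _norm(path).endswith("\\" + name.lower())


def _in_user_writable_location(path: str) -> bool:
    """Rule 4 / rule 6 path test: user profile, Downloads, Temp, or a UNC share."""
    p = _norm(path)
    return p.startswith("\\\\") or any(m in p for m in USER_WRITABLE_MARKERS)


# Rules 1 and 3: explorer.exe with notepad++.exe as parent. Fires on legitimate
# use too, so treat it as a correlation signal rather than an alert on its own.
def rule_explorer_spawned_by_notepadpp(ev: dict[str, str]) -> bool:
    return (_is_binary(ev.get("Image", ""), "explorer.exe")
            and _is_binary(ev.get("ParentImage", ""), "notepad++.exe"))


# Rule 2: explorer.exe anywhere other than the known-good system location.
def rule_explorer_outside_system_dir(ev: dict[str, str]) -> bool:
    image = ev.get("Image", "")
    return _is_binary(image, "explorer.exe") and _norm(image) != _norm(SYSTEM_EXPLORER)


# Rule 4: explorer.exe executing from a user-writable path.
def rule_explorer_in_user_writable_path(ev: dict[str, str]) -> bool:
    image = ev.get("Image", "")
    return _is_binary(image, "explorer.exe") and _in_user_writable_location(image)


# Rule 6: a file named explorer.exe written under a user profile, Temp or a share.
def rule_explorer_file_created_in_user_path(ev: dict[str, str]) -> bool:
    target = ev.get("TargetFilename", "")
    return _is_binary(target, "explorer.exe") and _in_user_writable_location(target)


PROCESS_RULES = (rule_explorer_spawned_by_notepadpp,
                 rule_explorer_outside_system_dir,
                 rule_explorer_in_user_writable_path)
FILE_RULES = (rule_explorer_file_created_in_user_path,)


def evaluate(ev: dict[str, str]) -> list[str]:
    """Names of the rules that fire for one event, in rule order."""
    rules = {"1": PROCESS_RULES, "11": FILE_RULES}.get(ev.get("EventID", ""), ())
    return [r.__name__[len("rule_"):] for r in rules if r(ev)]


def run(lines: list[str]) -> list[list[str]]:
    """Evaluate every line; result[i] lists the rules that fired for line i."""
    return [evaluate(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{hits or ['-']}  <-  {line}")
```

Record 2 fires all three process rules while record 1 fires only the parent-child rule; in a SIEM the high-fidelity alert is the combination of rule 1 with rule 2 or 4, and the rule 6 hit on record 4 is the earliest point at which the planting could have been caught.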

Threat Hunting Guidance

Investigations should focus on:

  • Explorer instances not running from C:\Windows\
  • Explorer processes spawned by development tools
  • Recently created executables named explorer.exe
  • Hash mismatches compared to known-good Windows explorer hash
  • Explorer launching suspicious child processes (cmd.exe, powershell.exe, rundll32.exe)

Mitigation

Immediate

  • Upgrade Notepad++ to version 8.9.2 or later, which enforces secure executable path handling.
  • Inventory installations still running older Notepad++ versions and treat them as at risk until updated.

Defensive Controls

  • Enforce application allowlisting (WDAC / AppLocker)
  • Block execution from user-writable directories
  • Enable command-line logging for process creation
  • Enforce digital signature validation
  • Restrict execution from network shares

Hardening Recommendations

  • Configure WDAC policies to restrict execution outside C:\Windows\ and C:\Program Files\
  • Disable legacy PATH directory abuse
  • Implement EDR alerting for path interception behaviors
  • Conduct regular integrity monitoring of Windows system binaries

Incident Response Actions

If exploitation is suspected:

  1. Isolate affected system.
  2. Collect memory image.
  3. Capture full process tree.
  4. Retrieve malicious binary.
  5. Compute file hash.
  6. Review lateral movement indicators.
  7. Audit credential usage after compromise timestamp.

Risk Assessment Summary

While exploitation requires local access and user interaction, the technique itself is simple and reliable under the right conditions. In enterprise environments where shared directories are common, the risk becomes significantly higher.

The vulnerability does not require advanced exploitation skill. It relies on predictable Windows behavior.

Systems running older Notepad++ versions should be considered at risk until patched.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.