SEV

This week a reader sent me a story about a CVE in Notepad++, and something isn’t quite right. The story is a DLL hijack, a technique where a legitimate program’s Dynamic Link Library (DLL) is replaced with a malicious DLL. This can be used for very stealthy persistence as well as escalation of privilege. This one was assigned CVE-2025-56383, and given a CVSS score of 8.4.

The problem? Notepad++ doesn’t run as a privileged user, and the install defaults to the right permissions for the folder where the “vulnerable” DLL is installed. Or as pointed out in a GitHub issue on the Proof of Concept (PoC) code, why not just hijack the notepad++ executable?

This is key when evaluating a vulnerability write-up. What exactly is the write-up claiming? And what security boundary is actually being broken? The Common Weakness Enumeration (CWE) list can be useful here. This vulnerability is classified as CWE-427, an uncontrolled search path element — which isn’t actually what the vulnerability claims, and that’s another clue that something is amiss here. In reality this “vulnerability” applies to every application that uses a DLL: a CVSS 0.

Continue reading “This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model” →

Hackaday

1 Articles

This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model

Search

Never miss a hack

If you missed it

On 3D Scanners And Giving Kinects A New Purpose In Life

The Hottest Spark Plugs Were Actually Radioactive

A Cut Above: Surgery In Space, Now And In The Future

Two Decades Of Hackaday In Words

Spy Tech: The NRO And Apollo 11

Our Columns

This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model

How Hydraulic Ram Pumps Push Water Uphill With No External Power Input

FLOSS Weekly Episode 849: Veilid: Be A Brick

Lost Techniques: Bond-out CPUs And In Circuit Emulation

2025 Hackaday Speakers, Round One! And Spoilers

Search

Never miss a hack

Subscribe

If you missed it

Our Columns