Notepad CVE 2026 48778 CVE 2026 48800 Detection
Query
// Notepad++ CVE-2026-48778 & CVE-2026-48800 Detection
// CVE-2026-48778: commandLineInterpreter hijack via config.xml
// CVE-2026-48800: UserDefinedCommands hijack via shortcuts.xml
let ExcludedCLI = dynamic([@"C:\myscript.ps1"]);
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where OSPlatform startswith "Windows"
| where SoftwareName =~ "notepad++"
| where parse_version(SoftwareVersion) < parse_version("8.9.6.1")
| distinct DeviceName;
let XmlConfigWrite = DeviceFileEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName in~ ("config.xml", "shortcuts.xml")
| where FolderPath has @"\AppData\Roaming\Notepad++"
| where InitiatingProcessFileName !in~ (
"notepad++.exe",
"explorer.exe",
"MsMpEng.exe",
"svchost.exe"
)
// Exclude FHNW config management
| where not(
InitiatingProcessFileName =~ "powershell.exe"
and InitiatingProcessCommandLine has_any (ExcludedCLI)
)
| extend
DetectionType = "XML_Config_Write",
CVE = iff(FileName =~ "config.xml", "CVE-2026-48778", "CVE-2026-48800");
// Trigger: user clicks "Open Containing Folder -> cmd"
let SuspiciousShellExecute = DeviceProcessEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "notepad++.exe"
// General process whitelist excluding shells (handled below)
| where FileName !in~ (
"notepad++.exe", // multi-instance & UAC-save
"explorer.exe", // open containing folder
"GUP.exe", // built-in updater
"chrome.exe", // URL handler
"msedge.exe", // URL handler
"firefox.exe", // URL handler
"msedgewebview2.exe" // MarkdownPanel plugin
)
// Allow cmd/powershell/bash only from System32 or SysWOW64
| where not(
FileName in~ ("cmd.exe", "powershell.exe", "bash.exe")
and FolderPath has_any (
@"C:\Windows\System32",
@"C:\Windows\SysWOW64"
)
)
// Allow GUP.exe from official updater path (fallback)
| where not(
FileName =~ "GUP.exe"
and FolderPath has_any (
@"C:\Program Files\Notepad++\updater",
@"C:\Program Files (x86)\Notepad++\updater"
)
)
| extend
DetectionType = "ShellExecute_Hijack",
CVE = "CVE-2026-48778";
// Correlation: XML write followed by suspicious spawn within 24h
let RecentXmlWrites = DeviceFileEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName in~ ("config.xml", "shortcuts.xml")
| where FolderPath has @"\AppData\Roaming\Notepad++"
| where InitiatingProcessFileName !in~ (
"notepad++.exe",
"explorer.exe",
"MsMpEng.exe"
)
| project
DeviceName,
AccountName = InitiatingProcessAccountUpn,
XmlWriteTime = Timestamp,
XmlFile = FileName,
WritingProcess = InitiatingProcessFileName,
WritingProcessCmdLine = InitiatingProcessCommandLine;
let PostWriteExecution = DeviceProcessEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "notepad++.exe"
| where FileName !in~ (
"notepad++.exe",
"GUP.exe",
"explorer.exe",
"msedgewebview2.exe",
"chrome.exe",
"msedge.exe",
"firefox.exe"
)
| project
DeviceName,
AccountName = InitiatingProcessAccountUpn,
SpawnTime = Timestamp,
FileName = FileName,
FolderPath = FolderPath,
ProcessCommandLine = ProcessCommandLine;
let XmlWriteCorrelation = PostWriteExecution
| join kind=inner RecentXmlWrites on DeviceName, AccountName
| where SpawnTime > XmlWriteTime
| where SpawnTime < XmlWriteTime + 24h
| project
Timestamp = SpawnTime,
DeviceName,
AccountName,
FileName,
FolderPath,
ProcessCommandLine,
InitiatingProcessFileName = "notepad++.exe",
InitiatingProcessCommandLine = strcat("Triggered after XML modification in: ", XmlFile),
DetectionType = "XML_Write_Then_Spawn_Correlation",
CVE = iff(XmlFile =~ "config.xml", "CVE-2026-48778", "CVE-2026-48800");
union
XmlConfigWrite,
SuspiciousShellExecute,
XmlWriteCorrelation
'''About this query
Explanation
This KQL query is designed to detect potential security threats related to two specific vulnerabilities (CVE-2026-48778 and CVE-2026-48800) in Notepad++. Here's a simplified breakdown of what the query does:
-
Identify Vulnerable Devices: It first identifies Windows devices that have an outdated version of Notepad++ (older than version 8.9.6.1), which are potentially vulnerable to these exploits.
-
Monitor Configuration File Changes: The query looks for any changes (creation or modification) to Notepad++ configuration files (
config.xmlandshortcuts.xml) within the last 7 days. It flags these changes as suspicious if they are made by processes other than Notepad++, Windows Explorer, or antivirus software. -
Detect Suspicious Process Executions: It checks for unusual processes being started by Notepad++. Specifically, it flags shell processes (like
cmd.exeorpowershell.exe) that are not running from standard system directories, as well as any other unexpected processes. -
Correlate Events: The query correlates the above events by checking if a suspicious process execution occurs within 24 hours after a configuration file change. This helps identify if a configuration change is followed by potentially malicious activity.
-
Output: The results are combined to provide a comprehensive view of potential exploitation attempts, categorized by the type of detection (configuration file change, suspicious process execution, or correlated events).
Overall, this query helps security teams detect and respond to potential exploitation attempts of specific vulnerabilities in Notepad++ by monitoring configuration changes and process activities.
