PoC Released for Windows Notepad Vulnerability that Enables Malicious Command Execution
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft has patched a high-severity remote code execution (RCE) vulnerability in the modern Windows Notepad application, tracked as CVE-2026-20841<\/a>, as part of its February 2026 Patch Tuesday release cycle<\/a>.<\/p>\n The flaw, rooted in command injection, was originally discovered by Cristian Papa and Alasdair Gorniak of Delta Obscura and subsequently analyzed in depth by Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team.<\/p>\n Successful exploitation allows an attacker to execute arbitrary commands in the security context of the victim\u2019s account, simply by tricking the user into opening a specially crafted Markdown file and clicking a malicious hyperlink.<\/p>\n The modern Windows Notepad distributed via the Microsoft Store and distinct from the legacy The vulnerable function, That filtering merely strips leading and trailing backslash and forward-slash characters and fails to block malicious protocol URIs such as Because According to the Zero Day Initiative write-up<\/a>, exploiting this vulnerability involves an attacker delivering a weaponized file to the victim through email, a download link, or social engineering tactics.<\/p>\n The attacker must then persuade the victim to open the file in Notepad and press Ctrl + click on the embedded malicious link.<\/p>\n Although .md Files are not associated with Notepad by default. Users who manually open them trigger Markdown rendering, making the vulnerability exploitable. A public proof-of-concept has already been posted on GitHub<\/a>.<\/p>\n The vulnerability affects Notepad versions 11.2508 and earlier; the fix is delivered via the Microsoft Store in build 11.2510 and later. Legacy Microsoft lists no available workarounds and designates user interaction as a prerequisite to exploitation. Organizations should ensure that automatic<\/p>\n Microsoft Store updates are enabled and enforce version compliance across managed endpoints to confirm full remediation.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post PoC Released for Windows Notepad Vulnerability that Enables Malicious Command Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNotepad.exe<\/code> bundled with Windows \u2014 supports Markdown rendering for files with the .md<\/code> extension. When a Markdown file is opened, Notepad tokenizes its contents and renders links interactively.<\/p>\nsub_140170F60()<\/code>, handles click events on these links and passes the link value to the Windows API call ShellExecuteExW()<\/code> after applying only minimal filtering.<\/p>\nfile:\/\/<\/code> and ms-appinstaller:\/\/<\/code>, which can be leveraged to load and execute remote or local attacker-controlled files without triggering standard Windows security warnings.<\/p>\nShellExecuteExW()<\/code> invokes configured system protocol handlers, the attack surface may extend to additional protocols depending on the target system\u2019s configuration.<\/p>\nAttack Vector and Patch Details<\/strong><\/h2>\n
Notepad.exe<\/code> is not impacted.<\/p>\n