Nssm224 Privilege Escalation Updated File

icacls "C:\path\to\nssm.exe"

The security community has recently updated and tracked two specific CVEs that expose NSSM 2.24 to privilege escalation.

If a low-privileged user has write access to the root of C:\, they can place a malicious executable named Program.exe there. The next time the service starts, Windows executes Program.exe instead of resolving the deeper NSSM directory.

Step-by-Step Attack Simulation

is abused isn't through a bug in the code itself, but through improper file permissions during installation.

While the is a well-known, older vulnerability, it remains a common misconfiguration in modern environments. By ensuring that all service paths are enclosed in quotes and enforcing strict file permissions on binary directories, administrators can completely negate this attack vector.

In cybersecurity and red teaming, the vector remains one of the most frequently targeted pathways for standard users to achieve NT AUTHORITY\SYSTEM privileges. This happens when weak permissions overlap with how Windows services operate.

The Non-Sucking Service Manager (NSSM) has long been a staple tool for Windows system administrators, celebrated for its ability to reliably run any application as a Windows service. However, recent security disclosures have raised significant alarms regarding its use in enterprise environments. As of 2026, two major vulnerabilities— and CVE-2025-41686 —have been linked to NSSM, specifically concerning its version 2.24 deployment across various integrated software packages.

For years, system administrators have relied on NSSM (Non-Sucking Service Manager) to run unstable or legacy batch scripts as robust Windows services. Its ability to monitor process health, restart crashed executables, and handle graceful shutdowns made it indispensable.

In environments using NSSM 2.24, attackers typically look for the following misconfigurations to escalate to SYSTEM privileges:

The "NSSM-224" privilege escalation pattern typically stems from one of three common Windows configuration flaws:

1. Insecure File Permissions (Weak Binaries)

To secure systems running NSSM 2.24, follow these updated best practices:

Always ensure the binary path in your service configuration is wrapped in quotation marks if it contains spaces. You can verify and fix unquoted service paths via PowerShell:

– The vulnerable service (e.g., Apache CouchDB, IBM Robotic Process Automation, DaUM) either stops unexpectedly, is stopped by the attacker, or the system reboots. When the service attempts to start again, Windows launches the malicious file with the service’s elevated privileges – typically SYSTEM or Administrator rights.


wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
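The same check as the wmic one-liner above, written as a read-only PowerShell audit that also reports the quoted form of each path and any broad write permissions on the binary's directory. This is an added example, not code from the original page or from the NSSM project; the helper name Get-QuotedImagePath is hypothetical, and the ACL filter assumes English group names.

```powershell
# Added example: audit only, nothing on the system is changed.
# Get-QuotedImagePath is a hypothetical helper name (not part of NSSM or Windows).
function Get-QuotedImagePath {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }                  # already quoted
    # Split into the executable (up to the first ".exe") and any arguments
    if ($p -match '^(?<exe>.+?\.exe)(?<args>(\s.*)?)$') {
        $exe, $rest = $Matches['exe'], $Matches['args']
        if ($exe.Contains(' ')) { return '"{0}"{1}' -f $exe, $rest }
    }
    return $null                                              # no space in the executable path
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
    if (-not $svc.PathName) { continue }
    $fixed = Get-QuotedImagePath -PathName $svc.PathName
    if (-not $fixed) { continue }

    # Directory that holds the service binary
    $exe = ($fixed -split '"')[1]
    $dir = Split-Path -Path $exe -Parent

    # Allow ACEs that let broad groups create or modify files there
    # (assumption: English names such as BUILTIN\Users, Authenticated Users, Everyone)
    $weak = @()
    if (Test-Path -LiteralPath $dir) {
        $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.FileSystemRights)" -match 'Write|Create|Append|Modify|FullControl' -and
            "$($_.IdentityReference)" -match 'Everyone|Users$'
        }
    }

    [pscustomobject]@{
        Service  = $svc.Name
        RunsAs   = $svc.StartName
        Current  = $svc.PathName
        Proposed = $fixed
        WeakAces = ($weak | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }
}
$findings | Format-List
```

Each Proposed value is the quoted string to store as the service's ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services\<service name>. The ACL column covers only the binary's own directory, so parent directories such as C:\ still need the icacls check.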

Privilege escalation via NSSM remains highly effective because it exploits operational oversight rather than deep flaws within the NSSM code itself. By securing directory permissions, properly quoting paths, restricting registry access, and employing continuous monitoring, system administrators can effectively neutralize the threat of NSSM-based local privilege escalation.