
NSSM 2.24 Privilege Escalation [upd] May 2026

NSSM (Non-Sucking Service Manager) does not have a single, direct CVE for a "built-in" privilege escalation flaw, but it is frequently used by attackers and identified in vulnerabilities where its misconfiguration or improper installation by third-party software allows for local privilege escalation (LPE).

The most common ways privilege escalation occurs involving NSSM 2.24 include:

1. Insecure File Permissions

This is the most frequent exploitation path. Many installers deploy NSSM 2.24 with weak Access Control Lists (ACLs), such as granting the "Everyone" group "Full Control" or "Modify" rights to the folder where nssm.exe is located.

The Attack: A low-privileged user replaces the legitimate nssm.exe or the binary it launches with a malicious executable. When the service restarts (or the system reboots), the malicious code runs with SYSTEM privileges.

Notable Examples

IBM Robotic Process Automation: Vulnerable to LPE because standard users could substitute the service binary.

Apache CouchDB: Vulnerable because files inherited parent directory permissions, allowing non-privileged users to swap the service launcher.

Wowza Streaming Engine: Allowed authenticated users to replace nssm_x64.exe to gain LocalSystem rights.

2. Unquoted Service Path Vulnerability

If NSSM is installed in a path containing spaces (e.g., C:\Program Files\App\nssm.exe) and the service's registry entry is not enclosed in double quotes, it is vulnerable to "Unquoted Service Path" exploitation.

The Attack: Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe before reaching the intended file. An attacker can place a malicious Program.exe at the root of the drive to hijack the service execution.

3. Exploitation in Ransomware Campaigns

NSSM (Non-Sucking Service Manager) version 2.24 is susceptible to a privilege escalation vulnerability specifically related to its service configuration and the lack of quote marks in service binary paths.

While "Write" is not a specific named feature within the tool itself, the vulnerability typically involves an attacker gaining write access to a directory where a service is installed or leveraging weak permissions on the NSSM executable itself to redirect service execution to a malicious payload.

Privilege Escalation Mechanism

The primary method for escalating privileges via NSSM 2.24 involves unquoted service paths. If an administrator installs a service using NSSM and the path to the executable contains spaces but no quotation marks (e.g., C:\Program Files\Service Name\nssm.exe), Windows will search for and attempt to execute files in the following order:

  1. C:\Program.exe
  2. C:\Program Files\Service.exe
  3. C:\Program Files\Service Name\nssm.exe

If a low-privileged user has write permissions to C:\, they can place a malicious Program.exe there. When the system restarts or the service is triggered, it will run the malicious file with SYSTEM privileges.

Vulnerability Breakdown

Arbitrary File Write/Overwrite: Attackers look for instances where NSSM has been configured with weak file permissions. If a user can overwrite nssm.exe or its configuration in the Registry (located at HKLM\System\CurrentControlSet\Services\<ServiceName>\Parameters), they can point the service to a malicious script.

Registry Modification: NSSM stores its service parameters in the Registry. If the permissions on these Registry keys are too loose, a user can modify the AppParameters or Application string to execute a different command when the service starts.

Version Specifics: Version 2.24 is the most widely cited version in security advisories because it was the stable release for a long period during which these configuration-based exploits were popularized in penetration testing frameworks.

Mitigation Strategies

To prevent privilege escalation when using NSSM, you should follow these security best practices:

Quote Service Paths: Always ensure the path to nssm.exe and the application it manages are enclosed in double quotes within the service configuration.

Restrict Permissions: Ensure that only administrators have "Write" or "Modify" permissions on the directory where nssm.exe is located and the Registry keys associated with the service.

Update to Latest: While NSSM development is infrequent, ensure you are using the most stable version and auditing the service creation process for common Windows misconfigurations.
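The quoting check and the search order described above can be run offline over exported service records. The Python below is an added example, not code from the original page or from the NSSM project; the record layout and SAMPLE values are constructed, ImagePath is the registry value holding a service's command line, and Application is the NSSM parameter named earlier.

```python
import ntpath
import re

def split_image_path(image_path):
    """Return (executable, quoted) for a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    # Unquoted: the executable ends at the first ".exe" followed by a space or end.
    m = re.match(r"(.+?\.exe)(?=\s|$)", value, re.IGNORECASE)
    return (m.group(1) if m else value), False

def earlier_candidates(image_path):
    """Paths Windows tries before the intended binary when the value is unquoted."""
    exe, quoted = split_image_path(image_path)
    if quoted:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """Report NSSM-launched services, earlier candidates, and folders to ACL-check."""
    findings = []
    for svc in services:
        exe, _ = split_image_path(svc["ImagePath"])
        if not ntpath.basename(exe).lower().startswith("nssm"):
            continue  # not launched through nssm.exe / nssm_x64.exe
        target = svc.get("Application", exe)  # binary NSSM starts (Parameters key)
        findings.append({
            "service": svc["Name"],
            "candidates": earlier_candidates(svc["ImagePath"]),
            "acl_folders": sorted({ntpath.dirname(exe), ntpath.dirname(target)}),
        })
    return findings

# Constructed records, shaped like an export of HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE = [
    {"Name": "AppSvc", "ImagePath": r"C:\Program Files\Service Name\nssm.exe",
     "Application": r"C:\Apps\worker\worker.exe"},
    {"Name": "QuotedSvc", "ImagePath": r'"C:\Program Files\App\nssm.exe"',
     "Application": r"C:\Program Files\App\app.exe"},
    {"Name": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A non-empty candidates list means the ImagePath needs quoting; every folder in acl_folders should be writable by administrators only.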


Title: From Service Manager to SYSTEM: Abusing NSSM 2.24 for Privilege Escalation

Date: [Insert Date] Tags: #Windows #PrivilegeEscalation #NSSM #InfoSec

What Makes NSSM 2.24 Different?

Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience—not security. Its core features that enable privilege escalation include:

  1. Insecure Default Permissions on Service Binaries – The service executables pointed to by NSSM often reside in user-writable locations.
  2. Weak ACLs on Service Configuration – NSSM stores its configuration in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters, but older versions fail to enforce strict permissions.
  3. No Binary Path Validation – NSSM does not verify the integrity or ownership of the target executable when starting or restarting a service.
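For the file-permission side of this list, the following added example (not part of the original page) parses the text output of icacls for the folder holding nssm.exe and reports broad groups with write-capable rights. The sample output is constructed, and the principal names assume an English-language Windows installation.

```python
import re

# Groups that include ordinary users (English names; an assumption of this example).
BROAD = {"everyone", r"builtin\users", r"nt authority\authenticated users",
         r"nt authority\interactive"}
INHERIT = {"I", "OI", "CI", "IO", "NP"}          # inheritance flags, not rights
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD",
         "WEA", "WA", "DE", "DC", "WDAC", "WO"}  # rights that allow modification
ACE = re.compile(r"^(?P<who>[^:]+):(?P<body>(?:\([^)]+\))+)$")

def weak_aces(path, icacls_text):
    """Return [(principal, write rights)] for broad groups that can modify `path`."""
    hits = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed with the path
        m = ACE.match(line)
        if not m:
            continue                          # blank line or the summary line
        groups = re.findall(r"\(([^)]+)\)", m["body"])
        if "DENY" in groups:
            continue                          # deny entries grant nothing
        rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
        if m["who"].lower() in BROAD and rights & WRITE:
            hits.append((m["who"], sorted(rights & WRITE)))
    return hits

# Constructed icacls output for a folder deployed with weak ACLs.
SAMPLE = r"""C:\Apps\nssm Everyone:(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in weak_aces(r"C:\Apps\nssm", SAMPLE):
        print(f"{who} can modify the folder: {', '.join(rights)}")
```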

Conclusion

NSSM 2.24 privilege escalation is not a classic buffer overflow or race condition—it is a design weakness amplified by common misconfigurations. Attackers love it because it turns a low-privilege foothold into full SYSTEM access with minimal noise.

The key takeaway: Audit your services today. Run accesschk.exe -c * | findstr "NSSM" across your Windows fleet. If you find NSSM 2.24, assume it is a potential backdoor. Harden it, replace it, or risk becoming the next case study in a privilege escalation report.


Conclusion

NSSM is convenient but dangerous if misconfigured. Always assume that a service running as SYSTEM with writable configuration is a local privilege escalation vector. Audit your endpoints, and don’t let convenience override security.


Disclaimer: This post is for educational and defensive purposes only. Unauthorized access to systems is illegal.
