The Non-Sucking Service Manager (NSSM) version 2.24 has been identified as a vector for local privilege escalation (LPE) in several recent security advisories, typically because third-party installers ship the binary with improper file system permissions.

The "Create a Feature" Exploit Mechanism

In the context of privilege escalation, "creating a feature" refers to an attacker abusing the core functionality of NSSM, its ability to install and manage Windows services, to execute malicious code with higher-level permissions (e.g., NT AUTHORITY\SYSTEM). Key exploit methods include:

Binary Replacement (Service Sideloading): If the directory containing nssm.exe, or the service executable it wraps, has weak permissions (e.g., "Everyone" has "Full Control"), an attacker can replace the legitimate binary with a malicious one. When the service restarts, the malicious code runs as a privileged service.
Service Configuration Hijacking: Using the command nssm install, an attacker with sufficient local rights can redirect a service to execute their own scripts or payloads instead of the intended application.
Interactive Shell Creation: A common technique involves setting the service type to SERVICE_INTERACTIVE_PROCESS with nssm set, which can potentially allow an attacker to interact with a system-level desktop.
Vulnerability Chaining: Advanced attackers, such as the Akira ransomware group, use NSSM 2.24 to create persistent malicious services named "sysmon" or "edge.exe" to launch tunneling tools for remote access.

Recent Vulnerability: CVE-2025-41686

A critical flaw (CVE-2025-41686) was discovered in 2025 affecting various products that bundle NSSM. It allows low-privileged local attackers to exploit improper permissions to gain full administrative access by manipulating the file and executing malicious commands.

Recommended Mitigation:

Ensure that the NSSM binary and the directories it resides in are protected by strict Access Control Lists (ACLs), allowing only administrators write access.
Update any software bundling NSSM to the latest versions (e.g., Phoenix Contact DaUM version or later).
Monitor for unusual service creation events (Event ID 7045) or changes to service configurations.
Exploiting the "Non-Sucking Service Manager": A Look at NSSM-Based Privilege Escalation

Non-Sucking Service Manager (NSSM) is a beloved tool in the Windows administration world for its simplicity in turning any executable into a background service. However, recent disclosures have highlighted how improper deployment of NSSM can become a high-speed lane for Local Privilege Escalation (LPE). If you are managing Windows environments, here is the updated breakdown of how these vulnerabilities work and how to lock them down.

1. The Core Vulnerability: Weak File Permissions

The most common way NSSM is abused isn't through a bug in the code itself, but through improper file permissions during installation.

The Weakness: Installers for various software packages (like Phoenix Contact or Wowza Streaming Engine) sometimes place the NSSM binary in directories where the "Everyone" or "Authenticated Users" group has "Write" or "Full Control" permissions.
The Exploit: A low-privileged user can simply rename the original binary and replace it with a malicious binary (e.g., a reverse shell) under the original file name.
The Escalation: When the system reboots or the service restarts, the Windows Service Control Manager executes the malicious file with Administrator privileges.

2. Unquoted Service Paths

Another classic attack vector involves how NSSM is registered in the Windows registry.

The Weakness: If a service path containing spaces is not enclosed in quotation marks (e.g., C:\Program Files\My Service\nssm.exe), Windows may attempt to execute files at each space-delimited break.
The Exploit: An attacker with write access to the root directory could place a malicious file at C:\Program.exe. When the service tries to start, Windows may execute C:\Program.exe instead of the intended file deep in the Program Files directory.

3. Persistence via NSSM

Beyond escalation, threat actors frequently use NSSM for persistence. Because it is a legitimate, signed tool, it often bypasses basic security filters. Attackers use it to ensure their backdoors or coinminers (like XMRig) stay running even if the process crashes or the system reboots.

Recent Notable CVEs

CVE             Affected Product         Description
CVE-2025-41686  Phoenix Contact DAUM     Low-privileged local users gain admin access via improper permissions.
CVE-2016-20033  Wowza Streaming Engine   (Updated 2026) Verified exploitation via "Everyone" group full access to service binaries.
CVE-2016-8742   Apache CouchDB           Local users could substitute files due to inherited parent directory permissions.

How to Defend Your Systems

To prevent your service manager from becoming a security liability, follow these best practices:
While "NSSM224" is not an official CVE identifier, it likely refers to updated exploit techniques for the Non-Sucking Service Manager (NSSM), a popular tool for running applications as Windows services. NSSM is often targeted for Local Privilege Escalation (LPE) due to its ability to run binaries with SYSTEM privileges, especially if the service configuration or the binaries it points to have insecure permissions.

Overview of NSSM Privilege Escalation
Privilege escalation via NSSM typically occurs when an attacker gains low-privilege access to a machine and identifies a service managed by NSSM that is misconfigured.
Insecure File Permissions: If the binary file executed by NSSM is located in a directory where a low-privileged user has "Write" or "Modify" permissions, the attacker can replace the legitimate binary with a malicious one (e.g., a reverse shell). When the service restarts, it executes the malicious binary with SYSTEM privileges.
Unquoted Service Paths: If the path to the NSSM executable contains spaces and is not enclosed in quotes, Windows may attempt to execute files at intercept points (e.g., C:\Program.exe instead of C:\Program Files\nssm.exe).
Registry Weakness: NSSM stores service parameters in the Windows Registry. If a user has "Full Control" or "Set Value" permissions over the registry keys under HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]\Parameters, they can change the AppDirectory or Application values to point to a malicious script.

Updated Exploit Techniques (2024–2026)
Recent write-ups and tools like WinPEAS have updated their checks to specifically flag NSSM-managed services for the following:
Service Binary Replacement: Attackers check the Application registry value to find the exact binary NSSM is calling. Security researchers from MDSec have documented similar "junction" and "symbolic link" attacks in Windows services to redirect file operations, which can be applied to NSSM's file logging features.

The "Updated" NSSM-224: What Has Changed

Log File Redirection: NSSM allows redirecting stdout and stderr to a file. If an attacker can manipulate these file paths to point to sensitive system files (like win.ini or system binaries), they may be able to corrupt or overwrite them to gain control.

Mitigation and Prevention

To secure NSSM against updated privilege escalation methods:
Restrict Registry Access: Ensure that only SYSTEM and Administrators have write access to HKLM\SYSTEM\CurrentControlSet\Services.
Secure Installation Directories: Always install NSSM and the applications it manages in C:\Program Files\ or other directories with strict Access Control Lists (ACLs).
Use Quoted Paths: Always ensure the "Path to executable" is properly quoted in the service configuration.
Monitor Service Restarts: Use EDR tools to monitor for unusual service restarts or changes to service parameters, which are often precursors to an exploit.
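The mitigation lists above (strict ACLs on the binary and its directories, quoted paths, locked-down Parameters keys) can be checked in one pass with the audit script below. It is an example added here, not code from the page or the NSSM project; it assumes Windows PowerShell 5.1 or later run from an elevated prompt on the audited host, and the rights mask and the list of low-privileged principals are my own choices.

```powershell
# Audit every service whose ImagePath references nssm and report the weaknesses the text describes:
# unquoted ImagePath with spaces, low-privileged write access to nssm.exe, to the wrapped Application,
# to their directories, and to the service's Parameters registry key.
# Added example; assumes Windows PowerShell 5.1+ in an elevated prompt.

# Rights that let a user replace or retarget a file or key (0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE).
$fsMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$regMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl, ChangePermissions, TakeOwnership'
# Principals every low-privileged local user belongs to (assumed list); an Allow ACE for one of these is a finding.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-LowPrivWrite {
    # Returns $true when an Allow ACE on $Path grants a $lowPriv principal any bit of $Mask.
    param([string]$Path, [int]$Mask)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # File ACEs expose FileSystemRights; registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (([int]$rights -band $Mask) -ne 0) { return $true }
    }
    return $false
}

foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }) {
    $img = $svc.PathName
    # Executable part of the ImagePath: the quoted token, or everything up to the first ".exe" when unquoted.
    $exe = if ($img -match '^"([^"]+)"') { $Matches[1] } elseif ($img -match '^(.*?\.exe)') { $Matches[1] } else { $img }
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).Application
    $findings = @()
    if ($img -notmatch '^"' -and $exe -match '\s') { $findings += 'unquoted ImagePath containing spaces' }
    if (Test-LowPrivWrite -Path $exe -Mask $fsMask) { $findings += 'nssm.exe writable by low-privileged users' }
    if (Test-LowPrivWrite -Path (Split-Path -Path $exe -Parent) -Mask $fsMask) { $findings += 'nssm.exe directory writable' }
    if (Test-LowPrivWrite -Path $app -Mask $fsMask) { $findings += 'wrapped Application writable' }
    if ($app -and (Test-LowPrivWrite -Path (Split-Path -Path $app -Parent) -Mask $fsMask)) { $findings += 'Application directory writable' }
    if (Test-LowPrivWrite -Path $paramKey -Mask $regMask) { $findings += 'Parameters registry key writable' }
    [pscustomobject]@{ Service = $svc.Name; ImagePath = $img; Application = $app; Findings = ($findings -join '; ') }
}
```

The directory checks cover only the folder holding each binary, not every intermediate directory such as C:\ that an unquoted path also exposes, so treat an "unquoted ImagePath" finding as needing a separate look at those parents.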
Recent research (late 2024 through mid-2025) has identified three updated variants of the NSSM-224 technique. These are not patches to NSSM but rather new ways to abuse it in modern Windows environments.
The second updated finding involves NSSM's Startup directory setting. By default, NSSM launches the service within the directory of the target executable. If the attacker can write to a parent directory, they can perform a DLL planting attack:

The wrapped application loads a DLL by name rather than by full path (e.g., via SetDllDirectory or an insecure LoadLibrary).
The attacker drops a DLL such as version.dll or winhttp.dll into the working directory.
This is updated because newer Windows defenses like Safe DLL Search Mode do not block this if the working directory is first in the search order.

Running sc sdshow <ServiceName> may reveal that BUILTIN\Users has SERVICE_CHANGE_CONFIG. With that right the service's binary path can be reconfigured and the service restarted:

    sc config <ServiceName> binPath= "C:\evil.exe"
    net stop <ServiceName> && net start <ServiceName>
title: NSSM Service ImagePath Tampering
status: experimental
description: Service installation (Security event 4697) whose binary path references nssm, performed by a domain or local user SID rather than a built-in account. Event 4697 is only written when the "Audit Security System Extension" subcategory is enabled.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'nssm'
        SubjectUserSid|startswith: 'S-1-5-21-'
    condition: selection
level: medium