NSSM 2.24 Privilege Escalation

An attacker gains low-level interactive access to the target system (e.g., through a compromised user account, phishing, or a remote access trojan).

Several CVEs have been issued related to privilege escalation through NSSM, primarily stemming from incorrect permission settings on the nssm.exe binary. The most critical of these is detailed below.

The most effective fix is ensuring standard users cannot write to service directories. Restrict write access to Administrators and SYSTEM only.

The attacker enumerates installed services and identifies any running with NSSM, particularly those executing under high-privilege accounts (LocalSystem).

NSSM (Non-Sucking Service Manager) is a service manager for Windows that provides a more reliable and efficient way to manage services compared to the built-in Windows Service Manager. It is commonly used in production environments due to its flexibility and configurability. However, like any complex software, NSSM is not immune to security vulnerabilities. This review focuses on a privilege escalation vulnerability identified in NSSM version 2.24.

A conceptual exploitation flow proceeds as follows:

Or via registry (if direct sc fails):


The most significant risk with NSSM 2.24 is the unquoted service path vulnerability. This occurs when the path to the nssm.exe binary or the application it manages contains spaces and is not enclosed in quotation marks.

Attackers frequently target NSSM for several strategic reasons:

sc config <service_name> binPath= "C:\temp\malware.exe"

A key issue with NSSM 2.24 is its reliance on configuration files (often stored in the registry) and the potential for misconfigured permissions on the service wrapper itself. While NSSM is designed to handle services, it doesn't automatically secure the paths of the applications it launches.

If a service path is C:\Program Files\Service\nssm.exe, Windows will attempt to execute files in this order:

1. C:\Program.exe
2. C:\Program Files\Service.exe
3. C:\Program Files\Service\nssm.exe
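One way to audit a host for the two conditions described on this page, an unquoted service path containing spaces and a service directory writable by standard users. This is an added example, not code from NSSM or from the original page. It assumes that a service is NSSM-wrapped when its PathName contains "nssm", and that the listed well-known SIDs stand in for "standard users"; it only reports and changes nothing.

```powershell
# Audit: report NSSM-wrapped services whose path is unquoted and contains spaces,
# or whose binary directory grants write access to broad (non-admin) groups.
# Assumption: a service counts as NSSM-wrapped if its PathName contains "nssm".

# Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Bits that allow creating or appending files; Modify and FullControl include both.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'nssm' } |
    ForEach-Object {
        $svc    = $_
        $raw    = $svc.PathName.Trim()
        $quoted = $raw.StartsWith('"')

        # Executable = text inside the first pair of quotes, else up to the first ".exe".
        if ($quoted -and $raw -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($raw -match '^(.+?\.exe)')        { $exe = $Matches[1] }
        else                                      { $exe = $raw }

        # Collect Allow ACEs (explicit and inherited) that give broad groups write access.
        $dir     = Split-Path -Path $exe -Parent
        $writers = @()
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            $writers = @((Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $broadSids -contains $_.IdentityReference.Value -and
                    ($_.FileSystemRights -band $writeMask) -ne 0
                } | ForEach-Object { $_.IdentityReference.Value })
        }

        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName
            PathName       = $raw
            UnquotedSpaces = (-not $quoted) -and ($exe -match '\s')
            BroadWriters   = ($writers | Select-Object -Unique) -join ','
        }
    } |
    Where-Object { $_.UnquotedSpaces -or $_.BroadWriters }
```

An empty result means no NSSM-wrapped service matched either condition. The check covers the directory holding the service binary only, not the application NSSM launches.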

CVE-2016-20033 Detail - NVD