Privilege escalation using NSSM 2.24 typically stems from insecure file permissions or unquoted service paths, though it can also stem from improper configuration of the service it creates.

1. Unquoted Service Path Vulnerability
NSSM version 2.24 does not have inherent privilege escalation vulnerabilities in its code, but it frequently features in local privilege escalation scenarios because of misconfigurations such as insecure file permissions, unquoted service paths, or placement in writable folders. While often flagged by security tools, mitigation involves upgrading to the 2.25 pre-release, auditing permissions, and securing service paths. For specific bugs and fixes, refer to the NSSM Bug Tracker.
wmic service where "pathname like '%nssm%'" get name, pathname
If the nssm.exe binary itself is placed in a directory with weak permissions, a standard user can replace the NSSM executable with a backdoored version. When any service managed by that NSSM instance runs, the attacker's code executes.

Technical Analysis of the Threat
NSSM 2.24, when used to install a Windows service with default parameters, may create a service that allows a low-privileged, authenticated user to modify the service binary path or execute arbitrary commands as SYSTEM. This behavior constitutes a local privilege escalation vulnerability.
Controllable parameters or configuration files
Understanding the technical vulnerabilities is only half the battle. To truly appreciate the threat, it is essential to walk through the steps an attacker would take to exploit these flaws in a real-world environment.
To understand the full impact, it is useful to map the known vulnerabilities across different software implementations:
The issue is not a memory corruption bug but a misconfiguration.
NSSM operates as a wrapper. When you register a service using NSSM, Windows actually starts nssm.exe. NSSM in turn reads configuration parameters from the Windows Registry to determine which executable to launch, with what arguments, and how to redirect its I/O.
The risk is too high for any environment with multiple users or exposure to untrusted code. The convenience of NSSM does not outweigh the privilege escalation threat. Even if you "trust" your users, malware running as a user can rapidly abuse NSSM to gain SYSTEM.
An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:
If they lack service control permissions, they simply wait for a system administrator to reboot the server or for a scheduled task to trigger it. Once executed, the payload runs and the attacker's user account is added to the local Administrators group.

Remediation and Mitigation Strategies
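The following audit script is an added example, not code from this page or from the NSSM project. It enumerates services whose ImagePath references nssm.exe, flags unquoted paths containing spaces, and checks whether Everyone, Authenticated Users, or BUILTIN\Users hold write or delete rights on nssm.exe, on its directory, and on the wrapped program NSSM records under the service's Parameters\Application registry value (the NSSM registry layout and the well-known SIDs are assumptions stated in the comments).

```powershell
# Added defensive audit script; not code from the page or from the NSSM project.
# Assumes NSSM's registry layout: the wrapped program is stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\Application.
# Mask: WriteData, AppendData, Delete, WriteDAC, TakeOwnership, GENERIC_ALL, GENERIC_WRITE
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users

function Test-BroadWrite {
    # Returns $true when a low-privileged group holds write/delete rights on $Path.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SIDs are skipped
        if (($broadSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-NssmServiceFindings {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -notmatch 'nssm\.exe') { continue }
        $findings = @()
        # Unquoted path with spaces: the service loader tries each space-delimited prefix as an executable.
        if ($image -notmatch '^\s*"' -and $image -match '\s') { $findings += 'unquoted ImagePath containing spaces' }
        $nssmExe = [regex]::Match($image, '^\s*"?(.*?nssm\.exe)', 'IgnoreCase').Groups[1].Value
        foreach ($p in @($nssmExe, (Split-Path -Path $nssmExe -Parent))) {
            if (Test-BroadWrite $p) { $findings += "broad write access on $p" }
        }
        $app = (Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).Application
        foreach ($p in @($app, (Split-Path -Path $app -Parent -ErrorAction SilentlyContinue))) {
            if (Test-BroadWrite $p) { $findings += "broad write access on wrapped application path $p" }
        }
        [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $image; Application = $app; Findings = $findings }
    }
}

# Report only NSSM-managed services that have at least one finding.
Get-NssmServiceFindings | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

Run it from an elevated PowerShell session so every service key and ACL is readable; a service with no findings is omitted from the report.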