NSSM 2.24 Privilege Escalation
Privilege escalation typically occurs not because of a bug in NSSM, but because of misconfigurations in the services it creates. In many cases, these misconfigurations allow a low-privileged user to gain SYSTEM or Administrator access.
1. Unquoted Service Paths
If the permissions on the folder where nssm.exe or its managed application resides are weak (e.g., BUILTIN\Users has Modify or Write permissions), an attacker can replace the legitimate binary with a malicious one. Since NSSM is designed to restart services if they crash, an attacker can simply kill the process and wait for NSSM to restart their malicious version.
3. Known Bugs in v2.24
In a locked-down environment, the user cannot start the service themselves. However, an attacker can simply wait for the server to reboot (or trigger a crash/reboot via another vector), at which point the service starts automatically.
: Exploiting the weak permissions, the attacker overwrites the legitimate nssm.exe binary with a malicious executable of their choosing. This is the critical step: the permissions flaw allows file modification without requiring administrative privileges.
: Vulnerable to LPE because standard users could substitute the service binary.
Apache CouchDB
NSSM (Non-Sucking Service Manager) version 2.24 is a popular open-source utility for running executables as Windows services. While the tool itself is generally considered legitimate, version 2.24 has been linked to various local privilege escalation (LPE) vulnerabilities, often due to how it is integrated by third-party installers rather than a fundamental flaw in its own binary.
Key Privilege Escalation Vectors
to scan for unquoted service paths.
If the registry keys governing the NSSM service have weak permissions, a low-privileged attacker can use tools like regedit or PowerShell to modify the Application string.
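The conditions described on this page (weak file or folder permissions, unquoted service paths, and a writable Application registry value) can be checked with a read-only audit. The script below is an added example, not code from the NSSM project or from the original page; it assumes the wrapper binary is still named nssm.exe, and the function name `Get-WeakAce` and the list of "broad" groups are choices made for this illustration.

```powershell
# Added example: read-only audit of NSSM-managed services. Run from an elevated prompt.
# Assumption: the service wrapper is still named nssm.exe (renamed copies are not detected).
# Well-known SIDs: Everyone, Authenticated Users, Interactive, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
$generic   = 0x50000000   # GENERIC_WRITE | GENERIC_ALL bits, which can appear raw in ACEs
$fileWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor $generic
$regWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor $generic

function Get-WeakAce {
    # Returns every Allow ACE on $Path that grants a broad group any right in $WriteMask.
    param([string]$Path, [int]$WriteMask)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check also works on localized Windows installs.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if ($broadSids -contains $sid -and ([int]$rights -band $WriteMask)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $rights }
        }
    }
}

foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $image = [string]$svc.GetValue('ImagePath')
    if ($image -notmatch '^\s*"?(.+?\\nssm\.exe)') { continue }   # not an NSSM service
    $nssm     = $Matches[1]
    $paramKey = "$($svc.PSPath)\Parameters"
    $app      = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).Application

    # Unquoted ImagePath containing whitespace.
    if ($image -notmatch '^\s*"' -and $nssm -match '\s') {
        [pscustomobject]@{ Service = $svc.PSChildName; Finding = 'Unquoted ImagePath with spaces'; Detail = $image }
    }
    # nssm.exe, the managed application, and their folders.
    $targets = @($nssm, (Split-Path $nssm -Parent))
    if ($app) { $targets += $app, (Split-Path $app -Parent) }
    $weak = @($targets | Select-Object -Unique | ForEach-Object { Get-WeakAce $_ $fileWrite }) +
            @(Get-WeakAce $paramKey $regWrite)   # key holding the Application string
    foreach ($w in $weak) {
        [pscustomobject]@{ Service = $svc.PSChildName; Finding = "Writable by $($w.Identity)"; Detail = "$($w.Path) [$($w.Rights)]" }
    }
}
```

An empty result means none of the checked ACLs grant write-type rights to the listed groups; it does not cover rights granted to other principals a low-privileged user may belong to.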
While "Write" is not a specific named feature within the tool itself, the vulnerability typically involves an attacker gaining write access to a directory where a service is installed or leveraging weak permissions on the NSSM executable itself to redirect service execution to a malicious payload.
Privilege Escalation Mechanism
Summary
If you are running NSSM, understanding how an attacker can move from a low-privilege user to SYSTEM is critical for securing your infrastructure.
What is NSSM?
Published: For educational and defensive security purposes. Always obtain permission before testing on any system you do not own.
Organizations must take immediate action to identify instances of NSSM 2.24 across their environments, apply available patches or mitigations, and implement robust monitoring for binary replacement attacks. The discovery of vulnerabilities like CVE-2025-41686, CVE-2016-8742, and CVE-2016-20033 demonstrates that even widely trusted administrative tools can introduce critical security risks when misconfigured.