NSSM 2.24 Privilege Escalation (Updated)

NSSM version 2.24 is a popular Windows tool used to run applications as services. Although NSSM 2.24 has been a standard release for years, recent security advisories in 2024 and 2025 have highlighted critical privilege escalation risks when it is bundled with other software.

Review of NSSM 2.24 Privilege Escalation Risks

If the directory containing the target executable (or the nssm.exe binary itself) has weak Access Control Lists (ACLs), a low-privileged user can modify or replace the binary. If they lack service control permissions, they may simply wait for a system reboot, or trigger an intentional crash if the service is configured to auto-restart. Upon restart, NSSM executes exploit.exe with the privileges assigned to the service (usually SYSTEM).

Weak registry permissions: NSSM stores its configuration parameters under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters. If low-privilege users have write permissions to this registry key, they can modify the Application, AppDirectory, or AppParameters values to point to a malicious executable. An attacker changes the Application string value in the registry to point to a malicious payload (e.g., cmd.exe or a reverse shell). When the service cycles, the payload runs as SYSTEM.

3. Unquoted Service Paths

The attacker does not need to trick a user into clicking anything or running a suspicious file. The privilege escalation occurs automatically when the service next starts, whether through a crash, a manual restart, or a system reboot.

Defensive Strategies and Remediation

Install services into C:\Program Files\ or C:\Program Files (x86)\.

Restrict change config to administrators only:
sc sdset VulnService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"

The following is an attack simulation for authorized penetration testers and blue teams.

To check for weak registry permissions on the NSSM service parameters:

Alternatively, searching the registry for NSSM installations:
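As an added audit example (not from the original page and not NSSM's own tooling), the following PowerShell enumerates NSSM-wrapped services and reports the three weaknesses discussed above: writable Parameters keys, writable executable directories, and unquoted ImagePath values. It assumes it is run elevated on the host under review; all function names are this example's own.

```powershell
# Added defensive audit (not NSSM's own tooling). Assumes it is run elevated on the host
# under review; it only reads ACLs and registry values and changes nothing.
$LowPriv   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$RegWrite  = 'SetValue|CreateSubKey|WriteKey|FullControl|ChangePermissions|TakeOwnership'
$FileWrite = 'Write|Modify|FullControl|ChangePermissions|TakeOwnership'

# Returns a description of the first Allow ACE that grants a low-privileged principal
# any of the rights in $Pattern, or $null when the ACL looks sane.
function Test-WeakAcl {
    param($Rules, [string]$Pattern)
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $r.IdentityReference.Value) { continue }
        $rights = if ($r.PSObject.Properties['RegistryRights']) { $r.RegistryRights } else { $r.FileSystemRights }
        if ("$rights" -match $Pattern) { return "$($r.IdentityReference) has $rights" }
    }
    return $null
}

# Extract the executable path from an ImagePath value, whether quoted or not.
function Get-ImageExe([string]$ImagePath) {
    if ($ImagePath -match '^"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^(.*?\.exe)') { return $Matches[1] }
    return $ImagePath
}

function Find-WeakNssmService {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $image = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -notmatch 'nssm') { return }     # only NSSM-wrapped services
        $paramsKey = Join-Path $_.PSPath 'Parameters'
        $params = Get-ItemProperty $paramsKey -ErrorAction SilentlyContinue
        $finding = [ordered]@{ Service = $_.PSChildName; ImagePath = $image; Application = $params.Application }
        # 1. Weak registry ACL: can low-privileged users rewrite Application/AppDirectory/AppParameters?
        $finding.WeakParametersKey = if ($params) { Test-WeakAcl (Get-Acl $paramsKey).Access $RegWrite }
        # 2. Weak file system ACL on the wrapped executable's directory or on nssm.exe's directory
        foreach ($exe in @($params.Application, (Get-ImageExe $image))) {
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $dir = Split-Path $exe -Parent
                $finding["WeakDir:$dir"] = Test-WeakAcl (Get-Acl -LiteralPath $dir).Access $FileWrite
            }
        }
        # 3. Unquoted service path containing spaces
        $finding.UnquotedPath = ($image -notmatch '^"' -and $image -match ' ')
        [pscustomobject]$finding
    }
}

Find-WeakNssmService | Format-List
```

Any non-null WeakParametersKey or WeakDir entry, or UnquotedPath set to True, is a service to fix with the remediation steps above (move it under Program Files and tighten its ACLs and service security descriptor).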