Nssm-2.24 Privilege Escalation 'link' 🔔

Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards:

The malicious Program.exe runs with elevated SYSTEM privileges. 2. Service Path Interception (Weak Permissions)

Open regedit and navigate to HKLM\SYSTEM\CurrentControlSet\Services\ .

When administrators want a standard script, Java application, or Node.js program to run continuously in the background on startup, they often turn to NSSM. nssm-2.24 privilege escalation

This allows an unprivileged user to:

– Configure NSSM services to run as a managed service account (gMSA) instead of LOCAL SYSTEM.

nssm version

Implementing a robust Endpoint Detection and Response (EDR) solution can block the execution of untrusted binaries from replacing nssm.exe .

Historically, multiple notable CVEs (such as CVE-2016-8742 in Apache CouchDB and CVE-2025-41686 in Phoenix Contact Device and Update Management ) have been registered because wrappers around NSSM failed to restrict system modifications. Primary Vectors for NSSM-Based Privilege Escalation

If the BINARY_PATH_NAME points to an NSSM executable (e.g., C:\nssm-2.24\win32\nssm.exe ), the service is a candidate. Later versions of NSSM (2

This article explores the technical details of the NSSM 2.24 privilege escalation, how it is exploited, and, more importantly, how to secure systems against it. What is the NSSM 2.24 Privilege Escalation?

sc config vuln_svc binPath= "C:\evil\shell.exe" sc stop vuln_svc sc start vuln_svc