NSSM 2.24 Privilege Escalation

Verify that low-privileged accounts cannot modify the registry keys associated with Windows services.

NSSM 2.24 itself creates a service. If the binary file of the application that NSSM is managing has weak permissions (e.g., Users: Modify or Users: Full Control), a non-privileged user can replace the application executable with a payload. For example: NSSM is configured to run C:\Service\App.exe. The directory C:\Service\ is writable by standard users. The user replaces App.exe with a malicious executable.

Use sc qc [ServiceName] to check for unquoted paths or insecure binary locations.

If the folder containing nssm.exe or its target application allows "Write" or "Modify" permissions for standard user groups (such as Authenticated Users or Everyone), the system is vulnerable.

Implementing a robust Endpoint Detection and Response (EDR) solution can block the execution of untrusted binaries that replace nssm.exe.

NSSM is a highly popular, open-source utility designed to run ordinary executables as background Windows services. While highly efficient, deploying nssm.exe v2.24 within corporate software installers introduces structural local privilege escalation (LPE) risks if the deployment is misconfigured.

NSSM (Non-Sucking Service Manager) version 2.24 is a popular open-source utility for running executables as Windows services. While the tool itself is generally considered legitimate, version 2.24 has been linked to various local privilege escalation (LPE) vulnerabilities, often due to how it is integrated by third-party installers rather than a fundamental flaw in its own binary.

Deep Dive: Understanding and Exploiting NSSM 2.24 Local Privilege Escalation

NSSM 2.24 does not enforce a restrictive DACL (Discretionary Access Control List) on created services. Instead, it relies on Windows defaults, which may allow SERVICE_CHANGE_CONFIG to non-admin users when the service is created during an administrative session but without explicit security hardening.
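One way to audit for the service DACL condition described above, as an added example (not code from the original page or from the NSSM project): it parses the SDDL string printed by `sc sdshow [ServiceName]` and reports Allow ACEs that give a low-privileged trustee SERVICE_CHANGE_CONFIG or a right that leads to it. The sample SDDL strings are constructed, and the set of trustees treated as low-privileged is an assumption to adjust for your environment.

```python
import re

# SDDL right tokens (as applied to service objects) that allow reconfiguration.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
             "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights when the ACE carries a hexadecimal access mask instead.
DANGEROUS_BITS = {0x0002: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC",
                  0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
                  0x40000000: "GENERIC_WRITE"}
# Assumption: trustees considered low-privileged (SDDL alias or raw SID).
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
            "IU": "Interactive", "S-1-5-4": "Interactive"}

def risky_aces(sddl):
    """Return [(trustee, [rights])] for Allow ACEs in the DACL that let a
    low-privileged trustee change the service configuration."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl.strip(), re.S)  # skip the SACL
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        f = ace.split(";")
        if len(f) < 6 or f[0] != "A" or f[5] not in LOW_PRIV:
            continue  # only Allow ACEs for low-privileged trustees matter here
        rights = f[2]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            hits = [name for bit, name in DANGEROUS_BITS.items() if mask & bit]
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            hits = [DANGEROUS[t] for t in tokens if t in DANGEROUS]
        if hits:
            findings.append((LOW_PRIV[f[5]], hits))
    return findings

# Constructed samples: a restrictive DACL, one granting DC to Authenticated
# Users, and one granting a full hexadecimal mask to BUILTIN\Users.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPLOCRRC;;;AU)")
WEAK_HEX = "D:(A;;0xf01ff;;;S-1-5-32-545)"

if __name__ == "__main__":
    for name, sddl in (("hardened", HARDENED), ("weak", WEAK), ("weak_hex", WEAK_HEX)):
        print(name, risky_aces(sddl))
```

Deny ACEs are not evaluated, so a finding should be confirmed against the effective permissions on the host.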

Beyond the security vulnerabilities, administrators should be aware of several operational bugs in version 2.24 documented on the official NSSM website: