Exclusive: NSSM 2.24 Privilege Escalation
If NSSM 2.24 is installed to manage a service and the path to the executable contains spaces but is not wrapped in quotes, a local attacker can exploit it. Windows resolves an unquoted path by trying each space-delimited prefix in turn, so for `C:\Apps\My Service\app.exe` it first attempts to run `C:\Apps\My.exe`; an attacker who can write to `C:\Apps\` gets code execution in the service's account.
This is the most common real-world scenario. When an administrator installs NSSM or the application it wraps, the binaries often end up in custom directories (e.g., `C:\Apps\MyService\`) whose permissions were never reviewed.
NSSM-managed services can then be identified by looking for display names or descriptions containing "NSSM", or by inspecting the binary path:
on a specific service directory.
Practical detection (quick checks)
Repointing a service's binary path (requires SERVICE_CHANGE_CONFIG on the service, which a misconfigured DACL may grant to low-privileged users):

```
sc config <service_name> binPath= "C:\temp\malware.exe"
```
– Configure NSSM services to run as a managed service account (gMSA) instead of LOCAL SYSTEM.
The "nssm-2.24 privilege escalation" vulnerability is a reminder that security is not only about code flaws but also about configuration hygiene. The issues tracked as CVE-2025-41686, CVE-2024-51448, and CVE-2016-20033 stem from a simple, repeated mistake: an executable path that contains spaces but is not enclosed in quotes.
If you’re a security researcher testing NSSM 2.24 in a lab, review:
CVSS v3 base metrics:

| Metric | Value |
|--------|-------|
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Confidentiality Impact | High (C:H) |
| Integrity Impact | High (I:H) |
| Availability Impact | High (A:H) |
Before diving into the specific vulnerabilities, it helps to understand what NSSM does and why it is an attractive target. NSSM is a service wrapper: it gives an ordinary executable the full Windows service lifecycle (start, stop, restart, logging) without any change to the program's code. When the service starts, the NSSM process runs the target executable under the configured account, often LocalSystem, NetworkService, or a custom domain account, monitors it, restarts it on failure, and forwards control requests from the Service Control Manager (SCM). Whatever privileges the service account holds are therefore inherited by the wrapped program and by anything an attacker can substitute for it. If NSSM 2
Mitigations and remediation
The "Non-Sucking Service Manager" (NSSM) version 2.24 is frequently featured in cybersecurity write-ups and labs because it is a textbook example of how a helpful administrative tool can be turned into a vehicle for Local Privilege Escalation (LPE) on Windows systems.
The Core Vulnerability
```
sc qc <service_name>
```
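The quick checks above are manual and one service at a time. The following PowerShell script is an added example (not code from the original page or from the NSSM project) that automates them across every installed service: it flags unquoted binary paths containing spaces, marks services that look NSSM-wrapped, and reports which of those run as LocalSystem. It assumes that NSSM records the wrapped program under the service's `Parameters` registry key as the `Application` value; the regular expressions and output field names are the example's own.

```powershell
# Added example: audit Windows services for unquoted, space-containing
# executable paths, with extra detail for NSSM-wrapped services.
# Run from an elevated PowerShell prompt on the host being audited.
# Assumption: NSSM stores the wrapped program's path in
# HKLM:\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application.

function Test-UnquotedSpacePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.Trim()
    # A path that starts with a quote is already protected.
    if ($p.StartsWith('"')) { return $false }
    # Only the executable portion matters; arguments after ".exe" may contain spaces legitimately.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    return $exe.Contains(' ')
}

function Get-NssmServiceAudit {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $app = $null
        if (Test-Path $regKey) {
            # Present only for NSSM-wrapped services (assumption stated above).
            $app = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).Application
        }
        # Heuristics from the text: binary path pointing at nssm.exe, or "NSSM"
        # in the display name / description, or an NSSM Application value.
        $isNssm = ($svc.PathName -match 'nssm(64)?\.exe') -or
                  ($svc.DisplayName -match 'NSSM') -or
                  ($svc.Description -match 'NSSM') -or
                  ($null -ne $app)
        [pscustomobject]@{
            Name              = $svc.Name
            StartName         = $svc.StartName
            BinPath           = $svc.PathName
            NssmApplication   = $app
            IsNssm            = $isNssm
            BinPathUnquoted   = Test-UnquotedSpacePath $svc.PathName
            AppPathUnquoted   = Test-UnquotedSpacePath $app
            RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')
        }
    }
}

# Report: anything with an unquoted path, plus NSSM services still running as LocalSystem.
Get-NssmServiceAudit |
    Where-Object { $_.BinPathUnquoted -or $_.AppPathUnquoted -or ($_.IsNssm -and $_.RunsAsLocalSystem) } |
    Format-Table Name, StartName, IsNssm, BinPathUnquoted, AppPathUnquoted, BinPath -AutoSize
```

Each flagged service should be fixed by quoting the path, for example `sc config <service_name> binPath= "\"C:\Apps\My Service\nssm.exe\""` (the escaped inner quotes are what `sc` needs to store a quoted path), and then re-running the audit; a service that is still flagged because it runs as LocalSystem is the candidate for the gMSA change listed under mitigations. The script only reads the SCM and the registry, so it is safe to run on production hosts.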