
Nssm-2.24 Privilege Escalation May 2026

The attacker stops and restarts the service (if they have SERVICE_START and SERVICE_STOP rights) or waits for a system reboot:

net stop <service_name>
net start <service_name>

The service runs as LOCAL SYSTEM (by default for manually installed services), executing malware.exe with the highest privileges.

NSSM 2.24 does not enforce a restrictive DACL (Discretionary Access Control List) on created services. Instead, it relies on Windows defaults, which may allow SERVICE_CHANGE_CONFIG to non-admin users when the service is created during an administrative session but without explicit security hardening.


When NSSM installs a service using the command:

nssm install <ServiceName> <path-to-executable>

It creates a service with the following security descriptor (by default):

This allows an unprivileged user to:


Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards:

Version 2.24 was the last build before these patches. It exists in countless enterprise golden images, legacy application stacks, and developer test environments where security updates are deprioritized.


The malware can now add a new admin user, dump credentials from LSASS, or implant a backdoor—all while masquerading as a legitimate service.

A dangerous weakness exists in NSSM (Non-Sucking Service Manager) versions 2.24 and below. If an attacker has medium integrity (standard user) access to a system where an NSSM service runs as SYSTEM, they can trivially escalate to NT AUTHORITY\SYSTEM by abusing the service’s binary path.

Published: For educational and defensive security purposes. Always obtain permission before testing on any system you do not own.

Although NSSM (Non-Sucking Service Manager) does not have a single, direct CVE for a "built-in" privilege escalation flaw, it is frequently used by attackers and identified in vulnerabilities where its misconfiguration or improper installation by third-party software allows for local privilege escalation (LPE).

The most common ways privilege escalation occurs involving NSSM 2.24 include:

1. Insecure File Permissions

This is the most frequent exploitation path. Many installers deploy NSSM 2.24 with weak Access Control Lists (ACLs), such as granting the "Everyone" group "Full Control" or "Modify" rights to the folder where nssm.exe resides.

The Attack: A low-privileged user replaces the legitimate nssm.exe or the binary it launches with a malicious executable. When the service restarts (or the system reboots), the malicious code runs with SYSTEM privileges.

Notable Examples

IBM Robotic Process Automation: Vulnerable to LPE because standard users could substitute the service binary.

Apache CouchDB: Vulnerable because files inherited parent directory permissions, allowing non-privileged users to swap the service launcher.

Wowza Streaming Engine: Allowed authenticated users to replace nssm_x64.exe to gain LocalSystem rights.

2. Unquoted Service Path Vulnerability

If NSSM is installed in a path containing spaces (e.g., C:\Program Files\App\nssm.exe) and the service's registry entry is not enclosed in double quotes, it is vulnerable to "Unquoted Service Path" exploitation.

The Attack: Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe before reaching the intended file. An attacker can place a malicious Program.exe at the root of the drive to hijack the service execution.

3. Exploitation in Ransomware Campaigns

Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations. Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.

Primary Escalation Vectors

When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:

For NSSM 2.24, a critical feature to address privilege escalation vulnerabilities is a Permission Integrity Check & Lockdown module.

This feature focuses on mitigating the primary way attackers exploit NSSM: replacing the nssm.exe binary or its associated application executable due to insecure file permissions.

Key Components of the "Secure Lockdown" Feature

Automated Permission Audit: Upon service installation or startup, NSSM should scan its own binary path and the target application path. It would flag if high-risk groups (e.g., "Everyone," "Users," or "Authenticated Users") have Write or Full Control permissions.

Mandatory Quoted Paths: The tool should automatically enforce quoted service paths in the Windows registry to prevent "Unquoted Service Path" exploits, where Windows might execute a malicious binary with a similar name in a parent folder.

Binary Hash Verification: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.

"Least Privilege" Mode: A toggle to ensure the service defaults to a virtual account or a low-privileged user instead of the "LocalSystem" account, which is the most frequent target for attackers looking for administrative control.

Why this is needed

NSSM 2.24 is frequently cited in security advisories because third-party installers (like CouchDB or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine.
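Two of the checks listed above, Mandatory Quoted Paths and Binary Hash Verification, can be run today as an external pre-flight audit. This is an added example, not part of NSSM or of the original page; the function names (`hijack_candidates`, `binary_unchanged`, `preflight`) are hypothetical, and the caller supplies the ImagePath string and the registered hash.

```python
import hashlib
import hmac
import re

def hijack_candidates(image_path):
    """Return the extra paths Windows would try before the intended binary
    when an ImagePath is unquoted and contains spaces; [] if unambiguous."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                              # quoted: no ambiguity
    m = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    exe = path[:m.end()] if m else path        # drop trailing arguments
    # Every space inside the executable path yields one earlier candidate.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def binary_unchanged(binary_path, registered_sha256):
    """Compare the on-disk binary against the hash an administrator registered."""
    return hmac.compare_digest(sha256_file(binary_path), registered_sha256.lower())

def preflight(image_path, binary_path, registered_sha256):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    extra = hijack_candidates(image_path)
    if extra:
        problems.append("unquoted path; Windows also tries: " + ", ".join(extra))
    if not binary_unchanged(binary_path, registered_sha256):
        problems.append("binary hash differs from registered value")
    return problems

if __name__ == "__main__":
    # Constructed ImagePath using the install location mentioned on this page.
    print(hijack_candidates(r"C:\Program Files (x86)\App Name\nssm.exe"))
```

Each candidate returned by `hijack_candidates` is a location whose parent directory should not be writable by standard users.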


While NSSM 2.24 is a legitimate tool used to manage Windows services, it is often central to privilege escalation attacks due to improper deployment permissions rather than a flaw in its own source code.

When NSSM is bundled with third-party installers, it frequently inherits weak folder or file permissions, allowing low-privileged users to replace the nssm.exe binary or its managed application with malicious code.

Key Attack Vectors

Improper File Permissions: Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.

Unquoted Service Paths: If the service path to NSSM contains spaces and is not enclosed in quotes, Windows may attempt to execute files at different points in the path. For example, if installed in C:\Program Files (x86)\App Name\nssm.exe, an attacker with write access to C:\ could place a malicious file at C:\Program.exe to gain elevated access.

Weak Registry Permissions: If the registry keys governing the NSSM service (e.g., ImagePath) are writable by unprivileged users, they can modify the service configuration to execute arbitrary payloads.

Known Affected Products (Examples)

Wowza Streaming Engine 4.5.0: Vulnerable via replacing the nssm_x64.exe binary due to improper permissions.

Apache CouchDB 2.0.0: Vulnerable because files inherited parent directory permissions, allowing the substitution of nssm.exe.

Phoenix Contact Device & Update Management: Misconfigured permissions on nssm.exe allowed local privilege escalation.

Mitigation and Defense



Title: From Service Manager to SYSTEM: Abusing NSSM 2.24 for Privilege Escalation

Date: [Insert Date] Tags: #Windows #PrivilegeEscalation #NSSM #InfoSec