NSSM 2.24 Privilege Escalation
While NSSM development is infrequent, ensure you are using the most stable version and auditing the service creation process for common Windows misconfigurations.
Windows Event Logs are crucial for this monitoring. NSSM logs its activity to the system Application event log, providing valuable forensic data.
Organizations using affected applications should immediately apply vendor-supplied patches:
icacls "C:\Path\To\nssm.exe" /remove "Authenticated Users" /t
icacls "C:\Path\To\nssm.exe" /remove "Users" /t
Security researchers and red teams use automated tools like WinPEAS, PowerUp.ps1, or standard Windows CLI commands to identify and exploit this configuration weakness.
The root cause was that all files in the CouchDB installation inherited file permissions from the parent directory, where the installer had granted the to the "Authenticated Users" group. Consequently, a standard non-administrator user could replace the nssm.exe binary with any executable of their choice. Upon service restart or system reboot, that executable would run with LocalSystem privileges, enabling the attacker to create a backdoor administrator account and achieve complete system compromise.
Furthermore, specific to NSSM 2.24, the tool allows the modification of the AppParameters or Application registry keys (located at HKLM\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters) without strict integrity checks if the attacker has sufficient privileges to modify the service configuration (often achievable via standard user rights if service permissions are misconfigured).
💡 Use the command accesschk.exe from the Sysinternals suite to quickly identify any services with weak permissions in your environment.
Many applications bundle nssm.exe but fail to secure its directory. For example, if a "Users" group has full control (the 'F' flag) over the binary or its parent folder, an attacker can replace nssm.exe with a malicious rootkit. When the service restarts, it executes the replacement with elevated privileges.
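An audit for the weak permissions described above, as an added example that is not part of the original page or of NSSM: it parses `icacls` output for a bundled nssm.exe and reports write-capable entries held by low-privileged groups. The sample output is constructed, the function name is hypothetical, and English group names are assumed.

```python
import re

# Groups every standard user belongs to (assumption: English-language Windows).
LOW_PRIV = {"users", "authenticated users", "everyone", "interactive"}
# icacls rights that let a holder replace or re-permission the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
# Parenthesised groups that describe inheritance rather than access.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

def weak_aces(icacls_output, path):
    """Return (principal, risky_rights) for each allow ACE that lets a
    low-privileged group modify the object at `path`."""
    findings = []
    for line in icacls_output.splitlines():
        if line.startswith(path):          # first line: path, then first ACE
            line = line[len(path):]
        line = line.strip()
        if not line or line.startswith("Successfully processed") or ":" not in line:
            continue
        principal, _, rights = line.rpartition(":")
        groups = re.findall(r"\(([^)]*)\)", rights)
        # Deny entries grant nothing; inherit-only entries do not apply to this object.
        if "DENY" in groups or "IO" in groups:
            continue
        if principal.rsplit("\\", 1)[-1].strip().lower() not in LOW_PRIV:
            continue
        granted = set()
        for group in groups:
            if group not in INHERIT_FLAGS:
                granted.update(r.strip() for r in group.split(","))
        risky = sorted(granted & WRITE_RIGHTS)
        if risky:
            findings.append((principal.strip(), risky))
    return findings

# Constructed sample of `icacls <path>` output for a service wrapper binary.
SAMPLE_PATH = r"C:\ProgramData\SomeApp\bin\nssm.exe"
SAMPLE = SAMPLE_PATH + r""" NT AUTHORITY\Authenticated Users:(I)(M)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(F)
    Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE, SAMPLE_PATH):
        print(f"WEAK ACL on {SAMPLE_PATH}: {who} holds {','.join(rights)}")
```

Run the same check against the parent folder as well, since write access there also allows the binary to be swapped.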
While NSSM is a legitimate tool used to manage Windows services, it is often central to privilege escalation attacks due to improper deployment permissions rather than a flaw in its own source code.
Beyond the security vulnerabilities, administrators should be aware of several operational bugs in version 2.24 documented on the official NSSM website:
$ cd C:\ProgramData\SomeApp\bin
When the service restarts, Windows may interpret the path as: C:\Program.exe with arguments Files\App\nssm.exe.