
NSSM 2.24 Privilege Escalation (Jun 2026)

If an attacker has write access to a directory involved in the service execution chain (e.g., a directory with weak permissions where the service binary resides or a path containing spaces without quotes), they can plant a malicious executable. When the service is started or restarted, the operating system or NSSM will execute the malicious file with SYSTEM privileges.


The attacker changes the binPath to point to a malicious executable they control.

Furthermore, specific to NSSM 2.24, the tool allows the modification of the AppParameters or Application registry keys (located at HKLM\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters) without strict integrity checks if the attacker has sufficient privileges to modify the service configuration (often achievable via standard user rights if service permissions are misconfigured).

The following products and versions have been identified as vulnerable to NSSM-related privilege escalation vulnerabilities:

Implement Windows Defender Application Control (WDAC) or AppLocker to restrict execution of binaries to only those that are signed and trusted. This can prevent execution of malicious binaries even if replacement occurs.

NSSM 2.24 is frequently cited in security advisories because third-party installers (like or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine.

The security community continues to identify and responsibly disclose these vulnerabilities. By understanding the technical details and implementing robust mitigations, organizations can protect their Windows environments from privilege escalation attacks leveraging NSSM.

A key issue with NSSM 2.24 is its reliance on configuration files (often stored in the registry) and the potential for misconfigured permissions on the service wrapper itself. While NSSM is designed to handle services, it doesn't automatically secure the paths of the applications it launches.
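
A defender-side check for the conditions described above, as an added example that is not part of the original page or of NSSM itself: it lists NSSM-wrapped services whose ImagePath is unquoted with spaces, or whose wrapper, wrapped Application, or their directories are writable by low-privileged principals. The SID list and the function name Get-WritableAce are assumptions made for this example.

```powershell
# Added audit example; run from an elevated PowerShell prompt.
# Well-known SIDs treated as low-privileged (assumption: extend for your environment):
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
# Rights that allow replacing or planting a file, plus GENERIC_WRITE | GENERIC_ALL (0x50000000).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableAce([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivSids -contains $_.IdentityReference.Value -and
        -not ($_.PropagationFlags -band $inheritOnly) -and   # skip ACEs that only apply to children
        (([int]$_.FileSystemRights) -band $writeMask)
    }
}

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $name = $_.PSChildName
    $key  = $_.PSPath
    $img  = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
    if ($img -notmatch 'nssm') { return }          # only NSSM-wrapped services
    $img = [Environment]::ExpandEnvironmentVariables($img)

    # Extract the wrapper path and note whether the ImagePath was quoted.
    if     ($img -match '^\s*"([^"]+)"')  { $wrapper = $Matches[1]; $quoted = $true }
    elseif ($img -match '^\s*(.+?\.exe)') { $wrapper = $Matches[1]; $quoted = $false }
    else   { return }
    if (-not $quoted -and $wrapper -match '\s') {
        [pscustomobject]@{ Service = $name; Path = $wrapper; Sid = '-'; Finding = 'Unquoted ImagePath containing spaces' }
    }

    # NSSM keeps the wrapped program under the service's Parameters key (Application value).
    $app = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).Application
    $targets = @($wrapper, $app) | Where-Object { $_ } | ForEach-Object { $_; Split-Path -Parent $_ }
    foreach ($t in ($targets | Where-Object { $_ } | Select-Object -Unique)) {
        foreach ($ace in (Get-WritableAce $t)) {
            [pscustomobject]@{ Service = $name; Path = $t; Sid = $ace.IdentityReference.Value; Finding = "$($ace.FileSystemRights)" }
        }
    }
}
```

An empty result means no low-privileged write access was found on the checked files and directories; it does not cover the ACL on the service's registry key itself.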
