NSSM 2.24 Privilege Escalation
NSSM (Non-Sucking Service Manager) version 2.24 is a popular open-source utility for running executables as Windows services. While the tool itself is generally considered legitimate, version 2.24 has been linked to various local privilege escalation (LPE) vulnerabilities, often due to how it is integrated by third-party installers rather than a fundamental flaw in its own binary.
Key Privilege Escalation Vectors
Attackers frequently target NSSM 2.24 installations to elevate from a low-privileged user to SYSTEM or Administrator rights using several techniques:
Improper File Permissions: Many applications bundle nssm.exe but fail to secure its directory. For example, if a "Users" group has full control (the 'F' flag) over the binary or its parent folder, an attacker can replace nssm.exe with a malicious rootkit. When the service restarts, it executes the replacement with elevated privileges.
Notable Case: CVE-2016-8742 affected Apache CouchDB, where improper directory inheritance allowed users to substitute the service launcher for their own code.
Unquoted Service Paths: If the path to nssm.exe contains spaces and is not enclosed in quotes (e.g., C:\Program Files\App\nssm.exe), Windows may attempt to execute files at every "space" in the path. An attacker can place a file like C:\Program.exe to intercept the service start and gain SYSTEM access.
Permissions Misconfiguration (CVE-2025-41686): A more recent vulnerability identified in products like Phoenix Contact Device and Update Management involves misconfigured permissions on nssm.exe specifically, allowing low-privileged local attackers to gain administrative access.
NSSM version 2.24 is vulnerable to local privilege escalation when installed with insecure file permissions, allowing low-privileged users to replace the executable and run malicious code as SYSTEM. The vulnerability stems from Weak Service Permissions where attackers modify the service binary path, requiring remediation via strict Access Control List (ACL) configuration on the executable directories. For more information, visit the official nssm.cc documentation.
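The ACL check implied above can be scripted. The following is an added example, not code from NSSM or from this page: it parses the text printed by `icacls <path>` and reports allow entries that let ordinary users overwrite the binary or its folder. The principal list, function names and sample output are assumptions made for the example.

```python
import re

# Principals every ordinary local account belongs to (assumed list for this example).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
# icacls rights that allow replacing or modifying a file or folder: F full,
# M modify, W write, D delete, WD write data, AD append data, DE delete,
# DC delete child, WDAC change DACL, WO take ownership, GW/GA generic write/all.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "DC", "WDAC", "WO", "GW", "GA"}

def parse_icacls(path, output):
    """Return [(principal, tokens, is_deny)] parsed from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):      # the first ACE shares a line with the path
            line = line[len(path):]
        principal, sep, rest = line.strip().partition(":(")
        if not sep:                    # blank line or the "Successfully processed" footer
            continue
        tokens = {t.strip() for group in re.findall(r"\(([^)]*)\)", "(" + rest)
                  for t in group.split(",")}
        aces.append((principal, tokens, "DENY" in tokens))
    return aces

def writable_by_low_priv(path, output):
    """List (principal, rights) for allow ACEs that let low-privileged users overwrite."""
    findings = []
    for principal, tokens, deny in parse_icacls(path, output):
        risky = sorted(tokens & WRITE_RIGHTS)
        if principal.lower() in LOW_PRIV and risky and not deny:
            findings.append((principal, risky))
    return findings

# Constructed sample output for illustration; not captured from a real host.
PATH = r"C:\Program Files\App\nssm.exe"
WEAK = PATH + r""" BUILTIN\Users:(I)(F)
                              NT AUTHORITY\SYSTEM:(I)(F)
                              BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
HARDENED = PATH + r""" NT AUTHORITY\SYSTEM:(F)
                              BUILTIN\Administrators:(F)
                              BUILTIN\Users:(RX)"""

if __name__ == "__main__":
    print(writable_by_low_priv(PATH, WEAK))
    print(writable_by_low_priv(PATH, HARDENED))
```

Run the same check against the parent folder as well as the binary, since a writable folder allows the file to be swapped even when the file's own ACL is tight.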
NSSM version 2.24 does not have inherent privilege escalation vulnerabilities in its code, but it is frequently used in local privilege escalation scenarios due to misconfigurations like insecure file permissions, unquoted service paths, or placement in writable folders. While often flagged by security tools, mitigation involves upgrading to the 2.25 pre-release, auditing permissions, and securing service paths. For specific bugs and fixes, refer to the NSSM Bug Tracker.
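For auditing service paths, the following added example (not part of the original page or of NSSM) takes service ImagePath values, flags the unquoted ones that contain spaces, lists the earlier paths Windows would try, and produces the quoted value to write back. The service names, environment mapping and paths are constructed, and the rule that the executable ends at the first ".exe" is an assumption of the example.

```python
import re

def expand_env(path, env):
    """Expand %VAR% references using a caller-supplied mapping (lower-case keys)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted)."""
    p = image_path.strip()
    if p.startswith('"'):
        exe, _, args = p[1:].partition('"')
        return exe, args.strip(), True
    # Unquoted: assume the executable ends at the first ".exe" that is
    # followed by whitespace or end of string (assumption of this example).
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", p, re.IGNORECASE)
    if not m:
        return p, "", False
    return m.group(1), m.group(2) or "", False

def hijack_candidates(image_path):
    """Paths Windows tries before the intended binary when the path is unquoted."""
    exe, _, quoted = split_image_path(image_path)
    if quoted or not exe.lower().endswith(".exe"):
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_fix(image_path):
    """Return the ImagePath with the executable wrapped in double quotes."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services, env=None):
    """Map service name -> (candidate paths, corrected ImagePath) for risky entries."""
    report = {}
    for name, raw in services.items():
        candidates = hijack_candidates(expand_env(raw, env or {}))
        if candidates:
            report[name] = (candidates, quoted_fix(raw))
    return report

# Constructed sample data; service names and paths are hypothetical.
ENV = {"programfiles": r"C:\Program Files"}
SERVICES = {
    "AppSvc": r"C:\Program Files\Vendor App\nssm.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\nssm.exe"',
    "EnvSvc": r"%ProgramFiles%\Tool\nssm.exe",
    "FlatSvc": r"C:\Tools\nssm.exe",
}
```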
While NSSM (Non-Sucking Service Manager) does not have a single, direct CVE for a "built-in" privilege escalation flaw, it is frequently used by attackers and identified in vulnerabilities where its misconfiguration or improper installation by third-party software allows for local privilege escalation (LPE).
The most common ways privilege escalation occurs involving NSSM 2.24 include:
1. Insecure File Permissions
This is the most frequent exploitation path. Many installers deploy NSSM 2.24 with weak Access Control Lists (ACLs), such as granting the "Everyone" group "Full Control" or "Modify" rights to the folder where nssm.exe resides.
The Attack: A low-privileged user replaces the legitimate nssm.exe or the binary it launches with a malicious executable. When the service restarts (or the system reboots), the malicious code runs with SYSTEM privileges.
Notable Examples
IBM Robotic Process Automation: Vulnerable to LPE because standard users could substitute the service binary.
Apache CouchDB: Vulnerable because files inherited parent directory permissions, allowing non-privileged users to swap the service launcher.
Wowza Streaming Engine: Allowed authenticated users to replace nssm_x64.exe to gain LocalSystem rights.
2. Unquoted Service Path Vulnerability
If NSSM is installed in a path containing spaces (e.g., C:\Program Files\App\nssm.exe) and the service's registry entry is not enclosed in double quotes, it is vulnerable to "Unquoted Service Path" exploitation.
The Attack: Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe before reaching the intended file. An attacker can place a malicious Program.exe at the root of the drive to hijack the service execution.
3. Exploitation in Ransomware Campaigns
Registry Monitoring
- Changes to HKLM\SYSTEM\CurrentControlSet\Services\<NSSM_Service>\Parameters\Application.
Install a benign test service
.\nssm.exe install ElevationTest cmd.exe
Mitigation / Fix
- Upgrade to NSSM 2.24.1+ (if a patched version exists — check official site).
- Manually fix: Set the service DACL to allow only SYSTEM and Administrators to modify the service or its registry keys.
sc sdset MyNSSMService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
- Alternative: Use a more secure service wrapper (e.g., WinSW with config protection, or Windows built-in sc + proper ACLs).
- Monitor for changes to binPath or Parameters\Application keys.
Description
When NSSM installs a service using the command:
nssm install <ServiceName> <path-to-executable>
It creates a service with the following security descriptor (by default):
- Start type: Auto/Demand (user choice)
- Service account: LocalSystem
- Service permissions: The service’s security descriptor grants SERVICE_START, SERVICE_STOP, SERVICE_QUERY_CONFIG, and SERVICE_CHANGE_CONFIG to the Everyone or Authenticated Users group, depending on Windows version and NSSM build flags.
This allows an unprivileged user to:
- Query and modify the service configuration.
- Change the binPath to point to a malicious executable.
- Restart the service and execute arbitrary code as SYSTEM.
For NSSM users:
- Explicitly set service permissions during installation using nssm set <service> ObjectName or use sc sdshow / sc sdset to harden.
- Example: Restrict change config to Administrators only:
sc sdset vuln_svc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
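To verify the result of sc sdset, the string printed by sc sdshow can be decoded. This added example (not NSSM's or the page's own code) parses the DACL of a service SDDL string and reports allow ACEs that give low-privileged principals SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER. The hardened string is the one shown above; the weak one and all function names are constructed for the example.

```python
import re

# SDDL two-letter rights as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder repoint the service binary or rewrite its ACL,
# with their access-mask bits for ACEs written in hex.
DANGEROUS_BITS = {"DC": 0x2, "WD": 0x40000, "WO": 0x80000,
                  "GA": 0x10000000, "GW": 0x40000000}
# SID aliases that include unprivileged users. Note "WD" means Everyone in the
# SID field but WRITE_DAC in the rights field.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
                 "IU": "Interactive", "BU": "Builtin Users"}

def dacl_aces(sddl):
    """Return (ace_type, rights, sid) for each ACE in the D: section only."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    fields = [b.split(";") for b in re.findall(r"\(([^)]*)\)", m.group(1) if m else "")]
    return [(f[0], f[2], f[5]) for f in fields if len(f) >= 6]

def dangerous_rights(rights):
    """Dangerous two-letter codes granted by a rights field (letters or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in DANGEROUS_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)} & set(DANGEROUS_BITS)

def risky_aces(sddl):
    """List (principal, [right names]) for allow ACEs granting low-privileged
    principals the ability to change the service configuration, DACL or owner."""
    findings = []
    for ace_type, rights, sid in dacl_aces(sddl):
        hits = dangerous_rights(rights)
        if ace_type == "A" and sid in LOW_PRIV_SIDS and hits:
            findings.append((LOW_PRIV_SIDS[sid], sorted(SERVICE_RIGHTS[h] for h in hits)))
    return findings

# HARDENED is the descriptor given on this page; WEAK is constructed.
HARDENED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
WEAK = HARDENED + "(A;;CCDCRPWP;;;AU)"
```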