Nssm-2.24 Privilege Escalation Fixed
Windows Event Logs are crucial for this monitoring. NSSM logs its activity to the system Application event log, providing valuable forensic data.
As defenders, we must treat every binary on our systems—especially those capable of managing services—as a potential threat vector. The presence of NSSM 2.24 on a machine should be considered a critical finding, equivalent to an unpatched local exploit.
To prevent NSSM-2.24 privilege escalation, follow these security hardening steps:
This vulnerability, discovered in mid-2025, allows a low-privileged local attacker to exploit set on the nssm.exe file. This misconfiguration enables an authenticated user to replace the legitimate nssm.exe binary with a malicious one. Once replaced, the next time NSSM is invoked—whether by a service restart, a scheduled task, or an unsuspecting administrator—the malicious code executes with the elevated privileges of the calling process. Typically, this means the attacker can gain SYSTEM or Administrator-level access, allowing them to install malware, create new administrative users, or exfiltrate sensitive data.
The attacker changes the binPath to point to a malicious executable they control:
A service is created using NSSM to run under the LocalSystem account.
NSSM stores its configuration in the Windows Registry under HKLM\System\CurrentControlSet\Services\ \Parameters.
# Copy the vulnerable binary to a writable location
copy "%ProgramFiles%\NSSM\nssm-2.24.exe" .\nssm.exe
The service path is discovered to be C:\Program Files\Application Path\nssm.exe without quotes.
for their own tools (e.g., tunneling software or ransomware) while appearing as a standard system service.
If permissions are weak, the attacker renames the original nssm.exe and uploads a malicious executable with the same name.
Understanding NSSM 2.24 Privilege Escalation: Vulnerability Analysis and Remediation
Implement strict controls on who can modify service configurations. Only administrators should have the ability to create or modify services.
Organizations using affected applications should immediately apply vendor-supplied patches: