Privilege Escalation - Nssm-2.24
In a typical penetration testing or attack scenario, the exploit follows a predictable lifecycle.
1. Identifying the Vulnerable Service
Since NSSM is designed to restart the service if it fails, the attacker can either wait for a system reboot or manually crash the service if they have the rights. Once NSSM restarts the "service," it executes the attacker's payload with SYSTEM privileges.
Remediation and Best Practices
Under this key, NSSM defines values like Application, AppDirectory, and AppParameters.
Always ensure that when setting up services with NSSM, the path to nssm.exe and the application it manages are enclosed in quotes, particularly if the path contains spaces.
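As an added audit example (not code from the article or the NSSM project), the PowerShell below lists every NSSM-wrapped service and flags the two conditions discussed here: an unquoted ImagePath containing spaces, and write rights for ordinary users on the service's Parameters registry key or on the wrapped application binary. It assumes NSSM keeps its Application value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and that the principals in $Broad are what count as "ordinary users".

```powershell
# Added audit script (not from the article or the NSSM project). Assumptions:
#  - NSSM stores per-service settings under
#    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (Application, AppDirectory, AppParameters)
#  - the principals below are the ones a local, non-admin user normally belongs to
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-UnquotedServicePath {
    # True when the binary path is not quoted and the part up to ".exe" contains whitespace
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or $Path.StartsWith('"')) { return $false }
    $exe = ($Path -split '\.exe', 2)[0]
    return [bool]($exe -match '\s')
}

function Get-BroadWriteAccess {
    # Returns the broad principals holding write-capable rights on a file or registry path
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $Broad -contains $_.IdentityReference.Value } |
        Where-Object { "$($_.FileSystemRights) $($_.RegistryRights)" -match 'Write|Modify|FullControl|SetValue|CreateSubKey' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# Any service whose ImagePath runs through nssm is a candidate
$nssmServices = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }
foreach ($svc in $nssmServices) {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $paramsKey -Name Application -ErrorAction SilentlyContinue).Application
    $appWriters = if ($app) { Get-BroadWriteAccess -Path $app } else { @() }
    [pscustomobject]@{
        Service           = $svc.Name
        RunsAs            = $svc.StartName
        ImagePath         = $svc.PathName
        UnquotedImagePath = Test-UnquotedServicePath -Path $svc.PathName
        Application       = $app
        WritableParamsKey = (Get-BroadWriteAccess -Path $paramsKey) -join ','
        WritableAppBinary = $appWriters -join ','
    }
}
```

A row with UnquotedImagePath set to True, or with any principal listed under WritableParamsKey or WritableAppBinary, is a service that should be re-registered with a quoted path and restrictive ACLs before anything else.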
If a service created by NSSM has a path containing spaces and is not enclosed in quotation marks (e.g., C:\Program Files\My Service\nssm.exe
NSSM is designed to keep services running. If a service crashes, NSSM restarts it. It is often used by developers to run scripts, Java applications, or custom binaries as background services. Version 2.24 was a standard release for a long period, but it contains a flaw in how it handles file permissions and service configurations.
The Core Vulnerability: Weak Permissions
The score for CVE-2025-41686 and CVE-2016-20033 reflects the ease of exploitation (Low Attack Complexity, Low Privileges Required) and the severe consequences. CVE-2024-51448, with a score of 6.7 (Medium), is less severe because it requires an attacker to already have "High" privileges to exploit it, though it still enables a jump to Administrator.
Technically, nssm.exe 2.24 does not contain an inherent, exploitable buffer overflow or logic flaw that grants privileges out of the box. Instead, the risks originate from .