Nssm-2.24 Privilege Escalation
: None (Can be done entirely quietly in the background). đź’» Step-by-Step Exploitation Mechanics
When the service restarts (either via a system reboot or manual trigger), the malicious binary runs with SYSTEM privileges. The "AppDirectory" and Registry Weakness
: If a service's executable path contains spaces and is not enclosed in double quotes, Windows may misinterpret the path. For example, if the path is C:\Program Files\My Service\nssm.exe , Windows might try to execute C:\Program.exe first.
In this simplified scenario, the Authenticated Users:C permission indicates that any authenticated user has Change permission—the critical weakness that enables the attack. nssm-2.24 privilege escalation
Organizations must take immediate action to identify instances of NSSM 2.24 across their environments, apply available patches or mitigations, and implement robust monitoring for binary replacement attacks. The discovery of vulnerabilities like CVE-2025-41686, CVE-2016-8742, and CVE-2016-20033 demonstrates that even widely trusted administrative tools can introduce critical security risks when misconfigured.
To help tailor these security steps, please share a few details about your environment:
: Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe : None (Can be done entirely quietly in the background)
Are you currently , or are you looking to secure a new deployment ?
: NSSM stores its service parameters in the Registry. If the permissions on these Registry keys are too loose, a user can modify the AppParameters or Application string to execute a different command when the service starts.
Exploitation conditions (what an attacker needs) For example, if the path is C:\Program Files\My Service\nssm
| Metric | Value | |--------|-------| | Attack Vector | Local (AV:L) | | Attack Complexity | Low (AC:L) | | Privileges Required | Low (PR:L) | | User Interaction | None (UI:N) | | Confidentiality Impact | High (C:H) | | Integrity Impact | High (I:H) | | Availability Impact | High (A:H) |
A service is configured to run: C:\Program Files\App\nssm.exe
