Nssm224 Privilege Escalation Updated Jun 2026
Note: this write-up is intended for defenders, system administrators, and security professionals for risk assessment and remediation. Do not use it for unauthorized testing.
Windows services typically run with elevated privileges, such as NT AUTHORITY\SYSTEM. When an administrator uses NSSM to wrap an application (like a Java app, Python script, or binary) into a service, NSSM handles the service start, stop, and monitoring operations. Attackers target NSSM configurations because:
Always wrap service paths in quotation marks during creation to eliminate the risk of unquoted service path exploitation.
Ensure that any directory containing binaries managed by NSSM restricts write permissions exclusively to Administrators and SYSTEM. Remove Modify or Write permissions for Authenticated Users, Everyone, and Users.
nssm (Non-Sucking Service Manager) is a service manager for Windows that allows you to manage services on a Windows system. It's a popular alternative to the built-in Windows Service Manager.
version 2.24 where it may fail to properly handle permissions, potentially allowing an attacker to elevate their privileges to
To prevent exploitation of the nssm 224 privilege escalation vulnerability:
Defenders can spot NSSM privilege escalation attempts by monitoring specific artifacts:
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-41E9-8E09-387D72F48587 -AttackSurfaceReductionRules_Actions Enabled
Edit the ImagePath value to include quotes: "C:\Program Files\App Folder\nssm.exe".
2. Fix Service Permissions
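# Check for vulnerable service
sc.exe sdshow VulnService
# Look for an ACE that gives Authenticated Users (AU) the DC right (SERVICE_CHANGE_CONFIG).
# The ACE (A;;CCLCSWLOCRRC;;;AU) carries only query/read rights and does not allow config changes.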
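A defensive audit for the two weaknesses covered above (an unquoted ImagePath and a service DACL that lets low-privileged users reconfigure the service), as an added PowerShell example that is not part of the original write-up. The function names, the lists of risky rights and trustees, and the sample SDDL strings are assumptions constructed for illustration; ACEs that use hex access masks are not decoded.

```powershell
# Added example, not from the original page. Helper names are hypothetical.
# Rights that let a trustee take over a service:
#   DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write
$RiskyRights = 'DC', 'WD', 'WO', 'GA', 'GW'
# Low-privileged trustees: Authenticated Users, Everyone, Builtin Users, Interactive
$LowPrivTrustees = 'AU', 'WD', 'BU', 'IU'

function Get-RiskyServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # Allow ACEs only: (A;flags;rights;object;inherit_object;trustee).
    # Audit ACEs in the SACL have type AU and are skipped; hex masks are not decoded.
    $pattern = '\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;([^;)]+)\)'
    foreach ($m in [regex]::Matches($Sddl, $pattern)) {
        $trustee = $m.Groups[2].Value
        # Rights are concatenated two-letter codes, e.g. CCDCLC -> CC, DC, LC
        $rights = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $hits = @($rights | Where-Object { $RiskyRights -contains $_ })
        if ($LowPrivTrustees -contains $trustee -and $hits.Count -gt 0) {
            [pscustomobject]@{ Trustee = $trustee; Rights = $hits -join ','; Ace = $m.Value }
        }
    }
}

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.TrimStart().StartsWith('"')) { return $false }
    # Executable portion = text up to the first ".exe"; arguments after it are ignored
    return ($ImagePath -match '^(.+?\.exe)' -and $Matches[1] -match '\s')
}

# Constructed sample input: service names and SDDL strings are illustrative
$samples = @(
    @{ Name = 'HardenedService'; ImagePath = '"C:\Program Files\App Folder\nssm.exe"'
       Sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)' }
    @{ Name = 'VulnService'; ImagePath = 'C:\Program Files\App Folder\nssm.exe'
       Sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)' }
)
foreach ($s in $samples) {
    [pscustomobject]@{
        Service  = $s.Name
        Unquoted = Test-UnquotedServicePath $s.ImagePath
        RiskyAce = @(Get-RiskyServiceAce $s.Sddl | ForEach-Object { $_.Ace }) -join ' '
    }
}
```

On a live host, pass the joined output of `sc.exe sdshow <service>` as `-Sddl` and the `ImagePath` value from `HKLM:\SYSTEM\CurrentControlSet\Services\<service>` as `-ImagePath`.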