NSSM-2.24 Privilege Escalation
NSSM 2.24 is the last "stable" release of the tool (though pre-release 2.25 exists to address bugs). It provides functionality to monitor applications, restart them if they crash, and ensure they start during the boot process. Many commercial products bundle NSSM 2.24 to handle their service management.
The NSSM 2.24 Privilege Escalation Mechanism
Secure the registry path: HKLM\System\CurrentControlSet\Services\
The "nssm-2.24 privilege escalation" vulnerability serves as a powerful reminder that security is not just about code flaws, but also about configuration hygiene. The issues in CVE-2025-41686, CVE-2024-51448, and CVE-2016-20033 stem from a simple, repeated mistake: .
The attacker replaces the legitimate nssm.exe or the underlying script/executable with a malicious payload (e.g., a reverse shell executable).
The for CVE-2025-41686 and CVE-2016-20033 reflects the ease of exploitation (Low Attack Complexity, Low Privileges Required) and the severe consequences. CVE-2024-51448, with a score of 6.7 (Medium), is less severe because it requires an attacker to already have "High" privileges to exploit it, though it still enables a jump to Administrator.
Another recurring issue is the inheritance of insecure permissions. When NSSM is installed as part of a larger application bundle (rather than standalone), it often inherits the file permissions of the parent installation directory. In many cases, the installer sets weak permissions for the entire folder structure, granting "Modify" or "Write" access to standard users.
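One way to audit for the weak-permission condition described above, together with the unquoted service paths this page also names, as an added PowerShell example that is not part of the original page or of NSSM itself. The `Get-WeakAce` helper name and the choice of three well-known SIDs as "standard users" are assumptions; `Parameters\Application` is the registry value where NSSM records the wrapped program.

```powershell
# Added audit example (not from the original page). Read-only: it changes nothing.
# Assumption: these well-known SIDs stand in for "standard users".
$lowPriv = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x50000000             # GENERIC_WRITE | GENERIC_ALL as stored in raw ACEs

function Get-WeakAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs affect children, not the object being checked.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($lowPriv -contains $ace.IdentityReference.Value -and ([int]$ace.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -notmatch 'nssm') { continue }
    # The executable is either the quoted part or everything up to the first ".exe".
    $exe = if ($svc.PathName -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $Matches[1] }
    $unquoted = ($svc.PathName -notmatch '^\s*"') -and ($exe -match '\s')
    # NSSM keeps the wrapped program in the service's Parameters\Application value.
    $app = (Get-ItemProperty -Path "$svcRoot\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue).Application
    # Check each binary and its parent directory, since weak folder ACLs are inherited.
    $targets = @($exe, $app) | Where-Object { $_ } |
        ForEach-Object { $_; Split-Path -Path $_ -Parent } | Sort-Object -Unique
    [pscustomobject]@{
        Service  = $svc.Name
        RunsAs   = $svc.StartName
        Unquoted = $unquoted
        WeakAcl  = @($targets | ForEach-Object { Get-WeakAce -Path $_ })
    }
}
$findings | Where-Object { $_.Unquoted -or $_.WeakAcl.Count } | Format-List
```

Run it from an elevated session so every service key and ACL is readable; an empty result means no NSSM-backed service matched either condition for the three SIDs checked.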
, have been observed using NSSM to create malicious services (e.g., "sysmon") that launch tunneling tools or establish persistence with elevated rights.
Investigative & Security Steps
To identify or prevent these issues, administrators should:
NSSM-2.24 remains a valuable tool in the Windows administrator's arsenal. Its ability to wrap arbitrary executables as resilient services is unmatched in simplicity. However, this value comes with a hidden cost. The vulnerabilities—ranging from CVE-2025-41686's improper permissions to the widespread unquoted service path issues—transform a utility into a reliable privilege escalation vector for any attacker with local access.