NSSM 2.24 Privilege Escalation Updated

This article provides an in-depth look at these updated threats, explaining why misconfigurations of NSSM pose a severe risk of local privilege escalation (LPE) and outlining the essential steps for mitigation.

The Non-Sucking Service Manager (NSSM) is a popular open-source utility used to run command-line applications as Windows services. Despite its utility, specific misconfigurations and legacy versions have exposed systems to local privilege escalation (LPE) vulnerabilities. This analysis covers the mechanics of the NSSM privilege escalation vector, why it remains a critical focus for security teams, and how to secure your environment against it.

Understanding the Vulnerability

NSSM itself is not inherently malicious, nor is version 2.24 universally broken by a single CVE flaw in the executable binary. Instead, privilege escalation occurs due to .

CVE‑2025‑41686 is a local privilege escalation vulnerability with a . The flaw stems from improper file permissions on the nssm.exe executable within the installation directories of various software products that bundle NSSM. A low‑privileged local attacker can exploit these overly permissive permissions to replace the legitimate nssm.exe with a malicious executable. When the associated Windows service (which often runs with SYSTEM privileges) is restarted — either by an administrator, a scheduled task, or a system reboot — the attacker’s payload executes with administrative rights, granting full control over the compromised machine.

Always wrap service paths in quotation marks during creation to eliminate the risk of unquoted service path exploitation.

NSSM stores service configurations in the Windows Registry. If a standard user can modify the ImagePath value or the Parameters subkey of an NSSM-managed service, they can redirect the service to run a malicious script with elevated privileges upon the next restart.

Updated Defensive Strategies for 2026

(active in early 2025) has been observed deploying NSSM to configure malicious services after gaining an initial foothold through other means.

    Get-WmiObject win32_service | Select-Object Name, DisplayName, PathName, StartMode

If the path to the NSSM executable contains spaces and is not enclosed in quotes, Windows may attempt to execute files at intercept points (e.g., C:\Program.exe instead of C:\Program Files\nssm.exe).
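
The two conditions described above, an unquoted service path containing spaces and a service binary that low-privileged users can overwrite, can be audited in one pass over the service list. This is an added example, not code from the original article; the set of SIDs treated as low-privileged and the output field names are assumptions, and it is meant to be run from an elevated PowerShell session.

```powershell
# Added audit example; not code from the original article.
# Assumption: these well-known SIDs stand for "low-privileged" principals.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Rights that let a principal overwrite, delete or re-ACL the service binary.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $raw = $svc.PathName
    if ([string]::IsNullOrWhiteSpace($raw)) { return }

    # Split the executable from its arguments: quoted form first, then bare form.
    if ($raw -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]; $quoted = $true
    } elseif ($raw -match '^\s*(.+?\.exe)(\s|$)') {
        $exe = $Matches[1]; $quoted = $false
    } else { return }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Unquoted path containing a space: the condition described in the text.
    $unquotedSpace = (-not $quoted) -and ($exe -match '\s')

    # Allow ACEs that give a low-privileged SID write-type access to the binary.
    $writableBy = @()
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $rules = (Get-Acl -LiteralPath $exe).GetAccessRules($true, $true, $sidType)
        $writableBy = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }

    if ($unquotedSpace -or $writableBy.Count -gt 0) {
        [pscustomobject]@{
            Service       = $svc.Name
            RunsAs        = $svc.StartName
            Executable    = $exe
            UnquotedSpace = $unquotedSpace
            WritableBySid = $writableBy -join ', '
        }
    }
}
```

Any row where RunsAs is LocalSystem and WritableBySid is non-empty matches the file-permission condition described for CVE-2025-41686 and should have its ACL tightened so that only administrators and SYSTEM can write to the binary.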