Understanding and Mitigating NSSM 2.24 Privilege Escalation Vulnerabilities

Attackers frequently target NSSM 2.24 installations to elevate from a low-privileged user to LocalSystem or Administrator rights using several techniques:

Binary Replacement: An attacker with low-level access replaces the nssm.exe binary with a malicious file (e.g., a reverse shell). Because NSSM usually runs as the LocalSystem account, the next time the service restarts, the attacker's code executes with full administrative power.

Unquoted Service Paths: If NSSM 2.24 is installed to manage a service, and the executable path contains spaces but is not surrounded by quotes, a local attacker can exploit this.

Writable Binary Paths in Bundled Software: A known advisory (ZSL-2017-5418) highlighted how NSSM 2.24, bundled with a third-party software suite, allowed non-privileged users to execute arbitrary code by replacing binaries in writable paths.

Key Technical Details
Vulnerable Version: NSSM 2.24 (often bundled with third-party software)
Common Path:

Root cause
A service is created using NSSM to run under the LocalSystem account. If a low-privileged user can write to the path the service executes from, the binary can be swapped for one the attacker controls. When the service resumes, the system executes the malicious binary under the context of the service's account, often LocalSystem, which possesses the highest level of privileges on the Windows operating system. The attacker can now perform any action restricted to system administrators, including altering system configurations, creating or modifying data, installing malware, or creating backdoor administrator accounts.

Securing NSSM 2.24 deployments requires adhering to the principle of least privilege and ensuring rigid access controls.

1. Enforce Strict File and Folder ACLs
Correct the permissions on your service folder: standard users should only have Read and Execute permissions.

Practical detection (quick checks)
Verify that low-privileged accounts cannot modify the registry keys associated with Windows services.

References and further reading
ZSL-2017-5418: advisory on NSSM 2.24 arbitrary code execution via writable binary paths.
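The following PowerShell script is an added, defender-side example; it is not code from the article or from the NSSM project. It implements the quick checks the article calls for: it walks every local service, flags binaries or service folders that low-privileged principals can write to, flags unquoted service paths that contain spaces, and checks whether those same principals can modify the service's registry key under HKLM:\SYSTEM\CurrentControlSet\Services. The list of low-privileged principals, the rights masks, and the icacls remediation (SYSTEM and Administrators full control, Users read and execute, matching the article's ACL rule) are this example's own assumptions. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the article or the NSSM project): audit local services for
# writable binaries/folders, unquoted paths with spaces, and writable service registry keys.
# Principal list, rights masks and the icacls remediation are assumptions of this example.
# Run from an elevated PowerShell session on the host being checked.

# Principals that should never hold write rights on a service's folder, binary or registry key.
$script:LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# File-system rights that let a user replace or modify the binary (Modify already implies Write/Delete).
$script:FsWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'
# Registry rights that let a user change ImagePath/ObjectName or re-permission the key.
$script:RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl, TakeOwnership, ChangePermissions'
# Generic access bits (GENERIC_ALL, GENERIC_WRITE) sometimes appear un-mapped in ACEs; treat them as write.
$script:GenericWriteBits = 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    # Extracts the executable from a Win32_Service PathName, quoted or unquoted.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: everything up to the first ".exe" is the executable, the rest is arguments.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

function Test-UnquotedServicePath {
    # True when the path is unquoted and the executable's own path contains spaces.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.Trim().StartsWith('"')) { return $false }
    $exe = Get-ServiceBinaryPath $PathName
    return [bool]($exe -and $exe.Contains(' '))
}

function Get-WeakAces {
    # Returns Allow ACEs that grant a low-privileged principal any right in $Mask.
    # $RightsProperty is 'FileSystemRights' for files/folders or 'RegistryRights' for HKLM:\ keys.
    param([string]$Path, [string]$RightsProperty, [int]$Mask)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $effectiveMask = $Mask -bor $script:GenericWriteBits
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($script:LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (([int]$_.$RightsProperty -band $effectiveMask) -ne 0)
    })
}

function Invoke-ServiceAudit {
    # Emits one object per service that has at least one finding.
    [CmdletBinding()]
    param([switch]$NssmOnly)   # restrict to services whose binary is nssm.exe
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        if ($NssmOnly -and $exe -notmatch '\\nssm\.exe$') { continue }
        $findings = [System.Collections.Generic.List[string]]::new()
        if (Test-UnquotedServicePath $svc.PathName) { $findings.Add('UnquotedPathWithSpaces') }
        $folder = Split-Path -Path $exe -Parent
        foreach ($ace in Get-WeakAces -Path $folder -RightsProperty FileSystemRights -Mask $script:FsWriteMask) {
            $findings.Add("FolderWritableBy=$($ace.IdentityReference.Value)")
        }
        foreach ($ace in Get-WeakAces -Path $exe -RightsProperty FileSystemRights -Mask $script:FsWriteMask) {
            $findings.Add("BinaryWritableBy=$($ace.IdentityReference.Value)")
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        foreach ($ace in Get-WeakAces -Path $key -RightsProperty RegistryRights -Mask $script:RegWriteMask) {
            $findings.Add("RegistryKeyWritableBy=$($ace.IdentityReference.Value)")
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                PathName = $svc.PathName
                Findings = ($findings -join '; ')
            }
        }
    }
}

function Repair-ServiceFolderAcl {
    # Resets a service folder's ACL to SYSTEM/Administrators full control and Users read+execute.
    # The icacls invocation is this example's assumption; review it with -WhatIf before applying.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Folder)
    if ($PSCmdlet.ShouldProcess($Folder, 'Reset ACL to SYSTEM:F, Administrators:F, Users:RX')) {
        & icacls.exe $Folder /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX'
    }
}

# Usage (hypothetical folder name):
#   Invoke-ServiceAudit -NssmOnly | Format-Table -AutoSize
#   Repair-ServiceFolderAcl -Folder 'C:\Program Files\ExampleApp' -WhatIf
```

Two caveats worth knowing before relying on the output: the `Users`, `Administrators` and `SYSTEM` names passed to icacls are the English well-known names and differ on localized Windows builds, and the audit only inspects explicit ACEs on the folder, binary and service key, so a folder inheriting weak rights from a parent is reported on that parent's ACE rather than with a separate "inherited" label. Running the script before and after applying the ACL fix gives a quick regression check that the service folder no longer shows a `FolderWritableBy` finding.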