Nssm-2.24 Privilege Escalation

net stop MyNSSMService
net start MyNSSMService

Before dissecting the vulnerabilities, it is essential to understand what NSSM is and why version 2.24 is so pervasive. NSSM, short for Non-Sucking Service Manager, is a service helper program. It solves a persistent problem in Windows: many simple applications and scripts are not designed to run as system services. NSSM bridges that gap by acting as a wrapper. It starts any application or command line script as a Windows service, automatically restarts it if it fails, and provides service-specific environment variables and logging capabilities. Unlike Microsoft’s own srvany.exe, NSSM is more robust, easier to configure, and remains actively maintained.


Before diving into the specific vulnerabilities, it is essential to understand what NSSM does and why it creates an attractive target for attackers. NSSM acts as a service wrapper that injects complete Windows service lifecycle management capabilities into ordinary executable programs without requiring code modification. When the service starts, the NSSM process takes control and runs the target executable with specified user contexts—often LocalSystem, NetworkService, or custom domain accounts. It monitors the process, restarts it upon failure, and forwards control requests from the Service Control Manager (SCM).

C:\> copy malicious.exe "C:\Program Files\VulnerableApp\bin\nssm.exe" /Y
C:\> sc stop "VulnerableService"
C:\> sc start "VulnerableService"

To prevent your NSSM installation from becoming a gateway for attackers, follow these security best practices:

1. Audit File System Permissions
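One way to carry out this audit, as an added example that is not part of the original page or of NSSM itself: the script lists services whose image path points at an NSSM binary and reports any write-capable ACE held by a low-privilege principal on that binary or its directory, plus unquoted paths containing spaces. The SID list, the write-rights mask, the `Get-WeakAce` helper name and the assumption that the wrapper is still named `nssm*.exe` are choices made for this example.

```powershell
# Added example: audit NSSM-wrapped services for replaceable binaries.
# Assumption: the wrapper binary is still named nssm*.exe in the service image path.
$lowPrivSids = @(
    'S-1-1-0'        # Everyone
    'S-1-5-11'       # Authenticated Users
    'S-1-5-4'        # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)
# Rights that let a principal replace or re-permission a file (example's own mask).
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-WeakAce([string]$Path) {
    # Returns Allow ACEs (explicit and inherited) granting write rights to a low-privilege SID.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivSids -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeBits)
    }
}

foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -notmatch 'nssm[^\\"]*\.exe') { continue }
    # Extract the executable from a quoted or unquoted image path.
    if     ($svc.PathName -match '^\s*"([^"]+)"')   { $exe = $Matches[1]; $quoted = $true }
    elseif ($svc.PathName -match '^\s*(.+?\.exe)')  { $exe = $Matches[1]; $quoted = $false }
    else   { continue }

    foreach ($target in $exe, (Split-Path -Path $exe -Parent)) {
        foreach ($ace in Get-WeakAce $target) {
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; Path = $target
                Finding = "write access for $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
            }
        }
    }
    if (-not $quoted -and $exe -match '\s') {
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName; Path = $exe
            Finding = 'unquoted image path containing spaces'
        }
    }
}
```

An empty result means no finding under these assumptions; any row for a service running as LocalSystem or another privileged account should have its ACL tightened so that only administrators and SYSTEM can write.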

Version 2.24 was the last build before these patches. It exists in countless enterprise golden images, legacy application stacks, and developer test environments where security updates are deprioritized.

This allows an unprivileged user to:

CVE-2024-51448 documents this exact behavior in IBM Robotic Process Automation. All files in the install inherited the file permissions of the parent directory, allowing a non-privileged user to substitute any executable for the nssm.exe service. A subsequent service restart would then execute the attacker's binary with administrator privileges, granting immediate escalation.

NSSM-2.24 remains a valuable tool in the Windows administrator's arsenal. Its ability to wrap arbitrary executables as resilient services is unmatched in simplicity. However, this value comes with a hidden cost. The vulnerabilities—ranging from CVE-2025-41686's improper permissions to the widespread unquoted service path issues—transform a utility into a reliable privilege escalation vector for any attacker with local access.