Nssm-2.24 Privilege Escalation Here

sc config MyNSSMService binPath= "cmd.exe /c C:\temp\reverse_shell.exe"

: NSSM is widely deployed across enterprise environments and is considered a legitimate system administration tool, making it less likely to raise suspicion.

Use security auditing tools to scan for unquoted service paths ( [wmic service get name,displayname,pathname,startmode](https://microsoft.com) ).

on a specific service directory.

Security breaches resulting from such vulnerabilities can lead to regulatory compliance violations (GDPR, HIPAA, PCI-DSS, etc.), with associated financial penalties and reputational damage. nssm-2.24 privilege escalation

An authenticated, low-privileged user can achieve full SYSTEM privileges on the affected host. This compromises integrity, confidentiality, and availability.

: Use tools like icacls to verify that the "Users" group does not have "Full Control" over service binaries.

: If an application uses NSSM to run a service but fails to enclose the path to in quotation marks (e.g., C:\Program Files\App\nssm.exe ), a local attacker can place a malicious file (like C:\Program.exe ) to gain elevated SYSTEM privileges upon a reboot. Insecure Executable Permissions : If the folder containing

: The attacker enumerates installed services and identifies any running with NSSM, particularly those executing under high-privilege accounts (LocalSystem). sc config MyNSSMService binPath= "cmd

: An attacker gains low-level interactive access to the target system (e.g., through a compromised user account, phishing, or remote access trojan).

: Ensure the directory containing nssm.exe is only writable by Administrators or the TrustedInstaller .

The most common privilege escalation involving NSSM 2.24 stems from "Unquoted Service Paths".

sc config MyNSSMService binPath= "C:\Program Files\SecureApp\app.exe" obj="NT AUTHORITY\LocalService" : Use tools like icacls to verify that

Typical exploitation scenarios

If the Users or Everyone security group is granted or Full Control (F) access to the directory containing nssm.exe , or to the binary itself, the system becomes completely vulnerable. The Attack Vector Breakdown (CVSS:3.1 / 7.8 High)

The attacker places a malicious executable (e.g., a reverse shell) at C:\Program.exe .

Summary

If you’re a security researcher testing NSSM 2.24 in a lab, review: