Deep Dive: NSSM224 Privilege Escalation (Updated)

The Non-Sucking Service Manager (NSSM) is a popular utility used by system administrators to run ordinary applications as Windows services. While highly efficient, misconfigurations in how services are deployed using NSSM can introduce critical security vulnerabilities. Specifically, "NSSM224 privilege escalation" refers to exploitation vectors involving NSSM version 2.24 (and similar releases) where weak file permissions or registry access control lists (ACLs) allow low-privileged users to elevate their access to NT AUTHORITY\SYSTEM.
Inside this key, NSSM creates a subkey named Parameters containing values like Application, AppDirectory, and AppParameters. If the permissions on these registry keys allow standard users to write or modify values, the system is compromised.
The attacker modifies the registry path to point to a malicious payload, such as a reverse shell executable or a script that adds a new administrator account.
These changes must be reapplied after any software update or reinstallation that replaces the NSSM binary.
If an administrator installs a service using nssm.exe and leaves the binary in a location writable by users (e.g., C:\ProgramData or C:\Users\Public), an attacker can: the legitimate nssm.exe. Replace it with a malicious executable renamed to nssm.exe.
Privilege escalation via NSSM typically involves "Improper Permissions" (CWE-306 or CWE-639). Because Windows services often run with SYSTEM or Administrative privileges, the binaries associated with them are highly sensitive. If an installer places nssm.exe in a directory where a standard, low-privileged user has "Write" or "Modify" permissions, that user can replace the legitimate binary with a malicious one.
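
The following PowerShell audit is an added example, not code from the original page or from the NSSM project. It covers both the registry ACL and the writable-binary conditions described above by reporting any non-trusted principal with write-type access to an NSSM wrapper binary, its folder, the service's Parameters key, or the Application target. The HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters location, the $Trusted list, and the nssm*.exe name filter are assumptions not stated on the page.

```powershell
# Added audit example (not from the original page). Read-only: it only reports.
# Assumption: principals listed here are trusted to control services on this host.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Write-type bits shared by file and registry ACEs: WriteData/SetValue (0x2),
# AppendData/CreateSubKey (0x4), delete-child on folders (0x40), Delete, WRITE_DAC, WRITE_OWNER.
$WriteMask = 0x000D0046

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this object.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        $prop = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { 'FileSystemRights' } else { 'RegistryRights' }
        if (([int]($ace.$prop) -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.$prop }
        }
    }
}

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # Extract the executable from a quoted or unquoted service image path.
    if (-not ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)')) { continue }
    $wrapper = $Matches['exe']
    if ((Split-Path -Leaf $wrapper) -notlike 'nssm*.exe') { continue }

    $paramKey = "$servicesRoot\$($svc.Name)\Parameters"
    $params = Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue
    # Check the wrapper, its folder, the Parameters key, and the wrapped application.
    $targets = @($wrapper, (Split-Path -Parent $wrapper), $paramKey, $params.Application) | Where-Object { $_ }
    foreach ($t in $targets) {
        Get-WritableAce -Path $t | Select-Object @{ n = 'Service'; e = { $svc.Name } }, Path, Identity, Rights
    }
}
```

No output means no write-type ACE for an untrusted principal was found on the checked objects; a renamed wrapper binary is not detected by the name filter.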