Nssm-2.24 Privilege Escalation May 2026

Using accesschk.exe from Sysinternals or PowerShell, the attacker checks if they have SERVICE_CHANGE_CONFIG or WRITE_DAC rights:

accesschk.exe -uwcqv "Authenticated Users" <service_name>
accesschk.exe -uwcqv "BUILTIN\Users" <service_name>

If the attacker has write access to the service configuration (often misconfigured in legacy systems), they can proceed.

sc config MyNSSMService binPath= "\"C:\Program Files\SecureApp\app.exe\"" obj= "NT AUTHORITY\LocalService"

(sc.exe requires a space after each "option=", and the inner escaped quotes keep a path containing spaces quoted in ImagePath; passing the path without them would itself create an unquoted service path.)

Stay secure. Never trust legacy wrappers with SYSTEM privileges.

Understanding NSSM-2.24 and Potential Privilege Escalation

NSSM (the Non-Sucking Service Manager) version 2.24 is a widely used utility that allows administrators to wrap any executable or script into a Windows service. While NSSM itself is not inherently "vulnerable" in its core code, the way it is deployed and configured, especially in version 2.24, frequently introduces Local Privilege Escalation (LPE) vulnerabilities in the host systems it manages.

Common Attack Vectors Involving NSSM-2.24

Privilege escalation typically occurs not because of a bug in NSSM, but because of misconfigurations in the services it creates. In many cases, these misconfigurations allow a low-privileged user to gain SYSTEM or Administrator access.

1. Unquoted Service Paths

This is the most common vulnerability associated with NSSM-2.24 deployments.

The Issue: If a service's executable path contains spaces and is not enclosed in double quotes, Windows may misinterpret the path. For example, if the path is C:\Program Files\My Service\nssm.exe, Windows might try to execute C:\Program.exe first.

The Exploit: If a low-privileged user has write access to the root directory (e.g., C:\), they can place a malicious binary named Program.exe there. When the service restarts, Windows executes the malicious file with the elevated privileges of the service (often LocalSystem).

2. Insecure Permissions on NSSM.exe

Non-Sucking Service Manager (NSSM) version 2.24 itself does not have a documented, inherent code-based privilege escalation vulnerability. However, it is frequently cited in security reviews due to unquoted service path vulnerabilities and insecure permissions created by the applications that use it as a wrapper.

Key Security Concerns for NSSM 2.24

Unquoted Service Path: If an application uses NSSM to run a service but fails to enclose the path in quotation marks (e.g., C:\Program Files\App\nssm.exe), a local attacker can place a malicious file (such as C:\Program.exe) to gain elevated SYSTEM privileges upon a reboot.

Insecure Executable Permissions: If the folder containing nssm.exe or the binary it wraps has "Full Control" or "Write" permissions for the "Users" group, an attacker can replace the binary with a malicious one.

Abuse by Malware: Because NSSM is a legitimate tool for managing services, threat actors often use it to establish persistence for their own tools (e.g., tunneling software or ransomware) while appearing as a standard system service.

Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations. Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.

Primary Escalation Vectors

When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:

For NSSM 2.24, a critical feature to address privilege escalation vulnerabilities is a Permission Integrity Check & Lockdown module.

This feature focuses on mitigating the primary way attackers exploit NSSM: replacing the nssm.exe binary or its associated application executable due to insecure file permissions.

Key Components of the "Secure Lockdown" Feature

Automated Permission Audit: Upon service installation or startup, NSSM should scan its own binary path and the target application path. It would flag if high-risk groups (e.g., "Everyone," "Users," or "Authenticated Users") have Write or Full Control permissions.

Mandatory Quoted Paths: The tool should automatically enforce quoted service paths in the Windows registry to prevent "Unquoted Service Path" exploits, where Windows might execute a malicious binary with a similar name in a parent folder.

Binary Hash Verification: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.

"Least Privilege" Mode: A toggle to ensure the service defaults to a virtual account or a low-privileged user instead of the "LocalSystem" account, which is the most frequent target for attackers looking for administrative control.

Why this is needed

NSSM 2.24 is frequently cited in security advisories because third-party installers (like CouchDB or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine.
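The following read-only audit script is an added example, not code from the page or from the NSSM project. It implements the permission audit, quoted-path check and SHA-256 baseline described above for every installed service, and assumes it is run in an elevated PowerShell session on the host being audited; it changes nothing.

```powershell
# Added example (not from the page or the NSSM project): audit services for the two
# misconfigurations described above. Read-only; assumes an elevated session.

$RiskyIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteRights     = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

# Recover the executable from a service's ImagePath (quoted or not).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return ($PathName -split '"')[1] }  # quoted: first token
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }           # unquoted: up to .exe
    return ($PathName -split ' ')[0]
}

# True when a broad group holds an Allow ACE with write/modify/full control.
function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($r in (Get-Acl -LiteralPath $Path).Access) {
        if ($r.AccessControlType -eq 'Allow' -and
            $RiskyIdentities -contains $r.IdentityReference.Value -and
            (([int]$r.FileSystemRights) -band ([int]$WriteRights)) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { continue }
    $unquoted = (-not $svc.PathName.StartsWith('"')) -and ($exe -match ' ')
    $weakExe  = Test-BroadWriteAccess $exe
    $weakDir  = Test-BroadWriteAccess (Split-Path -Parent $exe)
    if ($unquoted -or $weakExe -or $weakDir) {
        $hash = if (Test-Path -LiteralPath $exe) {
            (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName          # LocalSystem findings matter most
            Binary         = $exe
            NssmWrapped    = [bool]($exe -match 'nssm(\.exe)?$')
            UnquotedPath   = $unquoted
            WritableBinary = $weakExe
            WritableFolder = $weakDir
            Sha256         = $hash                   # baseline for later integrity checks
        }
    }
}
$findings | Sort-Object RunsAs | Format-Table -AutoSize
```

Store the Sha256 column from a known-good run and diff it against later runs; a changed hash on an nssm.exe or wrapped binary is the replacement scenario the page warns about.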


In multi-tenant environments (VDI, Citrix, shared kiosks), a low-privilege user who finds NSSM 2.24 installed on the base image can escalate to SYSTEM and escape their session container.

Summary

Technical background (how unquoted service path LPE works)

  • If an attacker can place an executable at one of the checked prefixes that runs earlier than the intended binary, that binary will run with service privileges (often SYSTEM).
  • NSSM is commonly shipped/used as the service binary (nssm.exe). If a service uses an unquoted ImagePath that references nssm in a folder path with spaces, and a writable prefix exists, NSSM deployments become exploitable.

Evidence and observed occurrences

Exploitation conditions (what an attacker needs)

Typical exploitation steps (conceptual)

Limitations and real-world constraints

Proofs-of-concept and tooling

Mitigations and remediation

Vendor guidance and disclosure practices

Practical detection (quick checks)

  • Check candidate prefixes with Test-Path and attempt to create a benign file to prove writeability (in a safe, authorized test).

Responsible testing and legal/ethical notes

References and further reading

In a locked-down environment, the user cannot start the service themselves. However, an attacker can simply wait for the server to reboot (or trigger a crash/reboot via another vector), at which point the service starts automatically.