NSSM 2.24 Privilege Escalation (Updated)
If the directory containing the target application executable managed by NSSM has weak permissions, an attacker can simply replace the legitimate binary with a malicious one (e.g., a reverse shell or a payload that creates a new administrator user). When the service restarts, NSSM executes the malicious payload with SYSTEM privileges.

2. Registry Modification (Weak Key Permissions)
| Weakness | Fix |
|----------|-----|
| Weak registry ACL | Restrict modify rights on the NSSM `Parameters` key to SYSTEM and Administrators only |
| Weak service DACL | Restrict SERVICE_CHANGE_CONFIG to administrators |
| Unquoted path | Quote the full binary path when installing the service with NSSM |
| AppParameters injection | Validate/sanitize, or avoid user-writable parameters |
Unquoted service paths can be enumerated with the following command (note that wmic is deprecated and no longer shipped on recent Windows 11 builds; `Get-CimInstance Win32_Service` exposes the same fields):

```cmd
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```
When the service restarts (often upon system reboot), Windows resolves the unquoted path to C:\Program Files\App.exe and executes it with SYSTEM privileges instead of the legitimate nssm.exe.

Updated NSSM 2.24 Privilege Escalation Scenarios (2026)
While NSSM 2.24 itself is an older version, it is frequently used by legitimate software and malicious actors alike to maintain persistence on Windows systems.

Vulnerability Overview (Securelist): NSSM 2.24. Vulnerability Type: Local Privilege Escalation (LPE).
Deploy robust application control frameworks such as Windows AppLocker or Windows Defender Application Control (WDAC). Configure policies to block unapproved binaries from running outside specified, protected system directories.

Conduct Regular Audits
Finally, the attacker attempts to restart the service to execute the payload:

```cmd
sc stop TargetService
sc start TargetService
```
If the ACL check (Get-Acl) returns any IdentityReference entries other than SYSTEM or Administrators holding write permissions, the binary is vulnerable.
When Windows attempts to start a service, it reads the binary path from the registry. If the path contains spaces and is not quoted, Windows tries each space-delimited prefix of the path as the executable, treating the remainder as command-line arguments rather than as part of the path.
If the icacls output shows `BUILTIN\Users:(M)` or `NT AUTHORITY\Authenticated Users:(I)(F)`, the directory or file can be overwritten by any standard user.
The German CERT@VDE advisory identified that Phoenix Contact’s DaUM product, used for industrial device management, suffers from exactly this misconfiguration. The product installer sets insecure permissions on nssm.exe, allowing a low‑privileged local user to execute arbitrary code with administrative privileges. All versions of DaUM prior to 2025.3.1 are affected, with the fix requiring an update to the latest release.