Types of Auditing

CouchDB 2.0.0 had weak file permissions that allowed non-privileged users to replace the nssm.exe binary itself with a malicious one, which would then run as an administrator upon service restart.

The vulnerability is often associated with improper input validation and handling within NSSM. Attackers can craft malicious input to exploit this weakness, potentially leading to:

The NSSM-2.24 exploit refers to a critical vulnerability discovered in the Non-Sucking Service Manager (NSSM) version 2.24. NSSM is a popular, open-source service manager for Windows that allows users to manage and monitor services on their systems. While NSSM is widely used for its reliability and flexibility, version 2.24 has been found to contain a significant security flaw that could be exploited by malicious actors.

Groups like Akira and Head Mare have been observed using NSSM to make their traffic tunneling tools (like Localtonet) persistent on victim machines.

Historical Security Concerns

Unquoted Service Paths

The Non-Sucking Service Manager remains a valuable tool for legitimate system administration. Its security problems are solvable—but only when defenders and vendors acknowledge that, in the wrong hands, even helpful tools can be exploited. Understanding the threats documented in this article is the first step toward that acknowledgment.

Windows Security Event ID 4697 (A service was installed in the system) should be monitored for services whose binary path points to an nssm.exe instance. Cross-reference these installations with authorized change management records to identify potentially malicious service creation.

Look for the ACE (A;;RPWPCCDCLCSWRCWDWOGA;;;AU), which grants Authenticated Users the right to change the service configuration. Remove with:

Monitor for unauthorized NSSM installations to detect "living-off-the-land" attacks.

Because NSSM is designed to keep services running no matter what, threat actors often use it to ensure their backdoors or coinminers (like XMRig) stay active on compromised systems.

Notable "Bugs" vs. Exploits