NSSM 2.24 Privilege Escalation

Organizations should treat this vulnerability with urgency. Any system running a service managed by NSSM 2.24 should be audited for weak file permissions. Where possible, upgrade to the 2.25 pre‑release builds or apply manual permission hardening. And for security teams designing their own software deployments, this vulnerability serves as a cautionary tale: . Always verify and, if necessary, restrict permissions explicitly as part of your deployment automation.

A proof-of-concept (PoC) exploit for the NSSM 2.24 privilege escalation vulnerability is publicly available. The following example demonstrates how to create a malicious service configuration file:

Notes on prerequisites:

This vulnerability was identified in versions 21.0.0 through 23.0.18. The flaw occurs because the installer allows all files in the installation directory to inherit the permissions of the parent folder. Consequently, a non-privileged user can replace the nssm.exe service binary. A subsequent service or server restart executes that binary with administrative rights.

You should assume that an attacker could have already replaced the binary.

Security Operations Center (SOC) teams should monitor their environments for the following anomalous behaviors:

Check service ImagePath and account:
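
One way to carry out this check from the defender's side, as an added example that is not part of the original page: the PowerShell below lists services whose ImagePath points at nssm.exe, shows the account each runs as, and reports any Allow ACE that grants write-type rights on the wrapper or the wrapped application to a principal outside `$trusted`. The `$trusted` list and the `nssm.exe` file-name match are assumptions to adjust for your environment.

```powershell
# Added example: audit NSSM-managed services for replaceable binaries.
# Run from an elevated prompt on the host being audited.

# Assumption: only these principals should hold write access.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Rights that allow replacing a file or rewriting its ACL, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeMask) -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

# Assumption: the wrapper keeps its default file name, nssm.exe.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm\.exe' } | ForEach-Object {
    $svc = $_
    # ImagePath may be quoted and may carry arguments; keep only the executable.
    $wrapper = if ($svc.PathName -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $Matches[1] }
               else { $svc.PathName }

    # NSSM stores the wrapped application's path under the service's Parameters key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $key -Name Application -ErrorAction SilentlyContinue).Application

    foreach ($file in @($wrapper, $app) | Where-Object { $_ }) {
        foreach ($ace in Get-WritableAce -Path $file) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                File     = $file
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}
```

Any row returned is a service binary that an account outside the trusted set can modify; an empty result means no such ACE was found on the files checked.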

In versions prior to 2.24.1 and some legacy 2.24 builds, NSSM allowed a low-privileged user (with SERVICE_CHANGE_CONFIG rights on a service they control) to launch an arbitrary executable as SYSTEM. The attack flow looked like this:

Monitor Windows Security Event ID 7045 (A new service was created) and Event ID 7040 (The start type of a service was changed).

: A classic method involving replacing sethc.exe with cmd.exe, allowing administrative command prompt access from the login screen.

Vulnerabilities and Impacts (Updated for 2024-2026)

While NSSM 2.24 itself is an older version, it is frequently used by legitimate software and malicious actors alike to maintain persistence on Windows systems. Securelist Vulnerability Overview NSSM 2.24. Vulnerability Type: Local Privilege Escalation (LPE).