Nssm-2.24 Privilege Escalation Link Jun 2026

icacls "C:\Path\To\nssm.exe" /remove "Authenticated Users" /t
icacls "C:\Path\To\nssm.exe" /remove "Users" /t

The "nssm-2.24 privilege escalation" vulnerability refers to a class of security flaws impacting the Non-Sucking Service Manager (NSSM), a popular Windows tool for running any application as a service. Specifically, it highlights how improper file permissions on the nssm.exe executable can allow a low-privileged local user to gain administrative access. This article provides a comprehensive analysis of the vulnerability, its technical underpinnings, associated CVEs, real-world exploitation scenarios, and essential mitigation steps.

DLL search-order or dependency hijack

If the Access Control Lists (ACLs) on these folders are misconfigured, low-privileged users (like members of the Authenticated Users or Users group) may possess write or modify permissions.

Avoid running services under the LocalSystem account whenever possible. Configure services to run under dedicated low-privilege service accounts with only the minimum permissions necessary for the application to function.

sc config MyNSSMService binPath= "\"C:\Program Files\SecureApp\app.exe\"" obj= "NT AUTHORITY\LocalService"

The attacker renames the original nssm.exe (if permissions allow) or overwrites it with their malicious version.

Step 4: Triggering Execution

The most common structural flaw involves Discretionary Access Control Lists (DACLs). When vendors embed NSSM 2.24 to orchestrate background processes, the installer may write the nssm.exe binary into an application subdirectory without explicitly hardening its access rights.
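An audit for the weak DACLs described above, covering both the service executable and the folder that holds it. This is an added example, not code from the original page or from the NSSM project; the function names, the write-rights mask and the inclusion of the Everyone group are assumptions made for illustration.

```powershell
# Added example: report services whose executable, or its parent folder,
# grants write-capable rights to broad low-privileged groups.
# Run from an elevated prompt so every ACL can be read.

# Groups named on the page, plus Everyone (assumption).
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Rights that allow replacing or re-permissioning a file, plus the raw
# GENERIC_ALL / GENERIC_WRITE bits that inherit-only folder ACEs can carry.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x10000000 -bor 0x40000000

function Get-ServiceImagePath([string]$PathName) {
    # Win32_Service.PathName holds the command line; pull out the executable.
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Get-WeakAce([string]$Path) {
    # Allow ACEs on $Path that give a broad group any right in $mask.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }

    foreach ($target in $exe, (Split-Path -Parent $exe)) {
        foreach ($ace in Get-WeakAce $target) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                # Unquoted command line containing a space: the separate
                # unquoted-path issue, worth fixing at the same time.
                Unquoted = ($svc.PathName -notmatch '^\s*"') -and ($exe -match ' ')
                Target   = $target
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}
```

Any row where RunsAs is LocalSystem and Target is an nssm.exe binary or its folder is the misconfiguration this article is about; an empty result means no broad-group write access was found on installed service binaries.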

While unquoted paths are a generic Windows issue, many older installation scripts, wrappers, and tutorials used NSSM 2.24 without enforcing proper quoting. The prevalence of this version in legacy systems, and its frequent usage in automating service creation, made it a common vector in penetration tests and real-world attacks.

Mitigation and Defense Strategies

Attackers frequently target NSSM for several strategic reasons: