Before dissecting the vulnerabilities, it is essential to understand what NSSM is and why version 2.24 is so pervasive. NSSM, short for Non-Sucking Service Manager, is a service helper program. It solves a persistent problem in Windows: many simple applications and scripts are not designed to run as system services. NSSM bridges that gap by acting as a wrapper. It starts any application or command line script as a Windows service, automatically restarts it if it fails, and provides service-specific environment variables and logging capabilities. Unlike Microsoft's own srvany.exe, NSSM is more robust, easier to configure, and remains actively maintained.
An attacker can place a malicious program.exe in C:\ or nssm.exe in C:\Program Files\. When the service restarts, Windows may execute the attacker's file instead of the intended one, granting SYSTEM privileges.

Exploitation in the Wild: Due to its known behavior and role in historical vulnerabilities (like the Odoo or CouchDB exploits), it is a favorite for Capture The Flag (CTF) challenges and penetration testing certifications.
Implementing a robust Endpoint Detection and Response (EDR) solution can block the execution of untrusted binaries that replace nssm.exe.
Or simpler: try to change the binary path.
Ensure that the directory containing nssm.exe and the application binaries it manages is only writable by Administrators (SYSTEM or the Administrators group). Low-privileged users should have only Read & Execute permissions.
Use tools (such as file integrity monitoring) to detect when nssm.exe or the binary it launches is modified or replaced.
Assume an attacker has gained initial access to a Windows 10 or Windows Server 2016 machine as a low-privileged user (e.g., via a phishing email or a vulnerable web app).
This article provides a comprehensive technical analysis of how privilege escalation occurs via NSSM 2.24, the underlying mechanisms of the exploit, and actionable mitigation strategies to secure your environment.

The Core Concept: Windows Service Privilege Escalation
If a low-privileged user has write access to the root directory (e.g., C:\), they can place a malicious binary named Program.exe there. When the service restarts, Windows executes the malicious file with the elevated privileges of the service (often LocalSystem).

2. Insecure Permissions on NSSM.exe
wmic service get name,displayname,pathname,startmode | findstr /i "nssm"

Output example:
If the BINARY_PATH_NAME points to an NSSM executable (e.g., C:\nssm-2.24\win32\nssm.exe), the service is a candidate.
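The same enumeration turned into a defender's audit, as an added example that is not part of the original article: it lists every NSSM-wrapped service and flags the two conditions discussed above (an unquoted service path, and a directory for nssm.exe or the wrapped application that low-privileged principals can write to), plus a SHA256 baseline of nssm.exe for change detection. The list of principals treated as low-privileged is an assumption; extend it for your domain.

```powershell
# Added audit script, not from the original article. Run from an elevated prompt.
# Which principals count as "low-privileged" is an assumption for this example.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    # True if any Allow ACE grants write-class rights to a low-privileged principal.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-ExeFromPathName {
    # Extract the executable from a service PathName, whether quoted or not.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]   # unquoted: the path ends at the first space
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' } | ForEach-Object {
    $nssmExe = Get-ExeFromPathName $_.PathName
    # NSSM records the wrapped application under the service's Parameters key.
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $app = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).Application
    $appDirWritable = if ($app) { Test-LowPrivWritable (Split-Path -Parent $app) } else { $null }
    [pscustomobject]@{
        Service         = $_.Name
        RunsAs          = $_.StartName
        UnquotedPath    = ($_.PathName -notmatch '^"') -and ($_.PathName -match ' ')
        NssmDirWritable = Test-LowPrivWritable (Split-Path -Parent $nssmExe)
        AppDirWritable  = $appDirWritable
        NssmSha256      = (Get-FileHash -LiteralPath $nssmExe -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
} | Format-Table -AutoSize
```

Any row with UnquotedPath, NssmDirWritable or AppDirWritable set to True is a service to fix with the permission and path hardening described in the mitigation section; the NssmSha256 column is the baseline to compare against on later runs.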