Nssm224 Privilege Escalation Updated

Even with quoted paths, NSSM 2.18 through 2.24 sometimes inherit weak ACLs (Access Control Lists) on the registry key: HKLM\SYSTEM\CurrentControlSet\Services\MyService

For years, system administrators and developers have relied on NSSM to run executables, batch scripts, and legacy applications as Windows services. Version 2.24 (nssm224) is one of the most widely deployed iterations due to its stability and simplicity.

copy malicious_payload.exe nssm.exe /Y

To check for weak registry permissions on the NSSM service parameters:

Before diving into the vulnerability, it is important to understand what NSSM is and why it is so widely used. NSSM — short for “Non‑Sucking Service Manager” — is a lightweight, open‑source utility that allows administrators to run any executable as a native Windows service. Unlike Microsoft’s built‑in srvany, NSSM provides robust features such as automatic service restarts, logging, and graceful shutdown handling. NSSM is especially popular because it works with any application — console apps, scripts, Java JARs, Node.js servers — without requiring any modifications to the application itself.

net stop nssm_managed_service && net start nssm_managed_service

Do you need to automate the detection of these vulnerabilities?

To defend against these updated privilege escalation threats, system administrators must take immediate action.

Scenario B — Registry-based ImagePath modification

This vulnerability was identified in versions 21.0.0 through 23.0.18. The flaw occurs because the installer allows all files in the installation directory to inherit the permissions of the parent folder. Consequently, a non-privileged user can replace the nssm.exe service binary. A subsequent service or server restart executes that binary with administrative rights.