Nssm-2.24 Privilege Escalation Jun 2026

Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience—not security. Its core features that enable privilege escalation include:

The most common structural flaw involves Discretionary Access Control Lists (DACLs). When vendors embed NSSM 2.24 to orchestrate background processes, the installer may write the nssm.exe binary into a application subdirectory without explicitly hardening its access rights.

If the Access Control Lists (ACLs) on these folders are misconfigured, low-privileged users (like members of the Authenticated Users or Users group) may possess write or modify permissions.

This exact scenario has been identified in multiple enterprise tools that bundle NSSM. IBM documented this issue in their Robotic Process Automation (RPA) software (APAR JR64937), where the IBMRPALicenseMetricService had an unquoted path containing spaces. IBM acknowledged that this allowed local privilege escalation and released a fix to add quotes around the service path. Odoo 12.0 and ExpressVPN similarly had documented unquoted service path vulnerabilities involving nssm.exe . nssm-2.24 privilege escalation

NSSM (Non-Sucking Service Manager) version 2.24 (and possibly prior versions)

: It monitors the target application, automatically restarts it if it crashes, and logs output to the system Event Log.

sc config "ServiceName" binPath= "\"C:\Program Files\NSSM\nssm.exe\" install..." Use code with caution. 2. Upgrade NSSM When vendors embed NSSM 2

$ cd C:\ProgramData\SomeApp\bin

The recurring pattern of privilege escalation via NSSM-2.24 highlights a systemic issue: the assumption that "simple tools" are not threats. NSSM is a utility designed for convenience, and in many ways, that convenience has inadvertently created an easement for attackers. For security architects and IT administrators, the following strategic steps are imperative:

The risk is too high for any environment with multiple users or exposure to untrusted code. The convenience of NSSM does not outweigh the privilege escalation threat. Even if you "trust" your users, malware running as a user can rapidly abuse NSSM to gain SYSTEM. IBM documented this issue in their Robotic Process

: If a low-privileged user has write access to the root directory (e.g., C:\ ), they can place a malicious binary named Program.exe there. When the service restarts, Windows executes the malicious file with the elevated privileges of the service (often LocalSystem ). 2. Insecure Permissions on NSSM.exe Pelco VideoXpert 1.12.105 - Local Privilege Escalation

CVE-2025-41686 Severity: High (CVSS: 7.8) Attack Vector: Local (AV:L) Privileges Required: Low (PR:L) Impact: System Compromise, Administrative Access