
NSSM 2.24 Privilege Escalation

Understanding and Mitigating NSSM 2.24 Privilege Escalation Vulnerabilities

When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:

NSSM is a widely utilized open-source utility that allows administrators to wrap ordinary Windows command-line applications or scripts into background Windows services. Because Windows services managed by NSSM frequently execute with elevated rights, such as LocalSystem or administrative privileges, the interaction between NSSM and the host operating system creates a prime target for attackers looking to escalate privileges.

Proactive monitoring can catch misconfigurations before they are exploited.

By replacing the NSSM binary, attackers can establish persistent backdoors that survive system reboots and service restarts.

Ensure all service paths are properly quoted. Example: "C:\Program Files\My App\nssm.exe"

The Non-Sucking Service Manager (NSSM) is a popular tool for running any application as a Windows service. While the tool itself is not inherently malicious, it is frequently exploited for Local Privilege Escalation (LPE) due to misconfigurations or unquoted service paths.

Core Vulnerability: Unquoted Service Paths

Services managed by NSSM often run as LocalSystem, providing immediate administrative access upon successful exploitation.

When Windows starts a service, it parses the path to the executable. If the path contains a space (e.g., C:\Program Files\App\nssm.exe) and is not enclosed in quotation marks, the SCM follows a specific order to resolve the path. It looks for C:\Program.exe, then C:\Program Files\App\nssm.exe.
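The resolution order described above can be turned into an audit over exported service ImagePath values. The following is an added example, not code from NSSM or from this page; the service names and paths are constructed, and treating the first ".exe" as the end of the intended executable is a heuristic assumption.

```python
import re


def _as_executable(prefix: str) -> str:
    """Windows appends .exe when the last path component has no extension."""
    name = prefix.rsplit("\\", 1)[-1]
    return prefix if "." in name else prefix + ".exe"


def hijack_candidates(image_path: str) -> list[str]:
    """Paths Windows tries before the intended binary for an unquoted ImagePath.

    An empty list means the value is quoted or its executable path has no space.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return []  # quoted: the path is taken as written
    # Heuristic (assumption): the intended executable ends at the first ".exe".
    match = re.search(r"\.exe", value, re.IGNORECASE)
    exe_path = value[: match.end()] if match else value
    # Each space inside the executable path is a point where parsing can stop.
    return [_as_executable(exe_path[: m.start()]) for m in re.finditer(" ", exe_path)]


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an unquoted, space-containing path to its candidates."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


# Constructed sample data: hypothetical service names and ImagePath values.
SAMPLE_SERVICES = {
    "AppWorker": r"C:\Program Files\My App\nssm.exe",
    "AppQuoted": r'"C:\Program Files\My App\nssm.exe"',
    "ToolSvc": r"C:\Tools\nssm.exe",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; quote it. Windows would try first: {paths}")
```

Each reported candidate is a location whose write permissions should be checked, and the fix for a flagged service is to quote its path.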


| Vulnerability Identifier | CVSS Score | Attack Vector | Root Cause |
|---|---|---|---|
| | 7.8 (High) | Local, Low Privilege | Improper file permissions on nssm.exe allow binary replacement |
| CVE-2024-51448 | 7.8 (High) | Local, Low Privilege | Inherited weak directory permissions in IBM RPA |
| CVE-2016-20033 | 7.8 (High) | Local, Authenticated | Full access granted to Everyone group for nssm_x64.exe in Wowza Streaming Engine |
| Unquoted Service Path | N/A (Systemic) | Local, Low Privilege | Service binary path with spaces lacks quotation marks |

The attacker runs:

This is the most common vulnerability associated with NSSM-2.24 deployments.

Once elevated on one machine, the attacker harvests domain admin tickets or service account passwords, moving across the network.