
NSSM 2.24 Privilege Escalation

Ensure you are using the latest version of the utility, though the underlying issue is often a configuration error.

Upgrade: Move to the NSSM 2.25 pre-release or a newer version to fix known handle leaks and Windows 10 bugs.

accesschk.exe -accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService"

This article explores the technical details of the NSSM 2.24 privilege escalation, how it is exploited, and, more importantly, how to secure systems against it.

What is the NSSM 2.24 Privilege Escalation?

The attacker creates a malicious executable (e.g., a reverse shell) and drops it at C:\Program Files\Application.exe.

The Non-Sucking Service Manager (NSSM) version 2.24 is susceptible to a Local Privilege Escalation (LPE) vulnerability. NSSM is a utility used to wrap arbitrary applications as Windows Services. Due to insufficient sanitization of the application path and arguments when installed as a service, a local attacker can manipulate the service binary path to execute arbitrary code with SYSTEM privileges.

Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards:

The nssm-2.24 privilege escalation vulnerability is a serious risk on older Windows systems. By failing to secure the service executable or path, it provides a straightforward avenue for attackers to move from a standard user to a system administrator. Upgrading to the latest version and ensuring strict file permissions on service executables is essential to securing the environment.

Observed abuse: nssm-2.24 has been used to create malicious services (named like legitimate components such as sysmon) that launch tunneling tools like Ngrok.

sc query state= all | findstr /i "SERVICE_NAME"

sc qc MyNSSMService | findstr /i "BINARY_PATH_NAME"

The attacker runs:

When a Windows service is created, its executable path should be surrounded by quotation marks if it contains spaces. Without quotes, Windows parses the path ambiguously: for a path such as C:\Program Files\Application\app.exe it may try C:\Program.exe and C:\Program Files\Application.exe before the intended binary, so a file an attacker can write at one of those earlier locations is what the service actually runs.
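The following PowerShell script is an added example for defenders and is not part of the original article or of the NSSM project. It enumerates installed services and reports those whose image path contains a space but is not quoted, which is exactly the parsing ambiguity described above. It assumes it is run on Windows with read access to service configuration (no elevation is needed to read it) and uses only the standard Win32_Service class.

```powershell
# Added example (not from the original article or NSSM): find services whose
# unquoted image path contains a space, i.e. paths Windows parses ambiguously.
# Assumption: run on Windows; Get-CimInstance/Win32_Service are standard.

function Get-UnquotedServicePath {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName }

    foreach ($svc in $services) {
        $path = $svc.PathName.Trim()

        # A path that starts with a quote is parsed unambiguously; skip it.
        if ($path.StartsWith('"')) { continue }

        # Drop the argument list: keep everything up to and including the
        # first ".exe" (case-insensitive). If there is no ".exe" the whole
        # string is kept and inspected as-is.
        $exe = $path -replace '(?i)^(.*?\.exe).*$', '$1'

        # An unquoted executable path with a space is the risky case.
        if ($exe -match ' ') {
            [PSCustomObject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                ImagePath = $path
            }
        }
    }
}

# Usage: list findings, highest-risk first (services running as LocalSystem).
Get-UnquotedServicePath |
    Sort-Object { $_.RunAs -ne 'LocalSystem' }, Name |
    Format-Table -AutoSize
```

For each hit, the remediation is to re-quote the path in the service configuration (for example with sc config <name> binPath= "\"C:\Program Files\App\app.exe\" <args>") and to confirm, with the accesschk check shown earlier in this article, that standard users cannot write to any directory on the path that Windows would try first.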