# Nssm224 Privilege Escalation | Updated
Ethical hackers and penetration testers usually follow a structured approach to identifying and exploiting NSSM service misconfigurations.

## Step 1: Enumerate Running Services
```powershell
# Enables the Defender ASR rule 3B576869-A4EC-41E9-8E09-387D72F48587
# ("Block Office applications from creating executable content").
# Note the scope: it only stops Office processes from writing executables; it does not
# by itself stop a user-mode copy over nssm.exe, so it complements the ACL fixes rather than replacing them.
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-41E9-8E09-387D72F48587 -AttackSurfaceReductionRules_Actions Enabled
```
Ensure that any directory containing binaries managed by NSSM (nssm.exe itself and the application it launches) restricts write permissions exclusively to Administrators and SYSTEM. Remove Modify or Write permissions for Authenticated Users, Everyone, and Users, and check inherited entries as well as explicit ones: the permissive ACE is usually inherited from the parent folder rather than set on the binary directly.
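The hardening described above, as an added example that is not the article's own script. It uses icacls to cut the directory off from its parent's inherited ACL, strip the broad built-in groups, grant write only to Administrators and SYSTEM, and then verify the result; `$NssmDir` is an assumed path and the command must run from an elevated prompt.

```powershell
# Added example (not from the original article). Lock down an NSSM-managed
# binary directory so that only Administrators and SYSTEM can write to it.
# $NssmDir is an assumption; point it at the real deployment directory.

$NssmDir = 'C:\nssm'

# 1. Stop inheriting from the parent and copy the current ACEs onto the
#    directory, so there is an explicit DACL to edit rather than an empty one.
icacls $NssmDir /inheritance:d | Out-Null

# 2. Remove every Allow entry for the broad built-in principals, recursively,
#    so files already inside (nssm.exe included) lose the inherited grant too.
foreach ($principal in 'Everyone', 'Users', 'Authenticated Users', 'INTERACTIVE') {
    icacls $NssmDir /remove:g "$principal" /T | Out-Null
}

# 3. Replace (:r) any remaining explicit grants: full control for Administrators
#    and SYSTEM, read+execute only for Users so the binary can still be read.
#    (OI)(CI) makes the ACE inherit to files and subfolders.
icacls $NssmDir /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' /T | Out-Null

# 4. Verify with Get-Acl: fail loudly if a low-privileged principal still holds
#    any write-class right on the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
$LowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

$weak = (Get-Acl -LiteralPath $NssmDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $LowPriv -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
}
if ($weak) {
    $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "Low-privileged write access still present on $NssmDir"
}
"$NssmDir hardened: only Administrators and SYSTEM can write."
```

Run `icacls $NssmDir /T` before and after to keep a record of the change. The verification step matters because `/remove:g` only touches entries it can match by name; a stray local group or a SID-only entry would survive it and show up here.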
Deploy a sysmon config that alerts on:
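One way to consume such a configuration, added here as an example and not taken from the article: query the Sysmon Operational log for the two events a binary replacement produces, the write of nssm.exe (Event ID 11, FileCreate) and the later start of that binary by services.exe (Event ID 1, ProcessCreate), and surface the suspicious ones. It assumes Sysmon is installed with a config that records both event types for these paths; `$WatchDirs`, `$TrustedWriters` and `$KnownGoodSha256` are placeholders for your environment.

```powershell
# Added example (not the article's own code). Hunts the Sysmon log for signs of an
# NSSM binary replacement. Assumes Sysmon logs FileCreate (11) and ProcessCreate (1)
# for the watched directories; the three variables below are assumptions.

$WatchDirs       = @('C:\nssm\', 'C:\Program Files\')           # assumed NSSM deployment roots
$TrustedWriters  = @('NT AUTHORITY\SYSTEM')                    # assumed accounts allowed to drop binaries there
$KnownGoodSha256 = '0000000000000000000000000000000000000000000000000000000000000000'  # assumed hash of the deployed nssm.exe
$Since           = (Get-Date).AddDays(-1)

# Sysmon writes each field as <Data Name="...">; flatten one record into an object.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]$data
}

function Test-WatchedPath {
    param([string] $Path)
    foreach ($dir in $WatchDirs) { if ($Path -like "$dir*") { return $true } }
    return $false
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 11
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SysmonEvent $_ }

# 1. nssm.exe created or overwritten under a watched directory by anyone other than
#    a trusted installer account: the replacement itself. If the Sysmon version in use
#    does not populate User on FileCreate, $_.User is $null and the event is kept.
$binaryWrites = $events | Where-Object {
    $_.Id -eq 11 -and
    $_.TargetFilename -match '\\nssm(?:64)?\.exe$' -and
    (Test-WatchedPath $_.TargetFilename) -and
    ($TrustedWriters -notcontains $_.User)
}

# 2. services.exe launching an nssm.exe whose SHA256 is not the deployed one: the
#    swapped binary running with the service's privileges after a restart.
$rogueStarts = $events | Where-Object {
    $_.Id -eq 1 -and
    $_.Image -match '\\nssm(?:64)?\.exe$' -and
    $_.ParentImage -match '\\services\.exe$' -and
    $_.Hashes -notmatch "SHA256=$KnownGoodSha256"
}

$binaryWrites | Format-Table Time, User, Image, TargetFilename -AutoSize
$rogueStarts  | Format-Table Time, User, Image, Hashes -AutoSize
```

The hash check in the second filter only works if the Sysmon configuration includes SHA256 in its `HashAlgorithms` setting; with MD5-only configs the `Hashes` field never contains the `SHA256=` prefix and every start would be flagged, so confirm the config before relying on it.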
A PoC exploit has been developed, which demonstrates the vulnerability. The PoC exploit:
This vulnerability (CVE-2024-51448 in IBM Robotic Process Automation) was identified in versions 21.0.0 through 23.0.18. The flaw occurs because the installer lets every file in the installation directory inherit the permissions of the parent folder. Consequently, a non-privileged user can replace the nssm.exe service binary, and the next service or server restart executes the replaced binary with the service account's privileges, which are administrative.
Note: If the low-privileged user cannot restart the service directly, they can wait for a system reboot or trigger an administrative action that forces a service restart.

## Updated Mitigations for Modern Environments
When installing a service with `nssm install <servicename>`, whether through the GUI or the CLI, make sure the application path you supply is explicitly quoted, especially when it contains spaces.

## Conclusion
These older vulnerabilities show that the core issue, insecure file permissions on NSSM-managed services, has persisted for nearly a decade across multiple vendors and products. CVE-2025-41686 is simply the latest instance of this class of vulnerability.
Alternatively, you can manually inspect common deployment paths such as `C:\Program Files\`, `C:\nssm\`, or custom application directories.

## Step 2: Checking for Weak Registry Permissions
To check for weak service permissions manually via PowerShell:
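The following audit script is an added example, not code from the article, and covers Step 1 and Step 2 together: it enumerates services whose binary is nssm.exe, then checks whether a low-privileged principal can write to the binary or its directory, whether it can write to the service's `Parameters` registry key (where NSSM keeps the `Application`, `AppDirectory` and `AppParameters` values, so a writable key is a hijack path that needs no file write at all), and whether the ImagePath is unquoted and contains spaces. `$LowPrivPrincipals` is an assumed list; extend it with your own groups. Run it as the low-privileged user whose reach you want to measure.

```powershell
# Added example (not the article's own script). Audits NSSM-wrapped services for
# writable binaries/directories, writable Parameters keys and unquoted ImagePaths.
# $LowPrivPrincipals is an assumption; add site-specific groups as needed.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Explicit rights that let a principal replace/add files or rewrite registry values.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, FullControl, ChangePermissions, TakeOwnership'
# Inherited ACEs often carry generic rights instead of the explicit ones above.
$GenericWrite  = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

# Returns "principal: rights" for every Allow ACE that gives a low-priv principal write.
function Get-WeakAces {
    param(
        [Parameter(Mandatory)] $Acl,                     # object returned by Get-Acl
        [Parameter(Mandatory)] [string] $RightsProperty, # 'FileSystemRights' or 'RegistryRights'
        [Parameter(Mandatory)] [int] $Mask
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.$RightsProperty
        if ((($rights -band $Mask) -ne 0) -or (($rights -band $GenericWrite) -ne 0)) {
            '{0}: {1}' -f $ace.IdentityReference.Value, $ace.$RightsProperty
        }
    }
}

# Extracts the executable from a raw ImagePath, whether or not it is quoted.
function Get-ImagePath {
    param([Parameter(Mandatory)] [string] $PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-NssmServiceAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'nssm(?:64)?\.exe' } |   # a renamed nssm.exe will not match; add your own names
        ForEach-Object {
            $svc = $_
            $exe = Get-ImagePath $svc.PathName
            $dir = Split-Path -Path $exe -Parent
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"

            # Either the file or its directory being writable is enough to swap the binary.
            $binWeak = @()
            foreach ($p in @($dir, $exe)) {
                if (Test-Path -LiteralPath $p) {
                    $binWeak += @(Get-WeakAces -Acl (Get-Acl -LiteralPath $p) -RightsProperty FileSystemRights -Mask $FileWriteMask |
                                  ForEach-Object { "$p -> $_" })
                }
            }

            $regWeak = @(); $app = $null
            if (Test-Path -LiteralPath $key) {
                $regWeak = @(Get-WeakAces -Acl (Get-Acl -LiteralPath $key) -RightsProperty RegistryRights -Mask $RegWriteMask)
                $app = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Application
            }

            [PSCustomObject]@{
                Service           = $svc.Name
                RunsAs            = $svc.StartName
                ImagePath         = $exe
                UnquotedWithSpace = (($svc.PathName -notmatch '^"') -and ($exe -match ' '))
                Application       = $app
                BinaryWritableBy  = ($binWeak -join '; ')
                ParamsWritableBy  = ($regWeak -join '; ')
            }
        }
}

Get-NssmServiceAudit | Format-List
```

Any row with a non-empty `BinaryWritableBy` and `RunsAs` of `LocalSystem` is the exact condition the CVEs in this write-up describe; a non-empty `ParamsWritableBy` means the `Application` value can be pointed at an attacker-controlled executable without touching nssm.exe at all. The generic-rights check matters because `Get-Acl` reports inherited entries from the parent folder with values such as `268435456` rather than `FullControl`, and a filter on the named rights alone would miss them.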
| CVE ID | Affected Software/Vendor | Impact | Remediation Status |
| :--- | :--- | :--- | :--- |
| | Phoenix Contact DaUM (<2025.3.1) | Low-privileged user -> Admin rights | Update to 2025.3.1 or later |
| CVE-2024-51448 | IBM Robotic Process Automation (21.0.0-23.0.18) | Non-privileged user -> Admin via binary substitution | Vendor patch required |
| CVE-2016-20033 | Wowza Streaming Engine 4.5.0 | Everyone group -> LocalSystem via hijacking | Restrict permissions |