Privilege escalation typically occurs not because of a bug in NSSM, but because of misconfigurations in the services it creates. In many cases, these misconfigurations allow a low-privileged user to gain SYSTEM or Administrator access.
1. Unquoted Service Paths
But the real prize is . On many systems, authenticated users can enumerate and modify NSSM-managed services due to overly permissive service security descriptors.
A dangerous weakness exists in NSSM (Non-Sucking Service Manager) versions 2.24 and below. If an attacker has (standard user) access to a system where an NSSM service runs as SYSTEM, they can trivially escalate to NT AUTHORITY\SYSTEM by abusing the service’s binary path.
Mitigations and remediation
The official NSSM 2.24 bug list indicates that while 2.25 fixes many issues, 2.24 is susceptible to issues like failing to launch if AppNoConsole is not set properly, which can sometimes lead to behavior that can be exploited by an attacker for persistence or escalation.
Mitigation Strategies
This exact scenario has been identified in multiple enterprise tools that bundle NSSM. IBM documented this issue in their Robotic Process Automation (RPA) software (APAR JR64937), where the IBMRPALicenseMetricService had an unquoted path containing spaces. IBM acknowledged that this allowed local privilege escalation and released a fix to add quotes around the service path. Odoo 12.0 and ExpressVPN similarly had documented unquoted service path vulnerabilities involving nssm.exe.
Securing your environment against NSSM-related privilege escalation requires enforcing the principle of least privilege and maintaining software hygiene.
1. Enforce Strict Access Control Lists (ACLs)
Proactive monitoring can catch misconfigurations before they are exploited.
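One way to monitor for the unquoted service path case described above, as an added example (not NSSM's or any vendor's code): it flags service ImagePath values whose executable part contains a space but is not quoted, and produces the quoted form that the IBM fix describes. The service names and paths are constructed samples; on a real host the values would come from each service's ImagePath registry entry.

```python
import re

# Constructed sample: service name -> ImagePath (not taken from a real host).
SAMPLE_SERVICES = {
    "ExampleQuoted": r'"C:\Program Files\Example App\nssm.exe"',
    "ExampleUnquoted": r"C:\Program Files\Example App\nssm.exe",
    "ExampleNoSpaces": r"C:\Tools\nssm.exe",
    "ExampleArgsOnly": r"C:\Tools\nssm.exe --config C:\Some Dir\app.ini",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest prefix ending in ".exe" that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath, or None."""
    match = _EXE.match(image_path.strip())
    return match.group(1) if match else None


def is_unquoted_with_spaces(image_path):
    """True when the executable path has a space and no surrounding quotes."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False  # empty or already quoted
    exe = executable_part(path)
    # Spaces that appear only in the arguments are not a finding.
    return exe is not None and " " in exe


def audit(services):
    """Return the sorted names of services that need their path quoted."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))


def quoted_fix(image_path):
    """Return the ImagePath with quotes added around the executable part."""
    path = image_path.strip()
    if not is_unquoted_with_spaces(path):
        return path
    exe = executable_part(path)
    return '"' + exe + '"' + path[len(exe):]


if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(name, "->", quoted_fix(SAMPLE_SERVICES[name]))
```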
NSSM has long been a staple for system administrators and developers on the Windows platform. Versions like 2.24, released in the mid-2010s, are celebrated for their ability to turn any executable into a Windows service quickly. However, beneath its utilitarian veneer lies a dangerous attack vector: privilege escalation.