NSSM 2.24 Privilege Escalation

Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations.

Step 1 – Identify NSSM services

  • The service is configured to run a binary located in a directory writable by a low-privilege user (e.g., C:\ProgramData... or another user-writable folder). Anyone who can write there can replace the executable with a malicious payload; after a service restart it executes as SYSTEM.

NSSM (Non-Sucking Service Manager) version 2.24 is susceptible to a privilege escalation vulnerability specifically related to its service configuration and the lack of quote marks in service binary paths.

sc config <service_name> binPath= "C:\temp\malware.exe"

Permissions Misconfiguration (CVE-2025-41686): A more recent vulnerability identified in products like Phoenix Contact Device and Update Management involves misconfigured permissions on nssm.exe specifically, allowing low-privileged local attackers to gain administrative access.

  • Example ImagePath: C:\Program Files\Vendor\nssm.exe -k service
  • If unquoted, Windows may attempt to execute: C:\Program.exe, then C:\Program Files\Vendor\nssm.exe, etc.

NSSM 2.24 is frequently cited in security advisories because third-party installers (like CouchDB or Wowza Streaming Engine) often deploy it with weak directory permissions. Because NSSM typically runs with SYSTEM privileges, any user who can replace the nssm.exe file can effectively take over the entire machine.
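
A read-only audit for the two conditions described above (an unquoted NSSM service path, and nssm.exe or the program it wraps sitting where non-administrators can write), as an added PowerShell example that is not from the original page or the NSSM project. It assumes English principal names in `$trusted`, that the service path still contains the string "nssm", and that the wrapped program is recorded in the service's `Parameters\Application` registry value.

```powershell
# Added example (not from the original page): read-only audit of NSSM-backed services.
# Rights that let a principal modify, replace or re-permission a file or folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Assumption: English principal names; extend with your own admin or deployment groups.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

function Get-WeakAce([string]$Path) {
    # Return Allow ACEs that grant write-type rights to a principal outside $trusted.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

$findings = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' } | ForEach-Object {
    $svc    = $_
    $quoted = $svc.PathName.TrimStart().StartsWith('"')
    # Executable portion of ImagePath: inside the quotes, or up to the first ".exe".
    $exe = if ($quoted) { ($svc.PathName -split '"')[1] } else { $svc.PathName -replace '^(.*?\.exe).*$', '$1' }
    # The wrapped program is read from the service's Parameters key (see assumptions).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -LiteralPath $key -Name Application -ErrorAction SilentlyContinue).Application
    # Check each executable and its parent folder (a writable folder allows replacement).
    $weak = foreach ($file in @($exe, $app) | Where-Object { $_ }) {
        foreach ($p in @($file, [System.IO.Path]::GetDirectoryName($file))) {
            Get-WeakAce $p | ForEach-Object { "$($_.IdentityReference) can write $p" }
        }
    }
    [pscustomobject]@{
        Service      = $svc.Name
        RunAs        = $svc.StartName
        UnquotedPath = (-not $quoted) -and ($exe -match ' ')
        WeakAcl      = ($weak | Select-Object -Unique) -join '; '
    }
}
# Show only services that need attention.
$findings | Where-Object { $_.UnquotedPath -or $_.WeakAcl } | Format-List
```

Run it from an elevated prompt so every ACL and service key is readable. Each finding is resolved by quoting the service's ImagePath or by removing the listed write permission from the file or folder.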