NSSM 2.24 Privilege Escalation
Vulnerable location: C:\ProgramData\... or C:\Program Files\... with weak permissions
Impact: Full system takeover (vertical privilege escalation)
Detection: EDR alerts for nssm.exe in unusual paths like \Windows\tmp\
Prevention & Mitigation
CVE-2024-51448. Severity: Medium (CVSS 6.7). Attack Vector: Local (AV:L). Privileges Required: High (PR:H).
NSSM stores its service configuration in the Registry, under the service's Parameters key in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (values such as Application, AppDirectory and AppParameters). If the permissions on these keys are too loose, a user who can write to them can change the Application or AppParameters value so that a different command runs, under the service's account, the next time the service starts.
When a Windows service is created, its executable path should be surrounded by quotation marks if it contains spaces. Without quotes, the Service Control Manager hands the path to CreateProcess, which tries each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\My.exe, and so on) before reaching the real binary, so whoever can write to one of those earlier locations gets code execution as the service account.
To understand the privilege escalation vector, it is essential to look at how NSSM bridges the gap between interactive applications and the Windows Service Control Manager (SCM).
Avoid running NSSM services as NT AUTHORITY\SYSTEM unless absolutely necessary. Instead, create a dedicated Managed Service Account (MSA) or a standard local user account with the bare minimum privileges required to run the application.
4. Keep Software Updated
An attacker gains initial access to a Windows machine as a low-privileged user. They enumerate running services to find those managed by NSSM.
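The enumeration step above and the Registry weakness described earlier are the same check in practice: find every service whose binary is nssm.exe, then see who is allowed to rewrite its Parameters key. The following PowerShell is an added example and is not code from the original article or from the NSSM project; it assumes NSSM 2.24's default layout (the Application and AppParameters values under the service's Parameters key) and runs without elevation, since reading service ACLs needs no special rights.

```powershell
# Added example (not from the original article or the NSSM project).
# Lists NSSM-wrapped services and flags Parameters keys that a non-administrative
# principal can modify. Assumes the NSSM 2.24 layout:
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\{Application,AppParameters,AppDirectory}

# Principals that are expected to hold write access to service configuration.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Registry rights that allow tampering with the key (read-only ACEs such as
# ReadKey share none of these bits, so they are not reported).
$RR = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($RR::SetValue -bor $RR::CreateSubKey -bor $RR::Delete -bor
                   $RR::ChangePermissions -bor $RR::TakeOwnership)

function Get-NssmService {
    # Any service whose ImagePath points at nssm.exe / nssm64.exe is NSSM-managed.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '(?i)nssm(64)?\.exe' }
}

function Get-WeakParametersAce {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -ne 0) { $ace }
    }
}

foreach ($svc in Get-NssmService) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $p   = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    "[{0}] runs as {1}: {2} {3}" -f $svc.Name, $svc.StartName, $p.Application, $p.AppParameters
    foreach ($ace in Get-WeakParametersAce -ServiceName $svc.Name) {
        Write-Warning ("  {0} can modify {1} ({2})" -f $ace.IdentityReference, $key, $ace.RegistryRights)
    }
}
```

A warning for a service whose StartName is LocalSystem is the case the article is about: the principal named in the ACE can point Application at a binary of its choosing and wait for the next restart. Deny ACEs and read-only ACEs are deliberately ignored so that the default service-key ACL does not produce noise.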
These metrics describe a local attack that needs no user interaction and whose payoff is control of the entire host. Note that the PR:H metric assumes the attacker already holds elevated rights; the claim that any low-privileged user can abuse NSSM 2.24 rests on the weak-permission and unquoted-path deployments described on this page rather than on this score alone.
This vulnerability affects versions 21.0.0 through 23.0.18. The flaw allows any authenticated local user to substitute an arbitrary executable for nssm.exe because every file in the install directory inherits overly permissive NTFS permissions. A subsequent service or server restart then runs the substituted binary with the privileges of the service account, typically LocalSystem.
Avoid running services under the LocalSystem account whenever possible. Configure each service to run under a dedicated low-privilege service account that holds only the permissions the application needs; this also limits what an attacker gains from any of the configuration-tampering paths above.
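Switching an existing NSSM service off LocalSystem is a two-step job: provision a dedicated local account, then hand it to NSSM, which rewrites the service's ObjectName. The PowerShell below is an added example, not code from the article or from NSSM; it assumes nssm.exe is on PATH, that the service name is passed in, and that the host runs a Windows version with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later). The nssm set ObjectName form is the one documented for NSSM 2.24.

```powershell
# Added example (not from the original article or the NSSM project).
# Creates (or re-keys) a local service account with a random password and
# reconfigures an NSSM-managed service to run as that account.
# Assumptions: nssm.exe on PATH; run from an elevated prompt.
function Set-NssmServiceAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$UserName
    )
    # 32 random bytes -> a 44-character password nobody needs to remember:
    # the account is never used interactively.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $UserName -Password $secure
    } else {
        New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires `
            -UserMayNotChangePassword -AccountNeverExpires `
            -Description "Service account for $ServiceName" | Out-Null
    }
    # Deliberately no group membership: a plain local user, not Administrators.

    # NSSM stores the credentials with the SCM and updates the service's ObjectName.
    & nssm set $ServiceName ObjectName ".\$UserName" $plain
    if ($LASTEXITCODE -ne 0) { throw "nssm set ObjectName failed with exit code $LASTEXITCODE" }

    & nssm restart $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "nssm restart failed with exit code $LASTEXITCODE" }

    # Confirm from the SCM's side, not from NSSM's.
    (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
}

# Usage (hypothetical service name):
# Set-NssmServiceAccount -ServiceName 'MyWrappedApp' -UserName 'svc_mywrappedapp'
```

After the switch, grant the new account Modify only on the directories the wrapped application actually writes to (its data and log folders), never on the folder holding nssm.exe or the application binary, otherwise the account can perform exactly the binary-substitution attack this page describes against itself.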
Beyond the binary permissions, NSSM is frequently deployed in a way that creates the infamous "Unquoted Service Path" vulnerability. This is not a bug in NSSM’s code but a standard Windows Service Control Manager (SCM) behavior that NSSM configurations frequently trigger.
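The SCM behaviour behind the unquoted-path problem is mechanical enough to audit automatically: for each unquoted ImagePath with spaces, compute the prefixes CreateProcess would try first and test whether the current user can drop a file there. The PowerShell below is an added example and is not code from the original article or from NSSM; it runs as an ordinary user, since it only reads service definitions and probes directory write access, and it deliberately checks real writability with a throwaway file rather than trusting the displayed ACL.

```powershell
# Added example (not from the original article or the NSSM project).
# Finds services with unquoted ImagePaths containing spaces, enumerates the
# hijack candidates CreateProcess would try before the real binary, and reports
# the ones the current user could actually create.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"')) { return @() }          # quoted: not ambiguous
    # Executable part: up to and including the first ".exe" token; what follows are arguments.
    $m = [regex]::Match($ImagePath, '(?i)^(.*?\.exe)')
    if (-not $m.Success) { return @() }
    $exePath = $m.Groups[1].Value
    if ($exePath -notmatch ' ') { return @() }
    $parts = $exePath -split ' '
    # CreateProcess tries "C:\Program", "C:\Program Files\My", ... in order and
    # appends .exe to a token without an extension, so those are the files to plant.
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-CanCreateFileIn {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()   # throws on access denied
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

$findings = Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    foreach ($candidate in Get-UnquotedPathCandidates -ImagePath $svc.PathName) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            StartMode    = $svc.StartMode
            Candidate    = $candidate
            WritableByMe = Test-CanCreateFileIn -Directory (Split-Path -Parent $candidate)
        }
    }
}

$findings | Where-Object WritableByMe | Format-Table -AutoSize
```

For "C:\Program Files\My App\service.exe -arg" the candidates are C:\Program.exe and C:\Program Files\My.exe. On a default installation neither location is writable by a standard user, which is why the unquoted path only becomes exploitable when it is combined with the weak folder permissions discussed above; a row with WritableByMe set and RunsAs of LocalSystem is the combination to fix first.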
A conceptual exploitation flow proceeds as follows:
Run the following command to correct permissions on your service folder:
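The article's own command is not reproduced on this page. What follows is an added PowerShell example, not the article's or NSSM's code, that does the job the sentence describes: it audits the NTFS ACL of the folder holding nssm.exe and the wrapped application for anyone other than SYSTEM and Administrators who can write to it, and with -Fix rebuilds the ACL with icacls. It assumes the folder path is supplied by the caller, and it uses well-known SIDs (prefixed with * as icacls expects) so it behaves the same on non-English installations.

```powershell
# Added example (not from the original article or the NSSM project).
# Audits, and with -Fix corrects, the NTFS permissions of a service folder so that
# only SYSTEM and Administrators can replace nssm.exe or the wrapped binary.
# Assumption: $ServiceDir is the directory referenced by the service's ImagePath.
function Repair-ServiceDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$ServiceDir,
        [switch]$Fix
    )
    $FR = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow a file to be replaced or the ACL to be changed; pure
    # read/execute ACEs share none of these bits.
    $writeMask = [int]($FR::WriteData -bor $FR::AppendData -bor $FR::WriteAttributes -bor
                       $FR::WriteExtendedAttributes -bor $FR::Delete -bor
                       $FR::DeleteSubdirectoriesAndFiles -bor $FR::ChangePermissions -bor
                       $FR::TakeOwnership)
    # CREATOR OWNER is listed because in an admin-only folder the creator is an admin.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

    $weak = @(foreach ($ace in (Get-Acl -LiteralPath $ServiceDir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    })
    foreach ($ace in $weak) {
        Write-Warning ("{0}: {1} has {2}" -f $ServiceDir, $ace.IdentityReference, $ace.FileSystemRights)
    }
    if (-not $Fix) { return ($weak.Count -gt 0) }   # $true = weak ACL found

    # S-1-5-18 SYSTEM, S-1-5-32-544 Administrators, S-1-5-32-545 Users,
    # S-1-5-11 Authenticated Users, S-1-1-0 Everyone.
    icacls "$ServiceDir" /inheritance:r | Out-Null                      # stop inheriting from parent
    icacls "$ServiceDir" /grant:r '*S-1-5-18:(OI)(CI)F' `
                                  '*S-1-5-32-544:(OI)(CI)F' `
                                  '*S-1-5-32-545:(OI)(CI)RX' | Out-Null # replace grants on the root
    icacls "$ServiceDir" /remove:g '*S-1-5-11' '*S-1-1-0' | Out-Null     # drop broad leftovers
    icacls "$ServiceDir\*" /reset /T /C | Out-Null                       # children inherit the new root ACL
    icacls "$ServiceDir" /setowner '*S-1-5-18' /T /C | Out-Null          # owner cannot re-grant itself rights

    return (Repair-ServiceDirectoryAcl -ServiceDir $ServiceDir)          # re-audit: $false means clean
}

# Usage (hypothetical path): Repair-ServiceDirectoryAcl -ServiceDir 'C:\Program Files\MyApp' -Fix
```

Run the audit form first on every folder that an NSSM ImagePath references; it needs no elevation. The -Fix form must run elevated and should be applied only to the folder holding the binaries, since the wrapped application still needs Modify on its own data and log directories, which the example leaves untouched.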
The following products and versions have been identified as vulnerable to NSSM-related privilege escalation vulnerabilities:
The Non-Sucking Service Manager (NSSM) is a popular, lightweight tool used to turn Windows applications, scripts, and batch files into managed services. By managing the service lifecycle, it ensures applications restart automatically if they crash. However, older versions, specifically NSSM 2.24, have been associated with a Local Privilege Escalation (LPE) vulnerability that can allow a low-privileged user to gain NT AUTHORITY\SYSTEM rights.
Before dissecting the vulnerabilities, it is essential to understand what NSSM is and why version 2.24 is so pervasive. NSSM, short for Non-Sucking Service Manager, is a service helper program. It solves a persistent problem in Windows: many simple applications and scripts are not designed to run as system services. NSSM bridges that gap by acting as a wrapper. It starts any application or command-line script as a Windows service, automatically restarts it if it fails, and provides service-specific environment variables and logging. Unlike Microsoft's own srvany.exe, NSSM is more robust and easier to configure, which is why the 2.24 release has been copied into countless deployments and remains in place long after it was published.