NSSM (Non-Sucking Service Manager) version 2.24 is susceptible to a privilege escalation vulnerability specifically related to its service configuration and the lack of quote marks in service binary paths.
The bottom line: If you see nssm-2.24.exe, assume an attacker can become SYSTEM within minutes. Upgrade immediately, or remove it entirely in favor of native Windows tools like sc.exe or PowerShell’s New-Service.
The issue is not a memory corruption bug but a logic/permission flaw.
Once elevated on one machine, the attacker harvests domain admin tickets or service account passwords, moving across the network.
A simple PoC to demonstrate the flaw (assuming you have nssm 2.24.exe in the current directory and a standard user account):
If an attacker has write access to a directory involved in the service execution chain (e.g., a directory with weak permissions where the service binary resides or a path containing spaces without quotes), they can plant a malicious executable. When the service is started or restarted, the operating system or NSSM will execute the malicious file with SYSTEM privileges.
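An audit sketch for the unquoted-path condition described above, added here as an example and not taken from the original page or from NSSM. It flags service `ImagePath` values that are unquoted and contain spaces, and lists the directories whose write permissions should be reviewed. The service names, paths, and the `.exe` boundary heuristic are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample data (service name -> ImagePath string), not from a real host.
SAMPLE_SERVICES = {
    "QuotedSvc": r'"C:\Program Files\Vendor App\nssm.exe"',
    "UnquotedSvc": r"C:\Program Files\Vendor App\nssm.exe",
    "NoSpaceSvc": r"C:\Tools\nssm.exe",
    "ArgsOnlySvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Heuristic (assumption): an unquoted executable path ends at the first ".exe"
# that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Split an ImagePath into (executable path, was_quoted), dropping arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = EXE_RE.match(s)
    return (m.group(1) if m else s), False


def review_dirs(path):
    """Directories whose write ACLs matter because a space splits the path there."""
    dirs = []
    for i, ch in enumerate(path):
        if ch == " ":
            parent = ntpath.dirname(path[:i])
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Return {service: [directories to review]} for unquoted paths with spaces."""
    findings = {}
    for name, image_path in services.items():
        path, quoted = executable_part(image_path)
        if not quoted and " " in path:
            findings[name] = review_dirs(path)
    return findings


if __name__ == "__main__":
    for svc, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: quote the ImagePath; review write access on {dirs}")
```

On a real host the input would be the `ImagePath` value of each key under `HKLM\SYSTEM\CurrentControlSet\Services`.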
, have been observed using NSSM to create malicious services (e.g., "sysmon") that launch tunneling tools or establish persistence with elevated rights.
Investigative & Security Steps
To identify or prevent these issues, administrators should:
Software: Non-Sucking Service Manager (NSSM)
Affected Versions: NSSM 2.24 (and likely prior versions)
Severity: High
Vector: Local
Impact: Privilege Escalation (Local System)