Nssm224 Privilege Escalation Updated
First, identify services managed by NSSM that run as SYSTEM and have weak permissions. Use command prompt or PowerShell:
Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*nssm*" } | Format-Table Name, StartName, PathName
Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[YourService]
A conceptual attack flow looks like this:
The most reliable detection method is to audit the permissions of every nssm.exe instance on your Windows systems. Use the icacls command:
The official NSSM project has fixed the privilege escalation issue in newer builds. According to the project's documentation, version 2.25 and later pre-release builds address known security flaws. However, as of June 2026, the latest official release remains 2.24 (originally from August 2014), with ongoing development happening in pre-release branches.
Windows interprets the space as a terminator and executes the malicious file instead of the intended NSSM binary.
Technical Walkthrough: Exploiting an NSSM Misconfiguration
The directories containing nssm.exe and the underlying applications must be heavily protected.
Several factors elevate CVE‑2025‑41686 from a “theoretical” risk to a critical threat:
Alternatively, if the registry parameters are writable, they modify the NSSM application path:
Q: How does the NSSM224 privilege escalation exploit work? A: The NSSM224 privilege escalation exploit works by exploiting a vulnerability in the NSSM224 service manager, allowing an attacker to execute arbitrary code with elevated privileges.
If low-privileged users have permissions to modify this registry key, they can change the Application string value to point to cmd.exe or a custom payload.
Step-by-Step Exploitation Walkthrough
Enable auditing on the HKLM\System\CurrentControlSet\Services registry hive.
If the standard user has Modify (M) permissions or broader over the executable that NSSM is managing, they can replace the legitimate binary with a malicious one (such as a reverse shell). When the service restarts, it executes the malicious file with the privileges of the service account (usually SYSTEM).
2. Unquoted Service Paths
Monitor for ParentImage matching known NSSM paths where the CommandLine contains account manipulation commands (net user, net localgroup).
Registry Auditing
