If NSSM 2.24 is installed to manage a service and the service's executable path contains spaces but is not surrounded by quotes, Windows cannot tell where the executable ends and its arguments begin: for a path such as `C:\Program Files\My App\nssm.exe` the Service Control Manager tries `C:\Program.exe` and `C:\Program Files\My.exe` before the real binary. A local attacker who can create a file at one of those earlier locations gets it executed with the service's privileges the next time the service starts.

If the Users or Everyone security group is granted write or Full Control (F) access to the directory containing nssm.exe, or to the binary itself, the system becomes completely vulnerable: any local user can replace nssm.exe, or plant a binary in the unquoted path, and have it run with the service's privileges.

## The Attack Vector Breakdown (CVSS:3.1 / 7.8 High)

The most critical vulnerability is formally identified as CVE-2025-41686. Published on August 12, 2025, this flaw has been assigned a CVSS v3.1 base score of 7.8 (High).

An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:

If a service named LegacyApp exists and is managed by NSSM 2.24, the attacker can modify its parameters, or overwrite nssm.exe in the writable directory, without needing admin rights (due to the broken ACL or design flaw in that version); whatever the attacker plants runs with the service's privileges on the next service start:
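The enumeration and the two checks the steps above depend on, as an added audit script that is not part of the original article or of the NSSM project: it lists every installed service, flags an unquoted ImagePath that contains spaces, flags services wrapped by nssm.exe, and reports whether Everyone, Users or Authenticated Users can write to nssm.exe (or to the program NSSM records under the service's `Parameters\Application` registry value) or to its directory. The `LegacyApp` name above is only a placeholder; the script makes no assumption about it. It is read-only and PowerShell 5.1 compatible; run it elevated so every ACL can be read.

```powershell
# Added audit example; not code from the original article or from the NSSM project.
# Read-only: reports the conditions described above for every installed service.

$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any of these bits in an Allow ACE lets the holder replace or plant a binary.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-WeakWriters {
    # Returns the low-privileged identities that hold write-type Allow ACEs on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # [int] tolerates generic-rights ACEs; GENERIC_WRITE itself is not decoded here.
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            $hits += $ace.IdentityReference.Value
        }
    }
    return $hits
}

function Get-ServiceExecutable {
    # Splits a service command line the way the SCM does: a leading quote delimits the
    # executable; otherwise everything up to the first ".exe" is the path Windows must
    # resolve, and a space inside that part is what makes the path exploitable.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl -match '^"([^"]+)"') { return @{ Exe = $matches[1]; Unquoted = $false } }
    if ($cl -match '^(.*?\.exe)') {
        $exe = $matches[1]
        return @{ Exe = $exe; Unquoted = ($exe -match '\s') }
    }
    return @{ Exe = $cl; Unquoted = $false }
}

$results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $parsed   = Get-ServiceExecutable $svc.PathName
    $findings = @()
    $targets  = @($parsed.Exe)

    if ($parsed.Unquoted) { $findings += 'unquoted ImagePath containing spaces' }

    if ((Split-Path $parsed.Exe -Leaf) -ieq 'nssm.exe') {
        $findings += 'wrapped by nssm.exe'
        # NSSM records the real program under <service>\Parameters\Application; its
        # directory is a second location that must not be writable by low-privileged users.
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
        if ($app) { $targets += $app.Trim('"') }
    }

    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t)) { continue }
        $writers = (@(Get-WeakWriters (Split-Path $t -Parent)) + @(Get-WeakWriters $t)) | Sort-Object -Unique
        if ($writers) { $findings += "$t writable by $($writers -join ', ')" }
    }

    if ($findings) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Findings = ($findings -join '; ') }
    }
}

$results | Format-Table -AutoSize -Wrap
```

A service that shows both `wrapped by nssm.exe` and a `writable by` finding, and runs as LocalSystem in the RunsAs column, is the exact combination the text above describes; an unquoted-path finding on its own still needs a writable location earlier in the path before it is exploitable, which the script does not check.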

– Migrate to Microsoft's native sc.exe or the New-Service PowerShell cmdlet, or use WinSW (Windows Service Wrapper), which supports better security configuration. Note that sc.exe and New-Service only register binaries that already implement the Windows service control protocol; a plain console application still needs a wrapper such as WinSW. Whichever route is taken, the registered path must be quoted and the binary's directory must not be writable by Users or Everyone.

```cmd
sc config MyNSSMService binPath= "\"C:\Program Files\SecureApp\app.exe\"" obj= "NT AUTHORITY\LocalService"
```

Two details matter here: sc.exe requires the space after each `option=`, and the inner `\"` quotes are what make the stored ImagePath quoted; without them the new path would itself be an unquoted path containing spaces, recreating the problem. Running the service as `NT AUTHORITY\LocalService` instead of LocalSystem limits what a planted binary could do, but it does not repair a directory ACL that lets Users write to the service's files.
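The same two fixes applied from PowerShell, as an added hardening example that is not part of the original article or of the NSSM project. It assumes a hypothetical service named `LegacyApp` registered with an unquoted ImagePath: step 1 quotes the executable (the same result the `sc config` command above produces, written to the registry directly to avoid shell quote-escaping differences), step 2 reduces Everyone, Users and Authenticated Users to read and execute on the binary's directory, and step 3 re-reads the ACL to confirm no write right remains. Run it from an elevated PowerShell and restart the service afterwards for the path change to take effect.

```powershell
# Added hardening example; not code from the original article or from the NSSM project.
# Assumes a hypothetical service named LegacyApp registered with an unquoted ImagePath.
# Run from an elevated PowerShell; restart the service afterwards for the path change to apply.

$serviceName = 'LegacyApp'   # hypothetical name used as a placeholder above
$svcKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$imagePath   = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath

# 1. Quote the executable. This is what `sc config ... binPath= "\"...\""` stores; writing
#    the registry value directly avoids the quote-escaping differences between shells.
if ($imagePath -notmatch '^"' -and $imagePath -match '^(.*?\.exe)(.*)$') {
    $exe  = $matches[1]
    $rest = $matches[2]
    # ImagePath is REG_EXPAND_SZ; keep that type so %SystemRoot%-style values still expand.
    Set-ItemProperty -Path $svcKey -Name ImagePath -Value "`"$exe`"$rest" -Type ExpandString
} else {
    $exe = $imagePath -replace '^"([^"]+)".*$', '$1'
}
Write-Output ("ImagePath: " + (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath)

# 2. Stop low-privileged groups from writing to the directory the service binary lives in
#    (for an NSSM service this is the nssm.exe directory). Groups that already have an ACE
#    are reduced to read/execute; groups that are absent from the ACL are left absent.
$dir     = Split-Path $exe -Parent
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$before  = & icacls.exe $dir
& icacls.exe $dir /inheritance:d | Out-Null      # make inherited ACEs explicit so /remove can touch them
foreach ($group in $lowPriv) {
    if (-not ($before -match ([regex]::Escape($group) + ':'))) { continue }
    & icacls.exe $dir /remove:g $group | Out-Null              # drop every explicit grant for the group
    & icacls.exe $dir /grant "${group}:(OI)(CI)RX" | Out-Null  # re-add read and execute only
}

# 3. Verify: no low-privileged group may keep F, M, W, WD (write data) or AD (append data).
$after = & icacls.exe $dir
$stillWritable = $after -match '(Everyone|BUILTIN\\Users|Authenticated Users):.*\([^)]*\b(F|M|W|WD|AD)\b'
if ($stillWritable) {
    Write-Warning ("Write access still present on ${dir}:`n" + ($stillWritable -join "`n"))
} else {
    Write-Output "OK: $dir no longer grants write access to Everyone, Users or Authenticated Users."
}
```

For an NSSM-wrapped service, repeat step 2 for the directory of the program recorded under the service's `Parameters\Application` value as well; quoting nssm.exe's own path does nothing if the wrapped program's directory is still writable by Users.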

| Metric | Value |
|--------|-------|
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Confidentiality Impact | High (C:H) |
| Integrity Impact | High (I:H) |
| Availability Impact | High (A:H) |

User Interaction: None (the attack can be carried out entirely quietly in the background, with no action by any other user).

## 💻 Step-by-Step Exploitation Mechanics