Nssm224 Privilege Escalation Updated Jun 2026

Where applicable, migrate legacy command-line applications to containerized environments or modern Windows Task Scheduler tasks running under managed service accounts (gMSAs) to minimize the attack surface.

For years, system administrators have relied on NSSM (Non-Sucking Service Manager) to run unstable or legacy batch scripts as robust Windows services. Its ability to monitor process health, restart crashed executables, and handle graceful shutdowns made it indispensable.

Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-41E9-8E09-387D72F48587 -AttackSurfaceReductionRules_Actions Enabled

Weak permissions on the service itself, allowing low-privileged users to modify configuration parameters via the SCM.

2. Technical Mechanics of the Escalation

You can use icacls to reset directory permissions effectively:

Mastering NSSM 2.24 Privilege Escalation: Concepts, Exploitation, and Remediation

, an attacker with sufficient local rights can redirect a service to execute their own scripts or payloads instead of the intended application.

Interactive Shell Creation: A common technique involves setting a service type to SERVICE_INTERACTIVE_PROCESS (nssm set Type SERVICE_INTERACTIVE_PROCESS). If the service runs as LocalSystem, it can potentially allow an attacker to interact with a system-level desktop.

Vulnerability Chaining: Advanced attackers, such as the Akira Ransomware group

The primary risk is not a "bug" in the NSSM code itself, but rather insecure file permissions that allow low-privileged users to replace the application binary.


If the directory containing the target executable (or the NSSM.exe binary itself) has weak Access Control Lists (ACLs), a low-privileged user can modify or replace the binary.

High-privilege services spawning unexpected child processes like cmd.exe or powershell.exe.

NSSM-224 Status: Privilege Escalation Updated Severity: Critical (9.8)

Administrators often leave weak permissions on the NSSM binary, the application binary, or the registry keys associated with the service.

NSSM 2.24 is a service wrapper for scripts or executables that aren't designed to run as Windows services. Its core functionality, running under the LocalSystem account, is also its primary security risk.

You can directly edit the Windows Registry to add quotation marks around the path.

This vector is known as . Once exploited, a local user with minimal rights can effectively take full control of the host machine.