NSSM 2.24 Privilege Escalation (Updated)

If you have permission to restart the service, do so; if not, wait for a system reboot. The commands are the usual service-control pair (the service name is whatever NSSM registered the wrapped service as):

sc stop <service name>
sc start <service name>

If a standard user can write to C:\nssm-2.24\ (or to C:\Program Files\NSSM\, which is only writable by standard users if an installer or administrator loosened the default ACL), they can replace nssm.exe with a malicious binary that the service account will run on the next start.

A closely related vulnerability was disclosed in IBM's Robotic Process Automation (RPA) product. IBM RPA versions 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 allow a local user to escalate privileges because “all files in the install inherit the file permissions of the parent directory and therefore a non‑privileged user can substitute any executable for the nssm.exe service.” This highlights how the same underlying weakness reappears in different software packages that embed NSSM.

While this is a hypothetical representation, it accurately conveys the logic: the attacker does not need to exploit a memory corruption bug or bypass complex mitigations; they simply abuse a permission misconfiguration that should never have existed in a secure deployment.

sc config nssm_managed_service binPath= "C:\temp\reverse_shell.exe"

Changing binPath this way requires SERVICE_CHANGE_CONFIG on the service object, which is a separate weakness (a weak service DACL) from writable files. With weak file permissions alone, the attacker replaces nssm.exe or the wrapped program in place and leaves binPath untouched.

Using standard Windows commands, the attacker first searches for instances of nssm.exe installed with weak permissions:
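The following PowerShell audit script is an added example; it is not code from the original article or from the NSSM project. It lists every service whose ImagePath points at nssm.exe, then checks whether a low-privileged principal (the list of principals is this example's own choice) holds write-capable rights on nssm.exe, on its directory, on the program NSSM launches, or on the service's Parameters registry key. Function and variable names are the example's own.

```powershell
# Added example: audit NSSM-wrapped services for ACLs a standard user could abuse.
# Not part of the original article or of NSSM; the principal list and function names are this example's own.

# Principals every interactive local user belongs to (this example's definition of "low-privileged").
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or tamper with a file or directory.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Rights that let a principal repoint NSSM's Application / AppDirectory / AppParameters values.
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL: Get-Acl sometimes reports ACEs with raw generic bits instead of enum names.
$GenericWriteBits = 0x40000000 -bor 0x10000000

function Get-WeakAces {
    # Emits "principal => rights" for every Allow ACE that grants $Mask rights to a low-privileged principal.
    param(
        [Parameter(Mandatory)] $Acl,
        [Parameter(Mandatory)] [int] $Mask,
        [Parameter(Mandatory)] [string] $RightsProperty   # 'FileSystemRights' or 'RegistryRights'
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $LowPrivPrincipals) { continue }
        $rights = [int]$ace.$RightsProperty
        if (($rights -band $Mask) -or ($rights -band $GenericWriteBits)) {
            '{0} => {1}' -f $ace.IdentityReference.Value, $ace.$RightsProperty
        }
    }
}

function Find-NssmServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '(?i)nssm[^\\"]*\.exe' } |
        ForEach-Object {
            $svc = $_
            # PathName may be quoted and carry arguments; keep only the executable.
            $exe = if ($svc.PathName -match '(?i)^"?(?<exe>[^"]+?\.exe)') { $Matches.exe } else { $svc.PathName }
            $dir = Split-Path -Parent $exe
            $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $findings = @()

            # The Parameters key decides what NSSM launches: a writable key means an arbitrary Application.
            $app = $null; $appDir = $null
            if (Test-Path -LiteralPath $paramsKey) {
                $findings += @(Get-WeakAces -Acl (Get-Acl -LiteralPath $paramsKey) -Mask $RegWriteMask -RightsProperty 'RegistryRights' |
                    ForEach-Object { "registry ${paramsKey}: $_" })
                $params = Get-ItemProperty -LiteralPath $paramsKey
                $app    = $params.Application
                $appDir = $params.AppDirectory
            }

            # nssm.exe, its directory, and the program it launches on the service's behalf.
            foreach ($p in (@($exe, $dir, $app) | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
                $findings += @(Get-WeakAces -Acl (Get-Acl -LiteralPath $p) -Mask $FileWriteMask -RightsProperty 'FileSystemRights' |
                    ForEach-Object { "file ${p}: $_" })
            }

            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                NssmPath     = $exe
                Application  = $app
                AppDirectory = $appDir
                WeakAces     = $findings
            }
        }
}

# Report only services where a low-privileged principal can tamper with something.
Find-NssmServices | Where-Object { $_.WeakAces.Count -gt 0 } | Format-List
```

Run it from an elevated prompt so every ACL can be read. Any line in WeakAces is a finding: a member of that principal can swap the binary or repoint the service, and RunsAs tells you what they would get (usually LocalSystem).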

– NSSM is bundled with dozens of third‑party applications. Even if an organization does not install NSSM directly, it may be exposed through other products that silently include it.

NSSM stores its configuration in HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters, in the values Application (the executable NSSM launches), AppDirectory (its working directory) and AppParameters (its arguments). If a low-privileged user can write to this key, they do not need to touch nssm.exe at all: they can point Application at a binary they control, or, when the service runs a script such as run.bat through an interpreter, point AppDirectory at a directory they control and drop their own copy of the script there. Either way, the next service start executes their code as the service account.

3. Remediating NSSM 2.24 Vulnerabilities
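As an added example of the remediation (not code from the article or from NSSM), the PowerShell function below resets the NSSM directory so that only SYSTEM and Administrators can modify it and Users get read-and-execute, using icacls, and then applies the equivalent DACL to the service's Parameters key with the .NET registry security classes so Application and AppDirectory cannot be repointed. The service name, directory and principal set are this example's assumptions; it must run from an elevated prompt.

```powershell
# Added example: harden an NSSM install against the weak-ACL escalation. Not from the article
# or from NSSM. Run from an elevated prompt; the service name, directory and principal set are assumptions.

function Protect-NssmInstall {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,     # short name of the wrapped service
        [Parameter(Mandatory)] [string] $NssmDirectory    # directory holding nssm.exe, e.g. C:\nssm-2.24
    )

    # 1. Files: drop inherited ACEs (/inheritance:r), replace all grants (/grant:r), recurse (/T),
    #    keep going on errors (/C). SYSTEM and Administrators get Full, Users read+execute only.
    $icaclsArgs = @(
        '/inheritance:r',
        '/grant:r',
        'NT AUTHORITY\SYSTEM:(OI)(CI)F',
        'BUILTIN\Administrators:(OI)(CI)F',
        'BUILTIN\Users:(OI)(CI)RX',
        '/T', '/C'
    )
    & icacls.exe $NssmDirectory $icaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on ${NssmDirectory} (exit $LASTEXITCODE)" }

    # 2. Registry: the same principals on the Parameters key, so Application/AppDirectory cannot be repointed.
    $subKey = "SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        ([System.Security.AccessControl.RegistryRights]::ChangePermissions -bor [System.Security.AccessControl.RegistryRights]::ReadPermissions))
    if ($null -eq $key) { throw "No Parameters key for service ${ServiceName}; is it really NSSM-wrapped?" }

    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetAccessRuleProtection($true, $false)   # protect the DACL and discard inherited ACEs
    $rights = [System.Security.AccessControl.RegistryRights]
    $grants = @{
        'NT AUTHORITY\SYSTEM'    = $rights::FullControl
        'BUILTIN\Administrators' = $rights::FullControl
        'BUILTIN\Users'          = $rights::ReadKey
    }
    foreach ($principal in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, $grants[$principal],
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($rule)
    }
    $key.SetAccessControl($sec)
    $key.Close()

    # 3. Return the resulting DACLs so the change can be checked (and re-audited) afterwards.
    [pscustomobject]@{
        Directory  = (Get-Acl -LiteralPath $NssmDirectory).AccessToString
        Parameters = (Get-Acl -LiteralPath "HKLM:\$subKey").AccessToString
    }
}

# Example invocation (service name and path are placeholders):
# Protect-NssmInstall -ServiceName 'WrappedService' -NssmDirectory 'C:\nssm-2.24'
```

Give the directory of the program named in Application the same icacls treatment, since NSSM launches it with the service's privileges. Note that reinstalling or updating the vendor product can restore the original loose ACLs, so the check belongs in a scheduled audit rather than being done once.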

However, one topic keeps resurfacing in penetration testing reports and red team exercises: local privilege escalation through services wrapped by NSSM 2.24.

Generate a reverse shell using msfvenom or a simple executable that adds a user to the administrators group.

– The vulnerable service (e.g., Apache CouchDB, IBM Robotic Process Automation, DaUM) either stops unexpectedly, is stopped by the attacker, or the system reboots. When the service attempts to start again, Windows launches the malicious file with the service’s elevated privileges – typically SYSTEM or Administrator rights.
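As an added example (not from the article or NSSM) of what detection of this attack looks like, the PowerShell hunt below reads the Sysmon operational log and the System log and flags three signals of the sequence described above: nssm.exe being written by an account other than SYSTEM (Sysmon Event 11), a shell or script host spawned by nssm.exe once the service restarts (Sysmon Event 1), and a newly registered service whose binary is nssm.exe (System Event 7045). It assumes Sysmon is installed with a configuration that logs those events for the paths involved and that the events carry a User field (recent Sysmon versions do); the field names come from the events' EventData, and the seven-day window and the list of shell hosts are the example's own choices.

```powershell
# Added example: hunt Windows event logs for signs of the NSSM binary-planting attack.
# Not from the article or from NSSM. Assumes Sysmon logs Event IDs 1 and 11 for the directories
# in question; run as Administrator so the logs can be read.

function ConvertFrom-EventData {
    # Flattens an EventLogRecord's <EventData> into one object with a property per <Data Name="...">.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml   = [xml]$Event.ToXml()
        $props = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated; Log = $Event.LogName }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

$NssmBinary = '(?i)\\nssm[^\\]*\.exe$'    # nssm.exe, nssm64.exe, nssm-2.24.exe ...
$ShellHosts = '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'

function Select-NssmAbuseSignals {
    # Takes flattened events and emits one record per event that matches a signal.
    param([Parameter(Mandatory, ValueFromPipeline)] $E)
    process {
        $sysmon = $E.Log -like '*Sysmon*'
        if ($sysmon -and $E.EventId -eq 11 -and $E.TargetFilename -match $NssmBinary -and $E.User -ne 'NT AUTHORITY\SYSTEM') {
            # 1. nssm.exe created/overwritten by a non-SYSTEM account (an installer running as SYSTEM is the benign case).
            [pscustomobject]@{ Signal = 'nssm.exe written by non-SYSTEM'; Time = $E.TimeCreated; Who = $E.User; What = $E.TargetFilename; By = $E.Image }
        }
        elseif ($sysmon -and $E.EventId -eq 1 -and $E.ParentImage -match $NssmBinary -and $E.Image -match $ShellHosts) {
            # 2. nssm.exe, running as the service account, spawning a shell: a planted payload or a swapped Application value.
            [pscustomobject]@{ Signal = 'shell spawned by nssm.exe'; Time = $E.TimeCreated; Who = $E.User; What = $E.CommandLine; By = $E.ParentImage }
        }
        elseif ($E.Log -eq 'System' -and $E.EventId -eq 7045 -and $E.ImagePath -match $NssmBinary) {
            # 3. A service newly registered with nssm.exe as its binary (Service Control Manager 7045).
            [pscustomobject]@{ Signal = 'new service wrapping nssm.exe'; Time = $E.TimeCreated; Who = $E.AccountName; What = $E.ServiceName; By = $E.ImagePath }
        }
    }
}

$Since = (Get-Date).AddDays(-7)
@(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11; StartTime = $Since },
    @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since }
) | ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue } |
    ConvertFrom-EventData | Select-NssmAbuseSignals | Sort-Object Time | Format-Table -AutoSize
```

The first signal is the earliest one available and the only one that fires before the service restarts; the second is what most EDR products alert on, because nssm.exe has no business spawning cmd.exe or powershell.exe on a host where the wrapped program is, say, a database.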

Mechanism A: Weak File Permissions (Binary Planting / Overwrite)

A primary historical reference in which NSSM was used to achieve SYSTEM-level privilege escalation.

This article provides a deep dive into why NSSM 2.24 remains a vector for privilege escalation in 2025, how modern detection tools catch it, and, most importantly, what you can do to remediate these weaknesses or test for them ethically.

When service wrappers or similar utility binaries are used, make sure they are obtained from the official, maintained source, signed internally, and checked against known vulnerability databases on a regular basis.

6. Conclusion

CVE-2025-41686 is a clear reminder that deployment configuration matters as much as code when it comes to security. The NSSM 2.24 executable is not inherently vulnerable: the flaw lies in how third-party software installers set permissions on the directory containing the binary. However, because NSSM 2.24 remains the stable version deployed by hundreds of products worldwide, the effective attack surface is enormous.