NSSM 2.24 Privilege Escalation (Jun 2026)

If the attacker has write access to the service configuration (often misconfigured in legacy systems), they can proceed.

The most common ways privilege escalation occurs involving NSSM 2.24 include:

1. Insecure File Permissions

Understanding the technical vulnerabilities is only half the battle. To truly appreciate the threat, it is essential to walk through the steps an attacker would take to exploit these flaws in a real-world environment.

This is the most frequent cause of NSSM-related local privilege escalation.

Attackers use Windows built-in tools or scripts like PowerUp to find services with weak permissions. A manual command looks like this:

The attacker creates a malicious executable (e.g., a reverse shell) and drops it in C:\Program Files\Application.exe.

The score for CVE-2025-41686 and CVE-2016-20033 reflects the ease of exploitation (Low Attack Complexity, Low Privileges Required) and the severe consequences. CVE-2024-51448, with a score of 6.7 (Medium), is less severe because it requires an attacker to already have "High" privileges to exploit it, though it still enables a jump to Administrator.

The next step is checking the permissions of the directory where the service executable is stored. If the "Authenticated Users" or "Users" group has write access, the system is vulnerable.

Tool: icacls "C:\Path\To\Service"

3. The Swap

If a service is installed with a path like C:\Program Files\My App\nssm.exe, and it is not properly quoted, Windows attempts to execute the path in the following order:

1. C:\Program.exe (with args: Files\My App\nssm.exe)
2. C:\Program Files\My.exe (with args: App\nssm.exe)
3. C:\Program Files\My App\nssm.exe
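An added example, not part of the original page or NSSM's own code: a Python audit helper that reproduces the search order above for any service ImagePath string, flags the ambiguous ones, and proposes the quoted form. The service names and paths in SAMPLE_SERVICES are constructed, and treating the first token that ends in .exe as the real binary is an assumption used to separate the executable from its arguments.

```python
import ntpath

# Constructed sample data: service name -> ImagePath value (not from a real host).
SAMPLE_SERVICES = {
    "MyApp": r"C:\Program Files\My App\nssm.exe",
    "Quoted": r'"C:\Program Files\My App\nssm.exe"',
    "NoSpaces": r"C:\Tools\nssm.exe",
    "WithArgs": r"C:\Program Files\Agent\nssm.exe run agent",
}

def candidate_paths(image_path):
    """Executables Windows would try, in order, for this service command line."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        # A quoted path is unambiguous: only the quoted file is tried.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens, candidates = cmd.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        ext = ntpath.splitext(prefix)[1].lower()
        # Windows appends .exe when the candidate file name has no extension.
        candidates.append(prefix if ext else prefix + ".exe")
        if ext == ".exe":  # assumption: the first .exe token is the real binary
            break
    return candidates

def quoted_form(image_path):
    """Return the ImagePath with the executable quoted, or None if unclear."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return cmd
    exe = candidate_paths(cmd)[-1]
    if not cmd.startswith(exe):
        return None  # no .exe token found; needs manual review
    return f'"{exe}"{cmd[len(exe):]}'

def audit(services):
    """Map each ambiguous service to its unintended candidates and the fix."""
    findings = {}
    for name, image_path in services.items():
        candidates = candidate_paths(image_path)
        if len(candidates) > 1:
            findings[name] = {
                "unintended_candidates": candidates[:-1],
                "fix": quoted_form(image_path),
            }
    return findings
```

Calling audit(SAMPLE_SERVICES) reports only the unquoted entries that contain spaces; each unintended candidate is a location whose parent directory permissions are worth reviewing with icacls.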

The attacker restarts the service (if they have permissions) or waits for a system reboot.

When a standard user is tricked or coerced into running NSSM 2.24 (perhaps via a phishing attack or a malicious script on a shared terminal server), the tool does not properly validate the executable path and arguments before the service starts.

CVE-2024-51448 documents this exact behavior in IBM Robotic Process Automation. All files in the install inherited the file permissions of the parent directory, allowing a non-privileged user to substitute any executable for the nssm.exe service. A subsequent service restart would then execute the attacker's binary with administrator privileges, granting immediate escalation.