NSSM 2.24 Privilege Escalation (Updated Jun 2026)
Privilege escalation via NSSM is not a new phenomenon. An earlier advisory showed that Wowza Streaming Engine 4.5.0 suffered from a similar flaw: the Everyone group had full access to the bundled nssm_x64.exe binary, so any local user could replace the file and have their code executed as LocalSystem the next time the service started.
Check the service security descriptor (the DACL that decides who may reconfigure, start or stop the service):
NSSM is an open-source utility designed to run any standard console application (an .exe, or a .bat/.ps1 through its interpreter) as a background Windows service. Administrators favor it because it automatically restarts the application when it exits or crashes and captures its output to log files.
Anyone holding SERVICE_CHANGE_CONFIG on the service can repoint its binary path with sc (the space after binpath= is required by sc's parser; the escaped inner quotes protect the path containing spaces):

```cmd
sc config ExampleService binpath= "\"C:\Program Files\NSSM\nssm.exe\" ExampleService"
```

4. Modern Alternatives and Updates
This article explores the mechanics of this local privilege escalation vulnerability, how attackers exploit it using the Non-Sucking Service Manager (NSSM), and how to secure your systems against it.

What is NSSM?
NSSM is a service manager for Windows that makes it easy to install, configure, and manage services. In 2019, a security researcher reported a privilege escalation issue involving NSSM version 2.24 that could allow a local attacker to gain SYSTEM on an affected host.
This is the most widely cited vulnerability regarding NSSM. It affects Phoenix Contact Device and Update Management (DaUM) versions prior to 2025.3.1, as well as other software bundling nssm.exe. The underlying weakness is not in NSSM's own code but in how it is deployed: a product ships nssm.exe with a binary, directory or Parameters registry key that low-privileged users can write to, while the service itself runs as LocalSystem.
Whether ChangeServiceConfig is invoked through the local API or over RPC, the Service Control Manager grants the change only if the caller's token holds SERVICE_CHANGE_CONFIG in the target service's security descriptor; there is no interactive prompt involved on Windows 10, Windows 11 or Server 2022. The control that matters is therefore the service DACL, not the calling process.
file for a malicious one (e.g., a reverse shell) and wait for a system reboot or service crash.

Mitigation and Remediation
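The remediation steps above, as an added PowerShell script that is not part of the original article or the NSSM project. It locks down one NSSM-managed service on all three fronts the article describes: the NSSM directory and binary (and the wrapped program), the Parameters registry key, and the service object's own DACL. The service name and install directory are assumptions; adjust them before running, and run from an elevated prompt.

```powershell
# Added remediation script (not code from the original article or the NSSM project).
# Hardens one NSSM-managed service against binary replacement, Parameters-key
# tampering and user-initiated restarts. $ServiceName and $NssmDir are assumptions.
# Re-test the service afterwards: removing SERVICE_STOP/START from Users also
# breaks any unprivileged tooling that restarted the service on purpose.

$ServiceName = 'ExampleService'
$NssmDir     = 'C:\Program Files\NSSM'
$paramsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"

# 1. NSSM directory (and everything below it): SYSTEM and Administrators full control,
#    Users read/execute only. /inheritance:r drops inherited ACEs so a permissive parent
#    folder cannot re-expose the files; SIDs (*S-1-5-18 = SYSTEM, *S-1-5-32-544 =
#    Administrators, *S-1-5-32-545 = Users) avoid locale-specific group names.
icacls $NssmDir /t /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'

# The wrapped program NSSM launches as SYSTEM is stored in the Application value; harden it too.
$app = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).Application
if ($app -and (Test-Path -LiteralPath $app)) {
    icacls $app /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' '*S-1-5-32-545:RX'
}

# 2. Parameters key: no inheritance, SYSTEM/Administrators full control, Users read-only.
$acl = Get-Acl -LiteralPath $paramsKey
$acl.SetAccessRuleProtection($true, $false)                               # stop inheriting, discard inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }  # drop explicit ACEs an installer left behind
foreach ($entry in @(@('S-1-5-18', 'FullControl'), @('S-1-5-32-544', 'FullControl'), @('S-1-5-32-545', 'ReadKey'))) {
    $id = [System.Security.Principal.SecurityIdentifier]$entry[0]
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($id, $entry[1], 'ContainerInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $paramsKey -AclObject $acl

# 3. Service object: a conservative DACL modeled on the Windows default. Interactive users (IU),
#    service accounts (SU) and Users (BU) get query rights only; none of DC (ChangeConfig),
#    RP (Start), WP (Stop), WD (WriteDAC) or WO (WriteOwner). SYSTEM and Administrators keep control.
sc.exe sdset $ServiceName 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# 4. Verify: no Everyone/Users write ACE on the files, no DC/RP/WP for IU/SU/BU on the service.
icacls $NssmDir
sc.exe sdshow $ServiceName
```

The registry step resets the key rather than patching individual ACEs because installers that loosen this key tend to add Everyone or Users entries with Modify; rebuilding from a known-good set is easier to audit than reasoning about what to remove.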
This is ordinary vertical privilege escalation: a local user who can replace the NSSM binary (or the application it wraps) has their code launched by the Service Control Manager with the service account's token, which for NSSM-managed services is typically LocalSystem. No kernel-level access and no bypass of security checks is involved; the service simply runs whatever file its configuration points at, and the checks that matter are the ACLs on that file, its directory, the service object and its registry key.
The attacker then forces a service restart. This is possible directly if they hold SERVICE_STOP and SERVICE_START on the service; otherwise they can crash the wrapped application, which NSSM relaunches automatically (useful when the replaced file is the wrapped program rather than nssm.exe itself), or simply wait for a reboot.
Service configuration changes go through the Service Control Manager's RPC interface in every case: the "local" ChangeServiceConfig API is itself an RPC call to services.exe, and the SCM applies the same check, SERVICE_CHANGE_CONFIG in the target service's security descriptor against the caller's token, whether the caller is on the box or remote. Integrity level plays no part in that check, and SeImpersonatePrivilege does not grant it. A PPL-protected service such as WinDefend is therefore not reachable this way: its service DACL does not grant SERVICE_CHANGE_CONFIG to ordinary callers, and process protection guards the running process. The realistic prerequisites remain the ones described elsewhere in this article: SERVICE_CHANGE_CONFIG on the service, or write access to the NSSM binary, its directory, or its Parameters registry key.

Modern Alternatives and Updates
If the icacls output shows BUILTIN\Users:(F) or (M) (Full Control or Modify), the directory is vulnerable. Treat a plain (W) the same way, since write access alone is enough to overwrite the binary, and check Everyone and NT AUTHORITY\Authenticated Users as well as BUILTIN\Users: every local user is a member of all three.

Step 2: Crafting the Payload
The attacker modifies the path the service executes so that it points to a malicious payload, such as a reverse-shell executable or a script that adds a new administrator account. For an NSSM-managed service there are two such paths: the service's own ImagePath (the nssm.exe command line, changed with sc config or ChangeServiceConfig) and the wrapped program, which NSSM stores under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters as the Application, AppDirectory and AppParameters values. Both are writable only by administrators and SYSTEM by default, so this step works only where an installer has loosened those ACLs or the attacker already holds SERVICE_CHANGE_CONFIG on the service.
In environments using NSSM 2.24, attackers typically look for the following misconfigurations to escalate to SYSTEM privileges:
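The checks described above (the service security descriptor, the icacls review of the NSSM directory, and the misconfigurations attackers hunt for) combined into one audit script. This is an added example, not code from the original article or the NSSM project; it assumes Windows PowerShell 5.1 or later and an elevated prompt so every service DACL and registry key can be read, and it identifies NSSM services by matching "nssm" in the service's ImagePath.

```powershell
# Added audit script (not code from the original article or the NSSM project).
# For every service whose ImagePath references nssm.exe it reports the three
# misconfigurations discussed above: a service security descriptor that lets a
# low-privileged caller reconfigure, start or stop the service; a writable NSSM
# binary, NSSM directory or wrapped application; and a writable Parameters key.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

# SIDs every local, non-admin user is a member of, and their resolved names for file/registry ACL comparison.
$lowPrivSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$lowPrivNames = $lowPrivSids | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier]$_).Translate([System.Security.Principal.NTAccount]).Value
}

# Service access-mask bits (winsvc.h) that let a caller retarget or restart a service.
$svcBits = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x0002
    SERVICE_START         = 0x0010
    SERVICE_STOP          = 0x0020
    WRITE_DAC             = 0x40000
    WRITE_OWNER           = 0x80000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}

# File-system and registry rights that allow replacing a file or rewriting a key.
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-WeakServiceAces([string]$Name) {
    # sc.exe sdshow prints the service SDDL; RawSecurityDescriptor parses it and resolves aliases (BU, AU, WD) to SIDs.
    $sddl = & sc.exe sdshow $Name | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed' -or $ace.SecurityIdentifier.Value -notin $lowPrivSids) { continue }
        $granted = $svcBits.GetEnumerator() | Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
        if ($granted) {
            [pscustomobject]@{ Object = "service:$Name"; Trustee = $ace.SecurityIdentifier.Value; Rights = $granted -join ',' }
        }
    }
}

function Get-WritableAces([string]$Path, [switch]$Registry) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $needed = if ($Registry) { $regWrite } else { $fsWrite }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -notin $lowPrivNames) { continue }
        $rights = if ($Registry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (([int]$rights -band $needed) -ne 0) {
            [pscustomobject]@{ Object = $Path; Trustee = $ace.IdentityReference.Value; Rights = "$rights" }
        }
    }
}

$findings = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' })) {
    # ImagePath is either "quoted path" args, or an unquoted first token (itself a classic weakness when the path has spaces).
    $exe = if ($svc.PathName -match '^\s*"([^"]+)"') { $Matches[1] } else { ($svc.PathName.Trim() -split '\s+')[0] }
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    # NSSM keeps the wrapped program's path in the Application value of this key (AppDirectory/AppParameters sit beside it).
    $app = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).Application

    Get-WeakServiceAces -Name $svc.Name
    foreach ($p in @($exe, (Split-Path -Path $exe -Parent), $app)) { Get-WritableAces -Path $p }
    Get-WritableAces -Path $paramsKey -Registry
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No NSSM-managed service with a low-privilege writable path, key or service ACE found.' }
```

A finding on the directory rather than on nssm.exe itself is just as serious: Delete plus CreateFiles on the folder lets a user remove and recreate the binary even when the file's own ACL is tight. The service-ACE check deliberately lists SERVICE_START and SERVICE_STOP alongside SERVICE_CHANGE_CONFIG, because a writable binary is only useful to an attacker who can also get the service to relaunch.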