net stop <service_name>
net start <service_name>
NSSM 2.24 privilege escalation is not a classic buffer overflow or race condition—it is a amplified by common misconfigurations. Attackers love it because it turns a low-privilege foothold into full SYSTEM access with minimal noise.
A toggle to ensure the service defaults to a virtual account or a low-privileged user instead of the "LocalSystem" account, which is the most frequent target for attackers looking for administrative control.

Why this is needed
Before diving into the specifics of NSSM 2.24, it is essential to understand how local privilege escalation (LPE) typically functions within the Windows Services subsystem.
Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.
Disclaimer: This post is for educational and defensive purposes only. Unauthorized access to systems is illegal.
If the attacker has the rights to restart the service, they execute: net stop MyCustomService && net start MyCustomService
Due to its known behavior and role in historical vulnerabilities (like the Odoo or CouchDB exploits), it is a favorite for Capture The Flag (CTF) challenges and penetration testing certifications.
$ cd C:\ProgramData\SomeApp\bin
The 2.24 version is outdated, and the primary recommendation from the NSSM developers is to upgrade to the 2.25 pre-release builds, which address several bugs, including those related to service handling and stability.

Immediate Mitigation Steps:
Registry- or link-based redirection
Replace nssm.exe v2.24 with the latest 2.25 pre-release version.
But the real prize is . On many systems, authenticated users can enumerate and modify NSSM-managed services due to overly permissive service security descriptors.
This attack requires no user interaction, only low-level local access. It transforms a standard user account into a de facto administrator, enabling lateral movement, ransomware deployment, or the extraction of sensitive data. The vulnerability is classified under CWE-306: Missing Authentication for Critical Function, as the process does not verify the identity or permissions of the process replacing the critical binary. In Phoenix Contact's DaUM (Device and Update Management) implementation, for instance, low-privileged users could replace the executable to gain full administrative control over the industrial management tool.