Nssm-2.24 Privilege Escalation Patched Page
nssm install <ServiceName> <path-to-executable>
A key issue with NSSM 2.24 is its reliance on configuration files (often stored in the registry) and the potential for misconfigured permissions on the service wrapper itself. While NSSM is designed to handle services, it doesn't automatically secure the paths of the applications it launches.
NSSM (Non-Sucking Service Manager) version 2.24 (and possibly prior versions)
affected Wowza Streaming Engine version 4.5.0, where improper file permissions granted full access to the Everyone group on the nssm_x64.exe binary. This allowed any authenticated user to replace the binary and execute arbitrary code with LocalSystem privileges when the Wowza services (manager and engine service directories) restarted. The vulnerability carries a CVSSv3.1 base score of 7.8 and a CVSSv4.0 base score of 8.5.
In documented campaigns such as those attributed to the hacking group, attackers have used NSSM as a persistence mechanism to maintain access to compromised systems. The group used NSSM to create and manage services on hosts, allowing them to maintain backdoor access alongside Localtonet for encrypted tunnel connectivity.
Consider a scenario where a third-party application uses NSSM 2.24 to run a background service.
If the attacker has write access to the service configuration (often misconfigured in legacy systems), they can proceed.
NSSM 2.24 itself creates a service. If the binary file of the application that NSSM is managing has weak permissions (e.g., Users: Modify or Users: Full Control), a non-privileged user can replace the application executable with a payload. NSSM is configured to run C:\Service\App.exe. The directory C:\Service\ is writable by standard users. The user replaces App.exe with a malicious executable.
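One way to check a host for the weak permissions described above, as an added example that is not part of the original page or the NSSM project: it lists services whose ImagePath references an NSSM binary and reports ACL entries that give Everyone, Users, Authenticated Users or INTERACTIVE write-type access to the wrapper, the wrapped application (NSSM's Parameters\Application registry value), their directories, or the Parameters key. The English principal names, the match on the string "nssm" in ImagePath, and the function name Get-WeakAce are assumptions of this example.

```powershell
# Added audit example (not NSSM project code). Run from an elevated prompt.
# Assumption: English account names; adjust $lowPriv on localized systems.
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'
# Write-type bits. FileSystemRights and RegistryRights share these values
# (WriteData/SetValue = 2, AppendData/CreateSubKey = 4, Delete, ChangePermissions,
# TakeOwnership); GENERIC_ALL and GENERIC_WRITE are added for raw generic ACEs.
$fsWrite   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$fsWrite -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Service, [string]$Kind, [string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $prop = if ($Path -like 'HKLM:*') { 'RegistryRights' } else { 'FileSystemRights' }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $writable = ([int]$ace.$prop -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $writable -and
            $lowPriv -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Service   = $Service; Kind = $Kind; Path = $Path
                Principal = $ace.IdentityReference.Value; Rights = $ace.$prop
            }
        }
    }
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -notmatch 'nssm') { continue }   # not an NSSM-wrapped service

    # ImagePath may be quoted; unquoted paths containing spaces are not handled here.
    $wrapper = if ($svc.ImagePath -match '^\s*"([^"]+)"') { $Matches[1] }
               else { ($svc.ImagePath.Trim() -split '\s+')[0] }
    $paramKey = Join-Path $root (Join-Path $key.PSChildName 'Parameters')
    $app = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).Application

    Get-WeakAce $key.PSChildName 'Wrapper binary'   $wrapper
    Get-WeakAce $key.PSChildName 'Wrapper folder'   (Split-Path -Parent $wrapper)
    Get-WeakAce $key.PSChildName 'Application'      $app
    if ($app) { Get-WeakAce $key.PSChildName 'App folder' (Split-Path -Parent $app) }
    Get-WeakAce $key.PSChildName 'NSSM Parameters'  $paramKey
}
$findings | Sort-Object Service, Kind | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed principals hold write-type rights on those objects; any row is a path or key to re-ACL so that only administrators and the service account can modify it.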
Attackers can install an NSSM service pointing to cmd.exe /c net user backdoor P@ssw0rd /add & net localgroup administrators backdoor /add. After the next reboot, the backdoor user is created.