Nssm224 Privilege Escalation Updated Official

The NSSM224 privilege escalation exploit takes advantage of a vulnerability in the NSSM224 service manager. The exploit involves the following steps:

If NSSM is used to run a service, do not run the service as LocalSystem unless absolutely required. Instead, create a dedicated, low‑privileged service account with only the minimum permissions needed for the application to function. This containment reduces the impact of any successful replacement attack — the malicious payload will run with only the service account’s limited privileges, not full SYSTEM access.

Mechanism C: Weak Service Permissions (SERVICE_CHANGE_CONFIG)

Upon execution, the payload runs under the context of NT AUTHORITY\SYSTEM, granting the attacker persistent, absolute control over the host system.

4. Modern Detection Strategies

Article last updated: May 2026 – reflects threat intelligence up to Q1 2026.

When the service starts, it runs the (now replaced) nssm.exe with the service account’s privileges — typically SYSTEM or a high‑privileged administrator account. The malicious payload therefore executes with full administrative rights, allowing the attacker to:

These older vulnerabilities show that the core issue — insecure file permissions on NSSM‑managed services — has persisted for nearly a decade, across multiple vendors and products. CVE‑2025‑41686 is simply the latest and most widespread instance of this class of vulnerability.

NSSM naturally spawns child processes. However, if nssm.exe spawns cmd.exe, powershell.exe, or an unsigned binary out of a temporary directory (e.g., C:\Windows\Temp), an alert should instantly trigger.

The fundamental flaw does not always lie in NSSM’s code itself but rather in the file permissions applied to the nssm.exe binary by the hosting application. Many vendors install NSSM with default or weak ACLs (Access Control Lists).

While NSSM 2.24 itself is an older version, it is frequently used by legitimate software and malicious actors alike to maintain persistence on Windows systems. Securelist Vulnerability Overview: NSSM 2.24. Vulnerability Type: Local Privilege Escalation (LPE).

Windows services frequently run under highly privileged accounts, such as LocalSystem (NT AUTHORITY\SYSTEM), LocalService, or NetworkService. If a low-privileged user can alter what the service executes, they can inherit the security context of that privileged account.

A standard domain or local user replaces the legitimate nssm.exe or the wrapped application executable with a malicious payload (e.g., a reverse shell generated via MSFvenom). When the service restarts, the malicious payload executes with the privileges assigned to that service (usually SYSTEM).

2. Registry Permission Flaws

If the permissions are misconfigured (e.g., BUILTIN\Users has Modify rights), the attacker overwrites nssm.exe:
